Chronicles
Welcome
Security is everyone's problem but, as a sys admin, you will take the blame should something go wrong with security on your systems or any device within your jurisdiction. My purpose in telling you this isn't to bum you out about your job but to inform you to be proactive in your security measures, follow industry best practices, follow your company's security policy guidelines (if you have any), and, most importantly, document your work. Be sure that someone knows that you did configure those host-based firewalls; you did use enforcing mode in SELinux; you did enforce complex passwords or, better still, set up two-factor authentication and Active Directory integration; you did secure the SSH daemon; and you did limit connectivity to a few systems.
Make better system security your number one priority. It is the most important aspect of your job as a system administrator. I know it seems like I'm harping on the subject, but seriously, it bears repeating – a lot. Why? It's the same discussion (in theory) as talking about the importance of backups: Everyone knows about the importance of backups; everyone is tired of hearing about backups; but if everyone is so up-to-speed on backups, why do they still fail and require yet another conversation?
Backups, by the way, are also a security measure. I hope you knew that. If you ever become the victim of a ransomware attack, you'll appreciate a good backup.
Sure, everyone knows that everyone is responsible for security, but you, ultimately, are the responsible party. And not just for the servers. You're also probably responsible for desktop, mobile device, wireless access point, and web security. Your main purpose in your sys admin role is to ensure security for yourself, your users, your management, and your infrastructure. No wonder many system administrators get a reputation as being ogres or worse. The buck stops with you, and yet all too often your hands are tied by what I call "the corporate sillies." Corporate sillies are phrases that emanate from well-meaning but dreadfully uninformed managers who claim that they're the exception to whatever security rules are in place.
When a manager tells you that their workstation can't be included in regular updates that require reboots because they like to keep a dozen spreadsheets open and it will take too long to reopen them all – that is a fine example of a corporate silly. But who will that manager run to as soon as their workstation gets cryptolockered or damaged by a fully patchable vulnerability? If you guessed yourself, give yourself a big pat on the back.
This is exactly why you must document every security measure that you implement, why you implemented it, and the repercussions of non-compliance. Also note any exceptions that you're forced to allow, such as the one described above. Some people just can't be bothered to do what's right, although it's your responsibility to be sure they do. That sounds a lot like a classic catch-22 situation. Although, I never read the book or saw the movie, I've heard enough examples and references to feel comfortable with using the reference here.
My suggestion to you is to sign up for some security classes, even if you have to pay for them yourself. Earn some security certifications to back up your disdain with current security policy or lack thereof. I know that system administrators hate to write things down, but you must force yourself to do so. Keep a text file open on your desktop for your notes, fixes, accomplishments, implementations, deployments, and so on. You'll be glad you did. Referring to this documentation might be your only defense should things go awry.
Finally, be sure that you have a good backup of your notes or even multiple copies of them. After all, you wouldn't want to have to explain that you had some great notes that outlined your master security manifesto, but they were lost because they weren't backed up, were stolen by malicious intruders, or were eaten by your dog.
Ken Hess * ADMIN Senior Editor
Buy this article as PDF
(incl. VAT)