Friday, October 13, 2017

Hacking Made Easy

The “hack” done on some Australian defense industries is anything but, and it reminds me that administration of computer systems has fallen off a good bit over the past few years.  One of our administrators once left the default passwords on a client system and came within an eyelash of getting fired over it.  We were a well-respected business that knew security, and sold that expertise to other businesses.  Those kinds of companies are not supposed to do things like that.  Our clients recognized stupid as well as we did.

The current cases in the news are showing us that bad administration still includes the use of “Admin” or “Guest” as both account name and password.  This is stupid.  I don’t mean poor judgement, failure to follow proper policy, or mistakes in administration.  I mean stupid.

As one of my engineers once said, “Boss, we cannot engineer out ‘stupid’.”  There are a host of things that administrators of all kinds do that fall in this category, but we can’t build security systems that compensate for all of them.  It speaks to the lack of education, starting in college, that gives no credible amount of time to anything security-related in the curriculum.  Some even make it an elective that you can take or not.  Security can go look for stupid and try to identify where these kinds of passwords have been used - and should have in those cases.  Hacker programs look for those in their password lists because stupid is almost everywhere in the world.  But stupid is not just passwords.

I should make up a list for SANS that covers the Top 20 Stupid Mistakes, if it hasn’t been done already.  Using one password for administrators across an enterprise comes to mind.  Embedding passwords in code.  Putting unsecured test systems on the Internet is number 3.  There are a host of them, probably exceeding 20, since I can think of more at the moment.  And these only involve passwords, which we should have done away with years ago.  We have policies in government that required two-factor authentication many years ago, and that was a common finding in inspections - no two-factor authentication had been implemented.  Stupid.
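The point about security going to look for stupid applies to the first three items on that list, and an internal audit can catch all three mechanically. The script below is an added example, not code from the original post: it checks a constructed account inventory for default names used as their own password, for one administrator password shared across hosts, and scans a constructed set of source files for password literals. The `DEFAULT_NAMES` list, the inventory tuple layout and the secret-assignment regex are assumptions made for the example.

```python
"""Audit an account inventory and source files for three of the mistakes
listed above: default name used as password, one admin password shared
across hosts, and passwords embedded in code.  Added example; the data
below is constructed and the field layout is an assumption."""
import re
from collections import defaultdict

# Assumed list of default account names; the post names "Admin" and "Guest".
DEFAULT_NAMES = {"admin", "administrator", "guest", "root"}

# Constructed inventory: (host, username, password, is_admin)
SAMPLE_ACCOUNTS = [
    ("web01", "Admin", "Admin", True),
    ("web02", "svc_backup", "Winter2017!", False),
    ("db01", "dbadmin", "Sh4red-Pa55", True),
    ("db02", "dbadmin", "Sh4red-Pa55", True),
    ("app01", "Guest", "guest", False),
]

# Constructed source files: filename -> file contents
SAMPLE_SOURCE = {
    "deploy.py": 'db_password = "Sh4red-Pa55"\nconn = connect(host, user, db_password)\n',
    "config.ini": "[db]\nuser = dbadmin\ntimeout = 30\n",
}

# Assignment of a quoted literal to a password-like key, e.g. password = "..."
EMBEDDED_SECRET = re.compile(
    r'(?i)(pass(?:word|wd)?|pwd|secret|api_key)\s*[=:]\s*["\']([^"\']+)["\']'
)


def find_default_credentials(accounts):
    """(host, user) pairs where the password is the username or a default name."""
    hits = []
    for host, user, password, _is_admin in accounts:
        if user.lower() == password.lower() or password.lower() in DEFAULT_NAMES:
            hits.append((host, user))
    return hits


def find_shared_admin_passwords(accounts):
    """{password: sorted hosts} for admin passwords reused on more than one host."""
    hosts_by_password = defaultdict(set)
    for host, _user, password, is_admin in accounts:
        if is_admin:
            hosts_by_password[password].add(host)
    return {pw: sorted(h) for pw, h in hosts_by_password.items() if len(h) > 1}


def find_embedded_passwords(files):
    """(filename, line number, key) for literal secrets assigned in source text."""
    hits = []
    for name, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            match = EMBEDDED_SECRET.search(line)
            if match:
                hits.append((name, lineno, match.group(1).lower()))
    return hits


def run_audit(accounts=SAMPLE_ACCOUNTS, files=SAMPLE_SOURCE):
    """Run all three checks and return the findings as one dict."""
    return {
        "default_credentials": find_default_credentials(accounts),
        "shared_admin_passwords": find_shared_admin_passwords(accounts),
        "embedded_passwords": find_embedded_passwords(files),
    }


if __name__ == "__main__":
    for check, findings in run_audit().items():
        print(f"{check}: {findings}")
```

In practice the inventory would come from a password vault export or a directory query rather than a literal list, and the shared-password check should compare hashes rather than plaintext; the logic is the same. The regex deliberately errs toward false positives, because a human reviewing a short list of flagged lines is cheap compared with a test system on the Internet with its password in the repository.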
