Slashdot Mirror
SF Not an Exception In Giving IT Too Much Control
CWmike writes "The city of San Francisco's IT department is certainly not the exception when it comes to allowing just one person to have unfettered rights to make password and configuration changes to networks and enterprise systems. In fact, it's a situation fairly common in many organizations — especially small to medium-size ones, IT managers and others cautioned in the wake of the recent Terry Childs incident."
What was it they said in the 80's about the most common admin passwords?
I really think this type of thing is inevitable with this high level of a network admin. There comes a point where the complexity of the network you manage means that you simply can't report all the inner details and workings to a manager or overseer. Not only that, but with the speed that computers advance, hardware becomes obsolete within a decade, and new talent often times wont have knowledge/capabilities/will to deal with the older hardware that builds up in operations such as these.
Sadly I think the only thing one can do with things this size, is appoint someone and pray he isn't chaotic evil.
I mean, really. What do we have now? The guy loses control, flips out, locks everyone out of the system, they are down for who knows how long as they bring in crackers and consultants and what not, and the guy goes to jail.
But...
If you just waterboard the guy, until he coughs up the password, the system's not down for really any longer than it takes a Windows Update to screw everything up, so you can just let the guy who locked you out walk, instead of putting him in jail or prison for who knows how long.
Waterboard in this case would be simpler, safer, and better for everyone.
This is my sig.
I forget who said that "an elephant is a mouse designed by a committee." Sure, you can get paranoid about network design and control, and give the job to a committee. But that is going to be really clumsy.
The issue here really is not about size of the design team, it is about vetting the guy who does it. ( The guy who is in charge of the network for my business is someone who I really know and trust. He was best man at my wedding. )
They claim that you should have more than one person that knows the password and configuation of the network. I work mainly in small-mid sized business; I have never heard of only one person knowing the password. In fact, the smaller the business, the more the owner wants to know the password (IME). Generally IT doesn't want $random_user to have the admin passwords. Also, everyone that has them is another person that can potentially "lock down" the system (see third para).
The configuration? Well I am not real sure what they mean? Basic configs such as IP addreses and such have been documented at even the shoddiest implementations I have seen. Plus, if you know how to run that server, you probably know or can find and make changes to the "configuration". But if there is only one person at that company that knows that server/technology, well then there is probably only one person that knows the configuation! What should the accounting manager know how to run our servers?
But the bigger issue is that in a SMB, and in my current positions, I could CHANGE THE PASSWORD!!! Doh, they forgot that you can do that!
TFA goes on to say things about hiring an administrator and then an auditor for the admin. WTF? Never heard of this happening in my career. I do know the military uses these methods, but that makes sense for them. The average sign printing company (even a 200 employee company) can't do that.
TFA highlights a situation that we all knew existed... and didn't even give a (reasonable) proposed solution.
No comprende? Let me type that a little slower for you...
When you have already laid off everyone and downsized your IT department to so few employees, its kind of hard to avoid having a single person with so much power.
I Heart Sorting Networks
Cisco should start selling Childs-proof routers! *rimshot*
Tsunami -- You can't bring a good wave down!
Yes, this is prevalent. Unfortunately, no, it has precious little to do with IT.
This quote from TFA is quite true, but universally so. Let's play Business Mad Libs:
"Single points of failure are always bad," said John Pescatore,
an analyst at Gartner Inc. "There should never be one person who is
the only person who knows ____ MISSION CRITICAL INFORMATION ____."
Companies need to make sure there are at least two if not three people
who share the knowledge of ____ BUSINESS PROCESS______. "As a minimum,
require it to be documented and stored somewhere if personnel
limitations say you can't have personnel with overlap," Pescatore said.
Have fun playing the accounting, regulatory, legal, and R&D versions, just for warm-up.
Now, if the business managers weren't smart enough to either know this applied to IT as well as their other divisions, or not smart enough to not recognize that that they needed outside advice on how to apply business rules to IT - well, you have to wonder how well the other parts of their businesses are running.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Of course there will be people in IT who have power, and of course that power can be abused.
Somebody at a television network has the power to broadcast rocking horse porn if they want to as well and there is no time machine to unrock that horse.
The articles hypes up one person being able to abuse power as if it were unique to IT and suggests a remedy that more than one person should have this power, as if this had any bearing on anything, e.g. the ability for the abuser to simply revoke access to others. What, somebody else should be assigned the exclusive ability to revoke? Then that person is the potential abuser. This is silly.
Apparently, a bunch of idiot managers realized all of a sudden that they had GIVEN one person control over a major network, and tried to seize back control. Also apparently, he did not trust them to keep it running properly. (And also apparently, rightly so.)
So where is the "incident"?? What did he do wrong?
By law he might have done "wrong" by not relinquishing the passwords immediately. But by the people of San Francisco, he may have saved them a lot of trouble and headaches. So, he was faced with a dilemma: obey the law, or do the right thing.
Sad.
Whenever I register for a site where my email address is my username, the password I use happens to be the same password that I use for my email account.
With that in mind, I'm going to go ahead and not express any opinions on security.
You call it dangerous, I call it job security.
It's called Seperation of Duties.
As if it's ITs fault. Most companies I've worked at I have pointed this very situation out and usually get overruled based on the cost of doing it "right".
(It isn't enough to have several people with the password, you need to know how to recover if you lose total communication with the guy responsible - ig. died.)
Also it isn't just IT. Last months pay got delayed at my company, which really shouldn't happen since KPMG is responsible for taking care of payments for our company. The reason? The lady responsible for authorizing the transfer was the only one with the passwords to do so, and she was in labor.
Some people on /. think it is best to have one knowledgeable person with all the information so that confidential information is not leaked or changes made without the lead guy being aware.
Others think of the bus rule, what happens if the guy who knows everything about mission critical infrastructure components gets hit by a bus?
That is why I have taken a page from the Sith Lord Darth Bane and apply the rule of two. When I build a network I teach and train one apprentice. Then if they suck I fire them and hire a replacement, but if they are good, when I get bored and decided to move on, I feel confident they can take on a apprentice themselves.
It is neat, clean and simple, better still it doesn't have the rules and complexity of Jedi type systems requiring me to check in docs to a source control system, report changes to managers what don't understand, have managers that don't understand sign-off on things they don't understand and avoid dumb rules like not being able to train techs that appear to old, etc.
Yeh, if you ask me the Republic, I mean Network as a whole is best off with Sith types in charge versus bureaucratic Jedi types.
Respect the Constitution
The more I see on this case the more I think Childs is being set up as a scapegoat. The guy built the networking side from scratch and it seems management were happy with him running it with sole admin rights. Then a new admin comes in and he freaks out and gets overprotective. And a $5 million bail? Murderers don't get that much.
Heheh... heh... it's kind of funny... you can't network people to work on a network.
"Most people, I think, don't even know what a rootkit is, so why should they care about it?"
Everyone knows the name of Terry Childs, but how many people know the name of the manager(s) in charge, the ones responsible (or negligent) for letting this situation continue until it got to this point.
"You asked for it, you got it." and you are spot on because if they don't correctly assess this current situation, and assign blame to the deserving names, then they are only 'asking for it' to happen again and again.
Thats because only the government related ones concern the public. This stuff happens all the time in the private sector. However, private companies can die, the government cannot (as much as some people around here would like it to)
Seems to me that in many cases, the IT department may be rather grossly understaffed (either in terms of # of staff, or # of experienced staff).
Many places I've worked end up with a Lord-of-all-IT situation simply because they haven't got anyone who can replace him* or back him up, or weren't willing to pay for backup/additional/experienced staff.
* male gender used for convenience purposes.
One of my first jobs was a bank teller. Our passwords were sealed in an envelop, which we initialed, and locked in a vault which needed two keys to open.
If the two officers needed my password, they'd open the vault, open the envelope, breaking my seal (letting me off the hook of responsibility).
IT has to learn from banks.
It really depends on who the "one person" is. Committees rarely design good crypto algorithms or protocols, for example. On the other hand, if you just pick the "one person" at random, you risk picking the wrong person.
I guess it's sort of like picking a dictator. If you pick the right person, and hold that person accountable, they will get things done more efficiently than a committee. If you pick the wrong person, they will get the wrong things done more efficiently than a committee.
http://outcampaign.org/
I know people in various industries who consider obscure hacks, lack of documentation, etc "job security."
To me, being the guy who can do it all is great for job security, but the flip-side is that if you're the *only* guy that can handle things... sure, you're semi-irreplacable, but that applies equally to being fired as when you want to take a day off or holiday. Personally, I prefer work-competence as a reason for not being fired, and documentation/standardization as a way to ensure that somebody else can back me up when I want to take a few weeks off (real time off, as in not near a computer and not "on call" with a pager/cellphone going off in my pants pocket next to the pool).
Supposedly that's it, according to some of the articles. He thought a lot of the others were screw-ups, so he kept access to himself. Everyone seemed to know it, as well, right up to the top of the IT organization. A new security person was hired, and that person didn't like the situation (may have come up during some sort of review). They made a point of asking him for the passwords, which he interpreted as "hey, we want to screw up the network - you know, the one you feel really possessive about" and refused. Didn't seem to recognize the authority of whoever delivered the message (don't know if it was the new security person or not). They then sent the police after the apparent master criminal.
Also, while they couldn't make configuration changes (that's what "locked out" meant apparently), the network continued to run, even without his intervention. So he might've been a doofus about this issue, and for all I know a total jerk with no people skills, but it sounds like (crazy access issue aside) he knew his job pretty well.
I suspect the new security person (who for all we know is more of a policy person than a technical person) handled it badly on their end as well, and may have gone for a club (formal meetings, demands) when a lunch conversation might've done the trick. The guy shouldn't have held onto exclusive access, but it sounds like the security person didn't handle it well. Apparently, that individual now fears for their safety, which I suspect is either an overreaction or a further attempt to demonize Childs to make it seem like whatever actions taken are justified.
I have done dozens of Security Assessments/Risk Assessments for City/County/State Govts. In almost every instance, one of the major findings is 'key man risk'. Inevitably, there's always some guy who is the only one who knows the voodoo to make it all work - the whole IT department is one really smart guy, a dozen meatheads, and some management people (sometimes good, mostly bad). If the smart guy gets hit by a bus or quits, the org loses a year trying to catch back up.
You also tend to see a lot of multi-hat positions (Chief Security Engineer/Firewall SME/Lead Network Admin), and mentioning security best practices such as Duty Rotation and Separation of Duties is usually met with a "yeah, right..." smirk and chuckle.
Unfortunately, it's all usually a function of budget + quality of applicants + total inability to communicate effectively with City Council/County Board/etc. to explain why what the PHBs want needs to be properly funded and staffed.
Inevitably, the powers that be decide they need something, and all heads in the room turn to the resident nerd-genius, who immediately geeks out about how he could accomplish it technically using spit and duct tape. The managers unclench when they realize they aren't going to actually have to do their job; what little money there is money gets blown on hardware and software, and the whole thing gets wired up in a perfect example of 'just barely good enough engineering' or a hobbyist project.
It's not really how you expect your local gov't to operate, but they do it all the time. It's kind of like knowing where sausage comes from. Just don't ask.
I've written this one before.
When you have IT people, they're going to have control of your IT infrastructure. Sorry, but there's not much you can do about that. They need access to your data and your equipment to do the job that you want them to do. You'd better find trustworthy people.
This is kind of like complaining, "I have a chaffeur, but I'm nervous that he might go crazy some day and drive me off a bridge, or head-on into a semi." Yes, that is a risk that you'd face by having a driver. And I'm sorry, but no amount of technology gobbledy-gook is going to prevent disaster if your driver does, indeed go crazy.
You face risks whenever you have someone do something for you -- that they might do it wrong, or that they might try to screw you. You're giving them control of some portion of your life. If you're not okay with that, or you don't trust the person that you've hired, you'd better rethink whether you're in the right business...
The Right Reverend K. Reid Wightman,
I'm getting to the point in my network that I'm the only single point of failure.
I'm sorry, Dave, I can't let you do that.
--Your Cisco HAL 9000 Router