Confessions of a Network Administrator – Stop Creating Bad Policies – Outsource Yourself

Several years ago I successfully convinced a company with hundreds of productive employees to have everyone change their network password every 90 days, and to enforce the use of complex passwords. The network accounts controlled access to email, file and print, and indeed their very computer.

Naturally, some users were enraged. I thought that I was making the network safe, and that they were lazy and irrational. I was wrong.

### … Paved with Good Intentions ###
Now of course I was well intentioned; I wanted our network more secure. One part of my job was to assess, propose, and promulgate more and better security. After all, it would be harder for the bad guys to get to our company’s confidential data if we made the passwords harder to crack. I demonstrated this by running a network crack tool against the computers and thereby cracking somewhere between 10-20% of the enabled accounts.

### Less Security, Not More ###
But the policy resulted in a less secure network. Why?

* People could not remember the new passwords, so they wrote them down on paper, and placed them near their computers.
* People could not remember the new passwords, so they had to be reset, which meant there was an amount of time when the people could not do their work because they were waiting for an administrator to help them (not to mention that the administrator could not do other work when helping them).

### What is Security? ###
If we take a step back, we need to ask the question of security _for what_. That is, what does security mean? I have a presentation somewhere that flushes out all the meaning to the concept of access. Reliability, data integrity, access control, all of these come down to access. If security is cashed out in terms of accessibility, then we simultaneously denied access to our own resources to our own people, at the same time making those people who had a more secure password less secure by forcing them to create new and hard-to-remember passwords.

Yes, yes, I hear you say _but there are mnemonics to help with password recollection_ and I completely agree. I have taught them to many people. However, what are we really doing here?

### Intervention at the Edge ###
This approach of a monolithic policy caused havoc and a loss of productivity, while at the same time giving us a warm and fuzzy feeling of being more secure. We have an enforced policy! The lawyers were proud. A defensible position, in legal terms.

We can contrast this with another approach, which I don’t have a good name for, but let’s call it __intervention at the edge__. This is where instead of creating a policy, let’s say about firing all people who watch pornography at work, we just drop in a network sniffer and send anonymous messages through the browser that those few people having a naughty peek at work shouldn’t be doing that. Wow, behavior changes, problems averted. No HR involved, no attorneys, no careers ruined. Much less time involved, results achieved.

### Outsource Yourself ###
Those network administrators working in corporate IT departments should take as their goal their own outsourcing. That is the only way to really conceive of the changes that are going on in the industry and the appropriate response to them, professionally. This is also, paradoxically, the only way to make oneself valuable and prevent ones’ own outsourcing.

What I mean is this: consider that every action taken (policy or non-policy) will result in more work or less work in the future. Also consider that every action will result in more or less work for the non-IT people. Consider finally that every action will have an effect on access, the core concept of security.

If a course of action will take more of your time, more time of others, or give yourself or others less access to resources, it should be regarded with deep suspicion.

### Folly of the Administrator ###
I have recently heard of the ongoing folly of administrators who do such things as block access to YouTube and Gmail. Why? If employees are spending company time and network resources on non-work activities, then there is a bigger problem that should be dealt with at the level of individual performance. However, is it conceivable that these and other blocked sites might be useful to an organization? If so, then blocking them is denying access to resources. In addition, the idea of turning wasteful employees into virtuous ones through legislation is a folly that has existed for millennia. There is plenty of evidence found in the histories of Seutonious and Tacitus.

Silicon Valley is considered the most productive place on the planet. This the place where Gmail and YouTube were invented, and no less consumed to the highest degree. And yet, this contradiction of dramatic productivity and equally dramatic time-consuming activity with these seemingly irrelevant resources doesn’t give pause?

### Policies should be about the Future ###

I have had the sad task of being a part of a committee promulgating network policies for a university. The experience was one where I found myself as the lone voice crying out for us not to legislate the current ad hoc administrative practices (turning them into rules that would then require action by the Board of Regents to actually change). As the only student on the committee, it was seen as natural by university administrators that my suggestion be ignored.

Policies should help guide future actions, not past practices. Policies should be about giving more access to more resources, and not restricting access. In other words, we need to do __the exact opposite__ of what network administrators tend to do.


0 thoughts on “Confessions of a Network Administrator – Stop Creating Bad Policies – Outsource Yourself

  1. Hello Mr. McNeill,

    I could not agree with you more that the key to a solid security program has more to do with the holistic aspects of security than it does with simply placing larger more expensive locks on the doors. If you take a look at the history of the information security industry it has developed largely out of panic and fear, with vendors quickly popping up to capitalize on that market and help perpetuate the fear. This fear was developed by IT professionals that remembered working in a time when information security was more about information physically walking out the door than it was about remote intrusion over the internet. In turn, we now live in a world where information security is more audit driven than it is business driven.

    The good news however is that times are changing, albeit slowly, and organizations are employing individuals academically educated in information security. With that education comes an understanding of the modern day business and the business benefits of using Web 2.0 technology. These professionals understand the need to be more flexible while still maintaining a strong posture on protecting the Confidentiality, Availability and most importantly the Integrity of an organization’s technical infrastructure.

    Each of these three items (Confidentiality, Integrity, and Availability – CIA) play a unique and important role to any organization. If you are dealing with the department of defense Confidentiality is obviously a big issue, if you are an online retailer Availability is one of your priority problems, and if you are unaware if the information you are working with is legitimate and free from malicious manipulation, Integrity is a significant factor. In my opinion, data integrity is the most important of the three. How can a business possibly operate if it is not sure it can fully trust the data it is working with.

    Passwords are also still a big issue, for without them any of the three fundamental of information security (the CIA) can be easily circumvented. However, there are some rational alternatives. Two factor authentication provides significant protection and will allow the use of less stringent passwords. Another alternative is to have longer more complex passwords that are not as easy to crack which provide you the benefit of allowing less frequent changes. This will certainly not prevent them from writing the passwords down, but it has been my experience that frequent passwords changes are a more difficult experience for users than longer more complex passwords with less stringent change requirements.

    You also touched on another interesting item. Account lockouts. Accounts lockouts are a bad idea period. Account lockouts and account lockout durations lend themselves to being more dangerous than helpful. For example, suppose your organization has a web presence for internet based email, such as a portal for Outlook Web access. With this login page freely accessible to the internet an attacker could potentially run through the gamut of accounts within your organization (because they are generally the same as the pre @ in their email address) and lock out every employee’s account. This would not only flood the IT Help Desk with calls but has the potential to lock out those Systems Administrators and Help Desk staff as well.

    The dangers of blocking web based email is also an interesting topic. The problem with web based email, from an IT standpoint, has less to do with productivity loss (that is an operation issue not an IT issue) and more to do with the fact that these accounts are new vectors of attack into your organization. In fact, the free public email systems are generally the first ones flooded with new viruses. So organizations choose to either block entry points or risk new infections coming in. Yes defense in depth and having client side antivirus can help avoid some of these issues, but how often are the client side antivirus definitions updated as compared to a new virus that spreads through the world in under an hour. My solution to this is by way of filtering this internet traffic before it ever reaches the client. If software can understand and read the web surfing traffic, and potentially virulent attachments before they reach the client, then the need to block these sites within an organizations technical boundaries is significantly diminished. Granted this does not protect the organization from laptop users that visit these same sites when they are outside the organization (and bring infected machines back into the office). However there are newer technologies to help alleviate these issues as well.

    I recently wrote an article for Baseline Magazine outlining what I see the be the future landscape of Information Security, focusing more on your information and the streamlined operation of your business, than on rigid endpoint controls.

    The article can be viewed online here:

    Scott Christiansen

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s