Sysadmins: the unsung heroes supporting millions of organizations and users worldwide. The first folks in the trenches whenever any issue arises; the keepers of the keys. The mere humans who, even with numerous years of experience under their belts, can make some very common, silly mistakes that lead to big problems in the workplace.
In my previous career, I was you, and I appreciate all you do. So, this post is dedicated to all current and future sysadmins, in an effort to help us all be better at what we do. Let’s take a look at some common security mistakes system administrators make.
Let me start with one that I did in a previous employment. Looking back, it was such a silly mistake, and I can laugh about it now. But back then, I thought I was in for it with my boss!
- Don’t just click through a wizard
Quite a few years back when I was a young, bright IT pro just starting out, I was working as a network administrator for a local company. One day, I was asked to add someone to the enterprise admins group so they could perform a specific task. As a network admin, requests like these are common, and I had done these numerous times before.
So, it’s the end of the day, and I am rushing through the wizard so that this person I was helping could get the access they needed as soon as possible. I got it done and left for the day. And then the next morning came. Apparently, what I had actually done the day before was make said person the ONLY user in the enterprise admin group. In the wizard, you have an option to add someone to the existing group membership list, or to replace the existing group membership list, and while I was rushing through the prompts, I had clicked on the latter.
I had people yelling at me for not having the needed access, I had my boss wondering why all overnight services had failed and no backups were generated, it was a nightmare! In the IT world, we call situations like these an RGE, a resume-generating event, where basically you know you’re on the line and you should start looking for a new job.
Thankfully, we were able to get most of the issues resolved and I was not fired, but I learned a hard lesson about not speeding through wizards, even if I have done them millions of times before.
- Making everyone an admin
Speaking of adding or removing enterprise-level access, raise your hand if you’ve heard of or worked in an office where the previous sysadmin had given every user administrator-level access. It’s more common than you think, especially in small businesses, where it’s often an IT department of one. After handling hundreds of requests for access to this and permissions to install that, all the while managing and maintaining the network and systems, the admin gives up and makes everyone an admin. This is a big security risk for your business. Users with administrator access can potentially reach data they shouldn’t have access to and make configuration changes they shouldn’t be making.
- Sharing is NOT caring
Aside from making everyone an admin to make life easier, another common mistake sysadmins make is sharing administrator accounts. How many admins in your organization know the default administrator or root password? While it might seem like six of one, half a dozen of the other, there is a big difference between creating an admin account for someone and giving them the root password. Many times, when someone says they need administrative access, it’s over a specific resource or for a specific task. We can be much more specific with permissions when creating and delegating a new admin account. In addition, when sharing admin passwords, we lose accountability: when the log file says the default admin account was used, how do you know who it was? Always follow the principle of least privilege, giving accounts only the permissions necessary to do their job and nothing more. Don’t share the root account; give each administrator a separate account.
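The wizard story above and the two points that follow it share one defensive habit: look at what a membership change will do before applying it, and periodically check who actually holds privileged access. The following is an added example, not code from the original post. It models a directory as plain Python sets (constructed data, not a real Active Directory), and every function name in it is an assumption for illustration: `plan_membership_change` shows the difference between "add" and "replace" as a list of additions and removals, `apply_change` refuses removals unless they are explicitly confirmed, and `audit_privileged_groups` flags the "everyone is an admin" and shared built-in account patterns.

```python
"""Guarded changes to privileged groups plus a least-privilege audit.

Added example, not code from the original post. The directory is modelled
as plain Python sets (constructed data, not a real Active Directory), and
every function name here is an assumption for illustration.
"""
from dataclasses import dataclass, field

# Constructed sample directory: who is in which group right now.
GROUPS = {
    "Enterprise Admins": {"alice", "bob"},
    "Domain Users": {"alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"},
    "Local Admins": {"alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi",
                     "administrator"},
}
PRIVILEGED = ("Enterprise Admins", "Local Admins")   # groups that deserve extra scrutiny
SHARED_ACCOUNTS = {"administrator", "root"}           # built-in accounts nobody should log in as


@dataclass
class ChangePlan:
    group: str
    adds: set = field(default_factory=set)
    removes: set = field(default_factory=set)
    warnings: list = field(default_factory=list)

    @property
    def safe(self) -> bool:
        return not self.warnings


def plan_membership_change(groups, group, members, mode="add"):
    """Work out what a change would do before touching the directory.

    mode="add" appends to the existing membership; mode="replace" overwrites
    it, which is the option that silently emptied the group in the story above.
    The plan lists every removal, so a rushed click cannot go unnoticed.
    """
    if mode not in ("add", "replace"):
        raise ValueError(f"unknown mode {mode!r}")
    current = set(groups[group])
    target = current | set(members) if mode == "add" else set(members)
    plan = ChangePlan(group, adds=target - current, removes=current - target)
    if plan.removes:
        plan.warnings.append(f"removes existing members: {sorted(plan.removes)}")
    if group in PRIVILEGED and len(target) < 2:
        plan.warnings.append("leaves a privileged group with fewer than two members")
    return plan


def apply_change(groups, plan, confirm_removals=False):
    """Apply a plan; any removal must be explicitly confirmed."""
    if plan.removes and not confirm_removals:
        raise PermissionError("plan removes members; pass confirm_removals=True")
    groups[plan.group] = (set(groups[plan.group]) | plan.adds) - plan.removes
    return groups[plan.group]


def audit_privileged_groups(groups, everyone="Domain Users", max_ratio=0.25):
    """Flag the 'everyone is an admin' and shared-account anti-patterns."""
    findings = []
    population = len(groups[everyone])
    for name in PRIVILEGED:
        members = groups.get(name, set())
        if len(members) / max(population, 1) > max_ratio:
            findings.append(f"{name}: {len(members)} of {population} users are members")
        shared = members & SHARED_ACCOUNTS
        if shared:
            findings.append(f"{name}: shared built-in account(s) {sorted(shared)} are members")
    return findings


if __name__ == "__main__":
    rushed = plan_membership_change(GROUPS, "Enterprise Admins", ["frank"], mode="replace")
    print("replace:", rushed.warnings)            # two warnings, nothing applied
    careful = plan_membership_change(GROUPS, "Enterprise Admins", ["frank"])
    print("add:", apply_change(GROUPS, careful))  # {'alice', 'bob', 'frank'}
    for finding in audit_privileged_groups(GROUPS):
        print("audit:", finding)
```

The 25 percent threshold in the audit is a constructed number; the point is that a privileged group whose membership approaches the size of the whole user population is a finding, whatever the exact ratio you choose.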
- Not following password best practices
We are going to break this one down into a few segments because improper password management is such a common problem and could cost your company millions of dollars.
Make sure you always reset passwords when users, and especially fellow IT employees, leave the company. If a disgruntled employee still has full admin access to your company after they leave, they could do some damage right under your nose.
Recycling passwords. Just stop, ok? Do not use the same password for everything. A breach of one system will leave you vulnerable on every other system that shares the same password. Don’t let users reuse the same passwords on the same network either.
Not setting up multi-factor authentication when it’s available. Help yourself and your users be less vulnerable to phishing scams with MFA. Yes, it’s a few extra steps, and you will have to deal with people resistant to change, but it can save you a lot of headaches.
Many companies have been in the news lately for breaches because they were storing passwords in plaintext. Make sure you know how to properly restrict who can view and work with the password file.
Does the acronym GDPR ring a bell? If you store any sort of client data, including passwords, you must comply with the laws relevant to your business and region. This article is a good reference on managing data and privacy in a global marketplace.
There are many guides out there to help you learn about password best practices, so I’ll leave you with just one more. Don’t configure account passwords so that they never have to be changed. I know users often complain that they can’t remember their passwords when they are prompted to change them so often, but you have to help them understand that this helps keep the company safe. Which leads me to…
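The password points above (reset on departure, no reuse, no plaintext storage, no never-expiring passwords) come together in a small credential store. The following is an added example, not code from the original post; it uses only the Python standard library, and the account records, policy numbers and the shared-credential register are constructed for illustration. `hash_password` stores a salted PBKDF2 hash instead of plaintext, `set_password` refuses any password still in the account's history, `password_findings` reports passwords that are too old or set to never expire, and `offboard` disables a leaver's account and returns the shared secrets that person knew so they can be rotated.

```python
"""Hashed credential storage with reuse, age and offboarding checks.

Added example, not code from the original post. Standard library only;
the account records, policy numbers and shared-credential register are
constructed for illustration, not taken from any real system.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import date, timedelta

ITERATIONS = 600_000            # PBKDF2 work factor (assumed policy value)
SALT_LEN = 16
MAX_AGE = timedelta(days=90)    # assumed maximum password age
HISTORY_DEPTH = 5               # previous hashes kept to block reuse


def hash_password(password: str) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the plaintext is never written anywhere."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


@dataclass
class Account:
    name: str
    current: bytes
    changed_on: date
    history: list = field(default_factory=list)   # previous hashes, newest first
    never_expires: bool = False
    enabled: bool = True


def create_account(name: str, password: str, today: date) -> Account:
    return Account(name, hash_password(password), today)


def set_password(acct: Account, new: str, today: date) -> None:
    """Reject any password still inside the history window, then rotate."""
    for old in [acct.current, *acct.history]:
        if verify_password(new, old):
            raise ValueError(f"{acct.name}: password was used recently")
    acct.history = [acct.current, *acct.history][:HISTORY_DEPTH]
    acct.current = hash_password(new)
    acct.changed_on = today


def password_findings(accounts, today: date) -> list:
    """Report accounts set to never expire or older than the maximum age."""
    findings = []
    for a in accounts:
        age = (today - a.changed_on).days
        if a.never_expires:
            findings.append(f"{a.name}: password set to never expire")
        elif age > MAX_AGE.days:
            findings.append(f"{a.name}: password is {age} days old (max {MAX_AGE.days})")
    return findings


def offboard(acct: Account, shared_credentials: dict) -> list:
    """Disable the leaver's account and return every shared secret they knew,
    so each one gets rotated the same day."""
    acct.enabled = False
    return sorted(name for name, holders in shared_credentials.items() if acct.name in holders)


if __name__ == "__main__":
    alice = create_account("alice", "Correct-Horse-1", date(2024, 1, 1))
    set_password(alice, "Battery-Staple-2", date(2024, 4, 1))
    try:
        set_password(alice, "Correct-Horse-1", date(2024, 7, 1))   # reuse is refused
    except ValueError as err:
        print(err)
    backup = create_account("svc-backup", "Service-Pass-3", date(2023, 1, 1))
    backup.never_expires = True
    for finding in password_findings([alice, backup], date(2024, 8, 1)):
        print(finding)
    # Constructed register of who knows which shared credential.
    register = {"root on db01": {"alice", "bob"}, "wifi PSK": {"bob"}}
    print("rotate:", offboard(alice, register))   # ['root on db01']
```

The reuse check works because the store keeps old hashes, not old passwords: each candidate is hashed with the old salt and compared, so a reused password is caught without anything in plaintext ever being written down.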
- Not promoting end-user security awareness training
If security awareness training is not a part of your company’s employee onboarding program, advocate for it. So many of your headaches and so many potential vulnerabilities can be avoided with proper user security training. As tech pros, we can’t assume that users know how to safely use their machines while browsing the Internet or checking their email. We also can’t assume that they know privacy laws and know not to send each other user information like customer names and emails over Slack.
The good news is that there are a lot of end-user security awareness training courses out there, including ITProTV’s course that covers the basics. Remember that security awareness training is an ongoing effort. As new threats arise, you need to keep employees up to date on how to recognize potential issues. Be sure to make yourself accessible for questions. While some of these security practices, like not clicking suspicious links in emails, seem like common sense to us, that’s not the case for everyone. Try to avoid the pitfall of someone being too afraid to ask you a security question for fear of sounding dumb or ignorant in front of the whole team.
- Skipping software updates or not applying patches
Get in the habit of making sure that your team and your users keep up with software updates on a regular cadence. Many security issues can be avoided by keeping systems current. On your end, you need to make sure you’re applying patches and keeping up with fixes to avoid issues like an attacker or malware getting admin access to your organization. Here is a great article that goes over good patch management practices and common troubleshooting.
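"Keeping systems current" is easier to enforce when it is a check you can run rather than a good intention. The following is an added example, not code from the original post: a patch-compliance pass over a host inventory. The inventory, the baseline of minimum patched versions and the 30-day cadence are all constructed placeholders, not real advisories or release numbers. It also shows why versions must be compared numerically rather than as strings.

```python
"""Patch-compliance check over a host inventory.

Added example, not code from the original post. The inventory, the baseline
of minimum patched versions and the cadence are all constructed placeholders,
not real advisories or release numbers.
"""
import re
from datetime import date, timedelta

CADENCE = timedelta(days=30)   # assumed: every host patched at least this often

# Constructed baseline: lowest version of each package considered patched.
BASELINE = {"openssl": "3.0.14", "sudo": "1.9.15", "kernel": "6.1.90"}

# Constructed inventory, shaped like an asset system export.
INVENTORY = {
    "web01": {"last_patched": date(2024, 7, 1),
              "packages": {"openssl": "3.0.14", "sudo": "1.9.15", "kernel": "6.1.90"}},
    "db01":  {"last_patched": date(2024, 3, 1),
              "packages": {"openssl": "3.0.9", "sudo": "1.9.15", "kernel": "6.1.90"}},
}


def parse_version(text: str) -> tuple:
    """'3.0.14' -> (3, 0, 14); numeric tuples compare correctly, strings do not."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def patch_findings(inventory: dict, baseline: dict, today: date) -> list:
    """List hosts outside the cadence or running a package below the baseline."""
    findings = []
    for host, info in sorted(inventory.items()):
        age = (today - info["last_patched"]).days
        if age > CADENCE.days:
            findings.append(f"{host}: last patched {age} days ago (cadence {CADENCE.days})")
        for pkg, minimum in baseline.items():
            installed = info["packages"].get(pkg)
            if installed is None:
                findings.append(f"{host}: {pkg} missing from inventory")
            elif parse_version(installed) < parse_version(minimum):
                findings.append(f"{host}: {pkg} {installed} is below baseline {minimum}")
    return findings


if __name__ == "__main__":
    for finding in patch_findings(INVENTORY, BASELINE, date(2024, 7, 15)):
        print(finding)
```

Run against the constructed inventory on 2024-07-15, it reports db01 twice (136 days since its last patch, and an openssl build below the baseline) and nothing for web01. A string comparison would have called "3.0.9" newer than "3.0.14", which is exactly the kind of quiet mistake that leaves a host unpatched while the dashboard stays green.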
- Skipping documentation
The best way to make way more work for yourself than you should ever have as a sysadmin is to forgo documentation and struggle with the same issues over and over again. Taking the time to document the solutions to problems and configurations you’ve made will save you time the next time you have to troubleshoot similar issues. Make sure you’re documenting the scope of the problem, the process you took to fix it, the changes you made, and the final resolution you came to. Make sure you keep this document updated and stored securely.
I hope this list of common security mistakes sysadmins make helps you avoid common pitfalls on the job. Also, if you’re looking to learn new skills or earn an IT certification to advance your tech career, check out ITProTV’s online IT training courses for sysadmins; there is a good selection of topics to choose from for both experienced sysadmins and IT pros just starting out.