As I have worked that precise area for most of my career, the overlap between security and sysadmin, I'm well aware of some of the perceived issues.
My biggest battle? The false belief that every improvement to security hurts usability and every improvement to usability hurts security. It is common in people who have been doing things long enough that they should know better, rather than just the newer people. Kill that idea in both secadmin and sysadmin, and one can make progress.

The answer as far as I've found? First half is a "Technical Gripe Session": a forum with no supervisors allowed where technical people can raise concerns about security, both where they see gaps and where they see it as too onerous. Security also uses it to communicate problems they are trying to solve and to beta test potential solutions. Invite a few key sysadmins, a few key app admins, and after they understand it really is "no supervisors allowed", they tend to speak up.

The other half is to have people who live precisely in that overlap space: senior-level sysadmin skill required, who are also responsible for ensuring the OS security. They will often catch the security personnel doing dumb insecure things like wanting to install agents that permit arbitrary unlogged command execution as root by the security team (violates, among other things, PCI DSS 10.2.2 and also a couple of clauses of requirement 8 of PCI) because of stupid security vendors and scanning. They also can help educate less security-conscious sysadmins about why that root-owned httpd server is a bad idea.

Oh, worst PCI rule? The rule that violates PCI: the requirement to lock or disable accounts after x failed login attempts. That's a remotely executable, no-authentication-required denial of service attack that is demonstrated over and over again. Since it is a known vulnerability, it must be remediated, per PCI.

> On 2014 Dec 3, at 12:32 , Jan Schaumann <[email protected]> wrote:
>
> Travis <[email protected]> wrote:
>
>> I'm curious how you're going to use the responses you're compiling? Just
>> something informal or will this be for publication/blog post somewhere?
>
> This is related to a blog post I'm pondering. I'm trying to get more
> diverse feedback on what areas require better understanding of each
> other's responsibilities versus "just" better communication.
>
> -Jan
>
> P.S.: If I double-click the hashtag in MS-Word, it totally works!!1
> _______________________________________________
> Discuss mailing list
> [email protected]
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
> This list provided by the League of Professional System Administrators
> http://lopsa.org/

----
"The speed of communications is wondrous to behold. It is also true that speed can multiply the distribution of information that we know to be untrue." Edward R Murrow (1964)
Mark McCullough [email protected]
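The lockout point above, as an added example that is not part of the list post: a small Python simulation of two account-lockout policies. A permanent lock after N failures means anyone who can reach the login endpoint can keep a named account locked indefinitely (the denial of service the post describes); a time-limited lock with automatic unlock still slows online guessing but bounds the outage. The `LockoutPolicy`/`LoginGuard` names, the thresholds and the login events are all constructed for illustration.

```python
"""Account-lockout policy simulation (added example, not code from the post).

Compares a permanent per-account lock with a time-limited one. All names,
numbers and the login "events" below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class LockoutPolicy:
    deny: int                      # failures before the account locks
    unlock_time: Optional[float]   # seconds until auto-unlock; None = permanent (manual reset)
    fail_interval: float = 900.0   # only failures within this window are counted


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # timestamps of recent failures
    locked_at: Optional[float] = None


class LoginGuard:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.state: Dict[str, AccountState] = {}

    def _is_locked(self, st: AccountState, now: float) -> bool:
        if st.locked_at is None:
            return False
        if self.policy.unlock_time is None:
            return True                     # permanent: stays locked until an admin resets it
        if now - st.locked_at >= self.policy.unlock_time:
            st.locked_at = None             # lock has expired: clear it and the counter
            st.failures.clear()
            return False
        return True

    def attempt(self, account: str, password_ok: bool, now: float) -> str:
        """Returns 'ok', 'denied' (bad password) or 'locked'."""
        st = self.state.setdefault(account, AccountState())
        if self._is_locked(st, now):
            return "locked"
        if password_ok:
            st.failures.clear()
            return "ok"
        # keep only failures inside the counting window, then record this one
        st.failures = [t for t in st.failures if now - t < self.policy.fail_interval]
        st.failures.append(now)
        if len(st.failures) >= self.policy.deny:
            st.locked_at = now
            return "locked"
        return "denied"


def simulate(policy: LockoutPolicy) -> Tuple[str, str]:
    """Constructed scenario: an unauthenticated remote party sends 5 bad passwords
    for 'alice' at t=0..4s; alice then tries her correct password at t=10s and
    again at t=1000s. Returns the outcome of alice's two legitimate attempts."""
    guard = LoginGuard(policy)
    for t in range(5):
        guard.attempt("alice", password_ok=False, now=float(t))
    first = guard.attempt("alice", password_ok=True, now=10.0)
    second = guard.attempt("alice", password_ok=True, now=1000.0)
    return first, second


PERMANENT = LockoutPolicy(deny=5, unlock_time=None)    # the policy the post objects to
TEMPORARY = LockoutPolicy(deny=5, unlock_time=600.0)   # auto-unlock after 10 minutes

if __name__ == "__main__":
    print("permanent lock:", simulate(PERMANENT))  # ('locked', 'locked')
    print("temporary lock:", simulate(TEMPORARY))  # ('locked', 'ok')
```

With the permanent policy alice never gets back in without an administrator; with the temporary one she is back in once the window expires, and the guesser is still throttled to `deny` attempts per `unlock_time`. On Linux the same three knobs exist as pam_faillock's `deny`, `unlock_time` and `fail_interval` options, so the mitigation is usually a configuration change rather than new code.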
