I've met too many senior sysadmins who still espouse the same nonsense about authentication I've seen for years, and it's still wrong.
I'm conducting the security awareness training for $company right now and have a whole section on passwords. Here's the short version:

"People choose lousy passwords. People use personal data that they publish online to choose passwords, even those who should know better. InfoSec has made all kinds of crazy rules about passwords to try to make people choose less lousy passwords. Choosing good passwords is really hard, much harder than the rules suggest. Brute force cracking and dictionary attacks are making the minimum length longer all the time. Don't play the game. Get out of the memorized-password-chosen-by-humans business."

That kind of security awareness training isn't natural, and sysadmins don't tend to teach it in my experience. If anything, most sysadmins I've worked with who weren't in operational security (which is what one job called the crossover between operational sysadmin and security) did their best to teach new sysadmins the worst habits: reusing passwords, choosing simple passwords "so that they are easy to remember", trying to insist on the sharing of personal passwords, etc.

That's why sysadmins shouldn't just cringe and get upset when the secadmin says that security awareness training is needed for everyone. Security is sufficiently specialized that no sysadmin can be expected to know more than the basics. But I often see that the basics themselves are not understood.

I've seen bad security, but others here have given plenty of stories there, so I feel no need to point out some of the issues that can exist. I do need to emphasize, though, that it isn't only in one direction. The problems exist on both sides, and it creates bad blood all around. The best defense against bad security from a secadmin is the same as the defense against bad security from a sysadmin: education. Teach the secadmin how the system works, let the secadmin teach the sysadmin security, and don't presume that the secadmin doesn't know anything of value.
Some rules seem crazy, but may exist as a compensating control to reduce the risk of a particular attack. A good secadmin will explain the problem they are trying to solve and let you try to come up with a new way to solve that problem that doesn't create a new, larger problem. Let the secadmin see the problems you are trying to solve.

> On 2014 Dec 4, at 08:48, Jan Schaumann wrote:
>
> Doug Hughes wrote:
>
>> Password policies that enforce very explicit lists of things
>
> On the topic of passwords: are the different aspects -- such as password
> rotation, complexity, hashing algorithms, use of vs. non-password based
> auth, SSO vs. different passwords for different things -- and the
> threats they attempt to mitigate well understood by most system
> administrators?
>
> Do we teach junior sysadmins about these to a sufficient degree or is
> this something they (have to) pick up along the way to becoming more
> senior?
>
> -Jan

----
"The speed of communications is wondrous to behold. It is also true that speed can multiply the distribution of information that we know to be untrue." Edward R Murrow (1964)

Mark McCullough

_______________________________________________
Discuss mailing list
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
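The arithmetic behind the post's "short version", as an added example that is not code from the original message, from the LOPSA list, or from any training material mentioned there. It shows why the minimum length a complexity rule has to demand keeps climbing as guess rates climb (the keyspace bits are only an upper bound, since a human picking from the same alphabet does not pick uniformly), and what the alternative the post argues for looks like: generating the secret with the OS CSPRNG instead of asking a person to memorize one. The guess rates, the 20-year horizon, the alphabet sizes and the 16-word list are illustrative assumptions constructed for this example, not measured figures.

```python
"""Password keyspace arithmetic and CSPRNG generation.

Added example for this thread; not code from the original post or from LOPSA.
The guess rates and the 20-year horizon are illustrative assumptions, and the
word list is a constructed toy list, far smaller than a real one.
"""
import math
import secrets
import string

SECONDS_PER_YEAR = 365 * 24 * 3600

# Alphabet sizes a typical complexity rule draws from.
ALPHABETS = {
    "lowercase only": 26,
    "mixed case + digits": 62,
    "all printable ASCII": 94,
}

# Illustrative guess rates (assumption, guesses per second): a rate-limited
# online login, an offline attack on a deliberately slow hash, and an offline
# attack on a fast unsalted hash.
GUESS_RATES = {
    "online, rate-limited": 1e2,
    "offline, slow hash": 1e5,
    "offline, fast hash": 1e11,
}


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a password chosen uniformly from alphabet_size**length.

    Upper bound only: a human choosing from the same alphabet is not uniform,
    so a memorized password of this length carries fewer bits than this.
    """
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case years to try every candidate at the given guess rate."""
    return (2.0 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def bits_needed(guesses_per_second: float, years: float) -> float:
    """Entropy required so a full search takes at least `years` at this rate."""
    return math.log2(guesses_per_second * years * SECONDS_PER_YEAR)


def min_length_for(bits_required: float, alphabet_size: int) -> int:
    """Shortest uniform-random length over this alphabet reaching bits_required."""
    return math.ceil(bits_required / math.log2(alphabet_size))


# --- generation: the "stop memorizing human-chosen passwords" side ----------

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Constructed toy word list: 16 words = 4 bits per word.  A real diceware-style
# list of 7776 words gives log2(7776) ~= 12.9 bits per word.
WORDS = (
    "anvil", "basket", "candle", "dune", "ember", "falcon", "garnet", "harbor",
    "ivory", "juniper", "kettle", "lantern", "marble", "nectar", "orchid", "pebble",
)


def random_password(length: int, alphabet: str = PRINTABLE) -> str:
    """Uniform random password from `alphabet`, drawn from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words: int, wordlist=WORDS) -> str:
    """Uniform random passphrase; entropy is n_words * log2(len(wordlist))."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def length_table(years: float = 20.0) -> dict:
    """Minimum uniform-random length per (attack, alphabet) to survive `years`."""
    table = {}
    for attack, rate in GUESS_RATES.items():
        need = bits_needed(rate, years)
        for name, size in ALPHABETS.items():
            table[(attack, name)] = min_length_for(need, size)
    return table


if __name__ == "__main__":
    for (attack, alphabet), n in length_table().items():
        print(f"{attack:22s} {alphabet:22s} min length {n}")
    pw = random_password(16)
    print("random password :", pw, f"({entropy_bits(94, 16):.0f} bits)")
    pp = random_passphrase(6)
    print("random passphrase:", pp, f"({6 * math.log2(len(WORDS)):.0f} bits, toy list)")
```

Running it prints a table of minimum lengths per attack and alphabet; the length a rule has to demand moves with the guess rate, not with the rule, which is the point of "don't play the game". The generated strings are uniform by construction, so their keyspace bits are their real entropy, and a password manager can hold them so nobody has to memorize them.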
