Sunday, September 8, 2013

The Importance of the Least Privilege Principle

One of the things we were reminded of last week during the SANS presentation was just how bad humans are at estimating risk. I think the assumption that many people have is that those of us who work in IT should be better at it. Unfortunately, it seems that many in the IT field tend to sacrifice good principles in favor of expedience or efficiency, and in doing so increase the risk to an organization's computer systems. A recent e-mail conversation regarding the practices of some of our vendors who provide software and services proves this point.

The discussion surrounded whether or not a certain vendor should have sysadmin level access to the county's database servers. The vendor argued that they could not adequately provide support without this access, and that some of their processes required this level of access. The problem with this is that it violates the security principle of "Least Privilege", which mandates that a person or process must be able to access only the information and resources that are necessary for its legitimate purpose.

We know the vendor understands this principle, because it is a part of their software and the practices they recommend, which include a separation of duties, access control lists for specific functionality and records within their software, and audit logs to track who did what. The problem is that when this principle starts to make things more difficult for them, and especially when it applies outside their own systems, they no longer care about it. It is expedient to just set access to "wide open" by granting them, or one or more of their accounts, the "sysadmin" role in the database server. But should that resource or account be compromised, it exposes not just their systems, but the entire database server to risk.
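To make the difference concrete, here is an added example (not from the original post or from any vendor's documentation) of the "wide open" grant beside a least-privilege alternative. It assumes Microsoft SQL Server, whose fixed server role is named "sysadmin" as in the post; the login name VendorApp and database name CountyRecords are placeholders.

```sql
-- Added example, not from the original post. Assumes Microsoft SQL Server
-- (2012 or later syntax). [VendorApp] and CountyRecords are placeholders.

-- The expedient "wide open" configuration: the vendor login becomes a member
-- of the sysadmin fixed server role, giving it unrestricted control over
-- every database on the instance, not just the one it supports.
ALTER SERVER ROLE sysadmin ADD MEMBER [VendorApp];

-- Least-privilege alternative: remove the server-wide role and map the login
-- to a user inside the single database the vendor supports, with rights
-- limited to what its processes actually need (here, reading and writing
-- table data and executing procedures in the dbo schema). The login should
-- also be unique to this county rather than shared across customers.
ALTER SERVER ROLE sysadmin DROP MEMBER [VendorApp];
USE CountyRecords;
CREATE USER [VendorApp] FOR LOGIN [VendorApp];
ALTER ROLE db_datareader ADD MEMBER [VendorApp];
ALTER ROLE db_datawriter ADD MEMBER [VendorApp];
GRANT EXECUTE ON SCHEMA::dbo TO [VendorApp];

-- Periodic check: list every login that holds sysadmin, so a vendor or
-- support account that has been (re)granted the role is noticed and reviewed.
SELECT m.name AS login_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;
```

The exact database roles and schema grants should be derived from what the vendor's processes can be shown to require, which is the conversation the post argues we should be having with them.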

While the original conversation focused on one specific vendor, I am not mentioning them by name because so many of our vendors are guilty of it. What makes matters worse is that many of these vendors use the same credentials in one county after another, so if one organization is compromised, all of their other customers may be easily compromised as well. This demonstrates the importance of another reminder we were given during the SANS presentation last week, which was the dangers of reusing passwords.

I believe in this day and age it is vital that we hold our software vendors to the highest standards. They should be endeavoring to adhere to best practices when it comes to security, such as the "Least Privilege" principle, and when they do not, we should demand that they change. In order for this to work, though, it will take more than just the IT people demanding that these practices be changed. For starters, there are still many counties that do not have in-house IT people. Additionally, many of the vendors tend to place more weight on the opinions of the policy makers and those who hold the purse strings than they do on the IT staff.

No matter what our position is with the county, whether it is IT, an elected or appointed official, an employee or even a citizen, whenever we have a chance to interact with one of our vendors, we should reinforce the importance of adhering to best practices when designing, implementing and supporting the software and services they provide.

For more information on best practices when it comes to information security, our friends at SANS provide a wealth of free information.
