Sunday, September 22, 2013

To Remove Sysadmins or not to Remove

Lately, security trends have included the disturbing idea of removing the system administration function, or hiding it inside something else. It would be OK if this were the result of automation or simplification, but that is not the case here.

The latest descriptions of the incidents at the NSA, two further articles on the subject with various reports, and my own experience with system administration have started to worry me.

The article that caught my eye was "NSA Plans to Eliminate System Administrators", SANS NewsBites, August 13, 2013 (Excerpt #1 below), because it is frankly an insane idea, especially for as tight a security structure as the NSA needs to be. I am not sure, but the same would probably apply to other, similar organisations. Just think back a few years to how many high-end security companies were hacked.

First of all, we need to agree on what system administration is today, and on what defines a big system and a big data breach.

As for the definition of a system administrator and of system administration in IT, I like this rather old quote:

The job of a system administrator is like this: "On one side, you have a set of resources: computers, networks, software, etc. On the other side, you have a set of users with needs and projects--people who want to get work done. Our job is to bring these two sets together in the most optimal way possible, translating between the world of vague human needs and the technical world when necessary."

"Perl for System Administration", David N. Blank-Edelman, ISBN 1-56592-609-9, first edition, July 2000. It predates some big meltdowns in IT, but it is still relevant today.

It shows the important role of controlling the system, which also assumes understanding the system and its architecture. Basically, it describes someone who is part of the system, not an outsider. This is extremely hard to achieve today because of the huge size of big systems, and because of policies, management and organisational issues (the same applies to agencies and big corporations, although sanity more often prevails in the corporate world). In "How Did Snowden Access All That Data?" (SANS NewsBites, August 24 & 26, 2013, Excerpt #2), the incident is presented in more detail, and it shows disturbing similarities to common big data breach incidents. If we look back at the Verizon reports on big data breaches, especially the first one from 2008, what stands out is the set of big unknowns in each compromised system. That report also gives a good description of "a big system" and "a big data breach". These big unknowns become all the more interesting when observed from the system administration perspective (Excerpt #3).

The "unknown" numbers are:
• unknown data: 66%
• unknown network connections or accessibility: 27%
• unknown accounts or privileges: 10%
• unknown system: 7%

This simply means that the "unknown" issues were off the radar: either no one was responsible for administering such a system, or the system administration was lousy. In a well-administered system such unknowns should be impossible, so why do they exist, and why did no one care about them? Such data is visible if you do some system mapping or log data analysis, so the right question is "why does no one in management care, and what is the rationale behind this careless approach?"
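To make the "system mapping or log data analysis" point concrete, here is an added example (not code from the original post, the NSA or Verizon) that reconciles what an organisation thinks it has with what its own data shows, and sorts the differences into the four "unknown unknowns" categories. The inventory, the ARP table, the firewall log lines, the file-scan results and the account dumps are all constructed for the example; the hostnames, networks and account names are assumptions, not real systems.

```python
"""Audit constructed observations against a constructed inventory for the four
"unknown unknowns": unknown system, unknown data, unknown access, unknown account.
Added example for this post; every host, address and account below is made up."""
import ipaddress
import re

# Constructed inventory: what the organisation *believes* it runs, what data each
# host is allowed to hold, and which networks may reach it.
INVENTORY = {
    "db01":  {"data": {"customer_pii"}, "allowed_from": {"10.1.0.0/16"}},
    "web01": {"data": set(),            "allowed_from": {"0.0.0.0/0"}},
    "bak01": {"data": set(),            "allowed_from": {"10.1.0.0/16"}},
}
# Constructed identity directory plus local service accounts that are allowed to
# exist outside the directory (assumption for the example).
DIRECTORY_ACCOUNTS = {"alice", "bob", "svc_backup"}
KNOWN_LOCAL_ACCOUNTS = {"root", "postgres"}

# Constructed observations, as a sysadmin would collect them.
ARP_TABLE = """\
10.1.5.10 db01
10.1.5.11 web01
10.1.5.12 bak01
10.1.5.99 oldtest
"""
FIREWALL_LOG = """\
2013-09-20T10:01:02 ACCEPT src=10.1.7.4 dst=10.1.5.10 dport=5432
2013-09-20T10:02:15 ACCEPT src=203.0.113.7 dst=10.1.5.12 dport=22
2013-09-20T10:03:40 ACCEPT src=198.51.100.9 dst=10.1.5.11 dport=443
"""
FILE_SCAN = """\
bak01 /srv/dumps/customers_2013.csv customer_pii
db01 /var/lib/pgsql/data customer_pii
"""
PASSWD_DUMP = """\
db01 alice
db01 postgres
bak01 svc_backup
bak01 temp_contractor
web01 bob
"""
FW_RE = re.compile(r"ACCEPT src=(\S+) dst=(\S+) dport=(\d+)")


def _records(text):
    """Yield the whitespace-separated fields of each non-empty line."""
    for line in text.splitlines():
        if line.strip():
            yield line.split()


def parse_arp(text):
    """Map IP address -> hostname from a constructed 'ip hostname' table."""
    return {ip: host for ip, host in _records(text)}


def unknown_systems(ip_to_host):
    """Hosts answering on the network that the inventory does not list."""
    return sorted((ip, h) for ip, h in ip_to_host.items() if h not in INVENTORY)


def unknown_data(text):
    """Sensitive data found on a host the inventory does not record as holding it."""
    return [(host, path, label) for host, path, label in _records(text)
            if label not in INVENTORY.get(host, {}).get("data", set())]


def unknown_access(text, ip_to_host):
    """Accepted connections whose source is outside the destination's allowed networks.
    A destination missing from the inventory has no allowed networks, so it is flagged."""
    findings = []
    for line in text.splitlines():
        m = FW_RE.search(line)
        if not m:
            continue
        src, dst, port = m.group(1), m.group(2), int(m.group(3))
        host = ip_to_host.get(dst, dst)
        allowed = INVENTORY.get(host, {}).get("allowed_from", set())
        src_ip = ipaddress.ip_address(src)
        if not any(src_ip in ipaddress.ip_network(n) for n in allowed):
            findings.append((src, host, port))
    return findings


def unknown_accounts(text):
    """Local accounts present in neither the directory nor the local allowlist."""
    known = DIRECTORY_ACCOUNTS | KNOWN_LOCAL_ACCOUNTS
    return [(host, user) for host, user in _records(text) if user not in known]


def audit():
    """Run all four checks and return the findings per category."""
    ip_to_host = parse_arp(ARP_TABLE)
    return {
        "unknown system": unknown_systems(ip_to_host),
        "unknown data": unknown_data(FILE_SCAN),
        "unknown access": unknown_access(FIREWALL_LOG, ip_to_host),
        "unknown account": unknown_accounts(PASSWD_DUMP),
    }


if __name__ == "__main__":
    for category, findings in audit().items():
        print(f"{category}: {findings}")
```

Each check is a comparison of two sources the administrator already has; the point is that the findings (a forgotten test box, a customer dump on the backup host, SSH accepted from the Internet, a contractor account nobody registered) only appear if someone owns both the inventory and the observations and bothers to diff them.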

When all this is put together, it makes a rather scary picture: a lack of administration, a lack of care and, most of all, a lack of interest in the actual state of the system. I'll put my money down and say that this probably happened because someone was cost cutting, as usually happens when a part of the organisation that is not related to the primary business is removed. It is hard to say, but this goes for most big organisations. In the introduction to "Low Tech Hacking", the author summarises almost exactly the same situations as the reason such incidents keep happening. It is easy to forget that today's infrastructure is handling data, and that that data is the base of your core business, whatever business it is.

As with any other problem of such impact and scale, this must have something to do with the management of these organisations. Removing system administration looks desperate, and it is frankly impossible, since system administration means keeping the system operational. The Snowden case looks like a direct transfer from the Verizon report, specifically the part about consultants, contractors and data breaches. So how can removing the sysadmin function help? Probably only in that the owner of the cloud will now be the one to blame for future incidents. It is like renting a car and not checking the state of the vehicle before driving off: if it crashes it is not my fault, as I was only transporting my precious belongings in it. The best solution would cost more than just applying best practices and remembering that, whatever your business is, it depends on the IT infrastructure.



Here are the relevant parts of the articles mentioned; since the editors' notes are so interesting, I have put the whole quotations below.
-----------------------------------------------------------------------------------------------------------------------
Excerpt #1: SANS NewsBites, August 13, 2013, "NSA Plans to Eliminate System Administrators":
In an effort to reduce the risk of information leaks, the US National Security Agency (NSA) plans to get rid of 90 percent of its contracted system administrator positions. NSA Director General Keith Alexander said that the agency plans to move to an automated cloud infrastructure. Speaking on a panel along with FBI Director Robert Mueller at a security conference in New York, Alexander referred to the recent revelations about the scope of NSA surveillance, noting that "people make mistakes. But ... no one has willfully or knowingly disobeyed the law or tried to invade ... civil liberties or privacy."


http://arstechnica.com/information-technology/2013/08/nsa-directors-answer-to-security-first-lay-off-sysadmins/


http://www.theregister.co.uk/2013/08/09/snowden_nsa_to_sack_90_per_cent_sysadmins_keith_alexander/

[Editor's Note (Paller): A huge revelation to executives of the Snowden affair is illuminated in this decision by NSA. System administrators are powerful - too powerful. In the mainframe era, IBM and its customers invested 15 years (1967-1982) building strong controls into computers, specifically to constrain the power of the systems programmers. System administrators are now as powerful as system programmers were in the 60s and 70s, and are unconstrained. NSA is in the vanguard of a major shift coming to every organization that cares about security. The immediate implementation of the top 4 controls in the 20 Critical Controls is a core survival task for IT security organizations. See Raising the Bar for evidence (http://csis.org/publication/raising-bar-cybersecurity). Organizations failing to implement those quickly should anticipate an unstoppable board-level push to outsource system administration and management to the cloud providers.]
-----------------------------------------------------------------------------------------------------------
Excerpt #2: SANS NewsBites, August 24 & 26, 2013, "How Did Snowden Access All That Data?":
The US government is having difficulty figuring out exactly what data Edward Snowden took while working as a contractor at the NSA because Snowden was careful to hide his digital footprints by deleting or bypassing electronic logs. The incident illustrates problems inherent in the structure of the data systems if they were so easily defeated. It also appears to refute assurances from the government that NSA surveillance programs are not subject to abuse because they are so tightly protected.

http://www.zdnet.com/how-snowden-got-the-nsa-documents-7000019860/

[Editor's Note (Murray): If the user can cause or prevent entries in a log or journal, then it is not reliable. Admittedly, the process-to-process isolation problem was difficult when we tried to solve it with software in expensive hardware. Perhaps their contractors have not told the NSA that hardware is now cheap.]
-------------------------------------------------------------------------------------------------------------------------
Excerpt #3: Verizon 2008 Data Breach Investigations Report, p. 24:

Unknown Unknowns

Throughout hundreds of investigations over the last four years, one theme emerges as perhaps the most consistent and widespread trend of our entire caseload. Nine out of 10 data breaches involved one of the following:

• A system unknown to the organization (or business group affected)
• A system storing data that the organization did not know existed on that system
• A system that had unknown network connections or accessibility
• A system that had unknown accounts or privileges

We refer to these recurring situations as “unknown unknowns” and they appear to be the Achilles heel in the data protection efforts of every organization—regardless of industry, size, location, or overall security posture.

