Our team has been laser-focused on security-related topics for National Cyber Security Awareness Month this October. If there is any big takeaway from this exercise, it’s seeing how pervasive cyber security is. Cyber security permeates every layer of technology, every node touched, every person involved — from client, to administrator, to developer, and beyond.
Everyone, at every level, is responsible for part of the overall security of a system. Even the most secure systems can be brought down by a weak password, an unpatched vulnerability, or a simple oversight in design. Ensuring that all layers of a system are secure is done by having rigorous and uncompromising standards and policies in place — and making sure they are always followed.
Our guest blog this month covers how IT teams take every precaution to ensure their networks are secure, and how individuals also play a big role in the process by using strong passwords, avoiding phishing scams, and so on.
Some will say there is no such thing as too much security, but overly restrictive security policies can have an adverse effect on the usability of a system. Think about a complex password policy that results in passwords that are nearly impossible to memorize — and then forces the passwords to be changed on a daily basis. A system like this would likely result in users tracking their current password in a variety of ways, some more secure than others (a note under their keyboard, an email to themselves, a sticky note on their monitor, etc.). The way in which people cope with the security policies can make the system less secure in the long run. Thus, in all but the most extreme cases, some level of compromise must be found.
Scott’s blog this month addresses this exact issue by centralizing authentication: putting in place a single sign-on system where one account grants access to multiple systems. This limits the number of passwords an end user has to memorize while still allowing for a robust password policy, so that passwords are strong enough not to be guessed or quickly brute-forced. In addition, he goes deeper into securing user access to systems by managing sudo through Active Directory and implementing System Security Services Daemon (SSSD) to manage access to remote directories and authentication mechanisms.
There’s been a lot of focus on the end user, but that is hardly the sole vector of attack our systems must be able to withstand. At the core of any security policy is locking down your servers. This month, Zach’s blog discusses the importance of promptly installing security patches. No password policy can help you if a hacker can bypass a password and gain root access due to an outdated package. If you know of a vulnerability that should be patched, you can safely assume that hackers are aware of this, too.
To wrap up our National Cyber Security Awareness Month blog series, we have Kirk’s blog, which is a more general piece dealing with SSH security practices. It is definitely a must-read for anyone who administers a server. This piece goes further in depth than the basics by analyzing several SSH security practices and discussing the pros and cons of the different approaches — including when it is appropriate to implement them, and when it is not.
Thank you for your interest in our security blog series for National Cyber Security Awareness Month. This will be the first of many sets of coordinated articles from us in the months to come. Finally [cue Mission Impossible Theme Music], for security reasons, this message will self-destruct in 5…4…3…2…1…