Monday, May 28, 2007

FBI Security

...or the lack of it, really, at least according to a GAO report that was on the news a couple of days ago.
Problems included lack of encryption (for sensitive data), improper or missing authentication and authorization of users before they accessed sensitive information, and improper or default configuration of network devices.

Usually, network devices come with a default password that's a pain to change because each piece of hardware has a different management interface. Let's say you have five network devices - two switches (from different vendors), a router, a bridge, and a gateway.

Each device will have its own web interface, a different way to set passwords, and a different way it can be accessed. The point is that the lack of a common management interface leads to some very lazy administrators.

Here's my recommendation:
All you network hardware vendors -- can't you work together to create A SINGLE interface that could be used to work with the multitude of devices!?
It'd make life a million times easier for everyone, and make the environment a lot safer. I'm not about to go into the details of what such an interface should have, and would entail, but maybe later.

For now, this is what the FBI should do:
a. Follow a proper process that would track every piece of hardware from cradle to grave
b. Make people responsible and accountable for changing passwords every 2 months (or as often as needed per the security policy)
c. Make sure the results of the password change are updated in a document that lists those devices that could not be modified (maybe they're getting serviced, or were down for some reason), and get to them ASAP
d. Provide a checklist to any manager that has people reporting to him, on whether his employees (and he himself) actually need access to any sensitive data. Be harsh and do not be afraid of treading on egos - do what is important and necessary to keep the country safe. People who mind on the basis of ego are eminently dispensable, and could prove dangerous in their efforts to satisfy their power-hungry needs
e. Every vendor that supplies to the FBI MUST supply a password that is tough to crack (the default password should satisfy existing requirements) - maybe not ALL criteria should be revealed to the vendor, but a few, such as the length, inclusion of special characters, etc. should be mandatory
f. Use password management software to make sure these devices are in compliance at all times (as opposed to 'b') if resistance from people is high
g. All changes should go through Change Management control and sign-off must be received from the proper authorities before changes are implemented
h. Audit the entire organization every 6 months - this may seem too frequent, but it's completely worth the time and effort. After the first 3-4 audits, the time and effort required for each subsequent audit should reduce as long as compliance rules are being properly followed
i. DO NOT make exceptions at any stage - as the cliche goes: a chain is only as strong as its weakest link
j. The default access for any device in its original, default configuration should be DENY_ALL, and then it can be configured to selectively permit traffic and users
k. Use RBAC and ACLs to control, limit, and deny access
l. Use strong and detailed logging at all levels. Storage is cheap - lives are not
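To show what items b, c and f look like in practice, here is an added example (not from the original post or from any vendor's product): a small compliance audit over a constructed device inventory that flags devices whose password is overdue for rotation or still at the vendor default, and keeps the separate follow-up list item c asks for when a device was unreachable. The device names, vendors and dates are made up.

```python
from dataclasses import dataclass
from datetime import date, timedelta


# Constructed inventory: hypothetical network devices, the date their
# management password was last rotated, and whether they were reachable
# when the rotation was attempted.
@dataclass
class Device:
    name: str
    vendor: str
    last_rotated: date
    reachable: bool = True
    default_password: bool = False


INVENTORY = [
    Device("core-switch-1", "VendorA", date(2007, 4, 1)),
    Device("edge-switch-2", "VendorB", date(2007, 1, 15)),                # overdue
    Device("wan-router", "VendorC", date(2007, 2, 20), reachable=False),  # down for service
    Device("bridge-1", "VendorD", date(2007, 5, 10), default_password=True),
    Device("gateway", "VendorE", date(2007, 5, 20)),
]

ROTATION_PERIOD = timedelta(days=60)   # "every 2 months" from the post


def audit(inventory, today, period=ROTATION_PERIOD):
    """Classify every device for the compliance report.

    Returns (compliant, overdue, deferred). 'deferred' is the list from
    item c: devices that could not be changed and need follow-up ASAP.
    """
    compliant, overdue, deferred = [], [], []
    for dev in inventory:
        expired = today - dev.last_rotated > period
        if dev.default_password or expired:
            # An unreachable device cannot be fixed now; record it for follow-up
            (deferred if not dev.reachable else overdue).append(dev.name)
        else:
            compliant.append(dev.name)
    return compliant, overdue, deferred


if __name__ == "__main__":
    ok, late, later = audit(INVENTORY, date(2007, 5, 28))
    print("compliant:", ok)
    print("overdue (change now):", late)
    print("deferred (unreachable, follow up ASAP):", later)
```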

Be safe!
