I recently wrote about the problems associated with not understanding common attack techniques when designing an IT environment. I consistently see another factor in breaches: bad hygiene. This encompasses things such as:
- Missing patches
- Default passwords
- Weak passwords
- Unmanaged systems
- Bad ID management practices
My observation is that, at least in some organizations, many of these items are viewed as “compliance problems”. Administrators don’t often see the linkage between bad hygiene and security breaches. For the most part, these hygiene problems will not enable an initial compromise, though they certainly do from time to time. What I see much more frequently is that some unforeseen mechanism results in an initial intrusion, such as SQL injection, spear phishing or a file upload vulnerability, and the attacker then leverages bad administrator hygiene to move more deeply into the environment.
Most man-made disasters are not the product of a single problem, but rather a chain of failures that line up just right. In the same way, many breaches are not the result of a single problem, but rather a number of problems that an attacker can uncover and exploit to move throughout an organization’s systems and ultimately accomplish their objective.
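The chain-of-failures idea above is easiest to see when the hygiene items from the list are checked together rather than one at a time. The following is an added example written for this post, not code from the original article: a small hygiene audit over a constructed asset inventory (all host names, dates, passwords and the `KNOWN_DEFAULT_HASHES` list are invented for illustration, and the SLA thresholds are hypothetical policy values). It flags missing patches, default local admin passwords, unmanaged systems and stale enabled accounts, then adds a finding for hosts that share the same local admin credential, which is the kind of condition that lets an intrusion on one box turn into access to several. Hosts are then ranked by how many findings stack on them.

```python
import hashlib
from datetime import date

PATCH_SLA_DAYS = 30        # hypothetical policy: patches applied within 30 days
STALE_ACCOUNT_DAYS = 90    # hypothetical policy: idle accounts disabled after 90 days
AUDIT_DATE = date(2024, 6, 30)   # constructed "today" for the example


def pw_hash(password: str) -> str:
    # Stand-in credential fingerprint for the example; real tooling compares
    # the hashes the OS actually stores, never plaintext passwords.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed list of vendor/default credentials (example values only)
KNOWN_DEFAULT_HASHES = {pw_hash(p) for p in ("admin", "password", "changeme")}

# Constructed inventory: every host, owner, date and credential is invented
INVENTORY = [
    {"host": "web01", "owner": "app-team", "last_patched": date(2024, 6, 15),
     "local_admin_hash": pw_hash("Winter2024!"),
     "accounts": [{"user": "deploy", "last_login": date(2024, 5, 30), "enabled": True}]},
    {"host": "db01", "owner": "dba", "last_patched": date(2024, 1, 3),
     "local_admin_hash": pw_hash("Winter2024!"),   # same local admin password as web01
     "accounts": [{"user": "oldvendor", "last_login": date(2023, 9, 1), "enabled": True}]},
    {"host": "kiosk07", "owner": None, "last_patched": date(2023, 11, 15),
     "local_admin_hash": pw_hash("admin"),
     "accounts": []},
]


def host_findings(h: dict, today: date) -> list:
    """Per-host hygiene findings: patches, default credential, ownership, stale accounts."""
    findings = []
    if (today - h["last_patched"]).days > PATCH_SLA_DAYS:
        findings.append("missing patches")
    if h["local_admin_hash"] in KNOWN_DEFAULT_HASHES:
        findings.append("default password")
    if not h["owner"]:
        findings.append("unmanaged system")
    for a in h["accounts"]:
        if a["enabled"] and (today - a["last_login"]).days > STALE_ACCOUNT_DAYS:
            findings.append(f"stale enabled account {a['user']}")
    return findings


def shared_admin_passwords(inventory: list) -> list:
    """Group hosts by local admin credential; a group of two or more means one
    compromised host yields local admin on every other host in the group."""
    groups = {}
    for h in inventory:
        groups.setdefault(h["local_admin_hash"], []).append(h["host"])
    return [sorted(hosts) for hosts in groups.values() if len(hosts) > 1]


def audit(inventory: list, today: date) -> dict:
    """Combine per-host findings with cross-host credential reuse findings."""
    report = {h["host"]: host_findings(h, today) for h in inventory}
    for group in shared_admin_passwords(inventory):
        for host in group:
            others = ", ".join(x for x in group if x != host)
            report[host].append("local admin password shared with " + others)
    return report


def prioritize(report: dict) -> list:
    """Hosts with the most stacked findings first: that is where the chain lives."""
    return sorted(report, key=lambda host: len(report[host]), reverse=True)


if __name__ == "__main__":
    rep = audit(INVENTORY, AUDIT_DATE)
    for host in prioritize(rep):
        print(host, rep[host])
```

Run as a script it prints db01 and kiosk07 first, each with three findings, and web01 last with only the shared-credential finding. The point of the ranking is that none of these items is dramatic on its own; the host that is both unpatched and reachable with a credential reused elsewhere is the one that turns a single foothold into a broader breach, and it is that combination, not any one auditor's checkbox, that is worth showing administrators.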
It’s important for network, server, application and database administrators to understand the implications of bad hygiene. Clearly, improving awareness doesn’t guarantee better diligence by those administrators. However, drawing a clearer link between bad hygiene and its security consequences, rather than simply raising the ire of some auditors for violating a nebulous policy, should produce some improvement. That is my intuition, anyhow.
Security awareness is a frequently discussed topic in the information security world. Such training is almost exclusively thought of in the context of training hapless users on which email attachments not to open. Maybe it’s time to start educating the IT department on contemporary security threats and attacker tactics so that they can see the direct connection between their duties and the methods of those attackers.