Welcome to Admin

Lead image: © Andrew Brown, 123RF.com

Acceptable Risk

By Ken Hess

As a system administrator, it's up to you to shield your systems and your users from the threats of malware, including viruses, spam, spyware, and detrimental payloads of all types. It's also your job to protect users from themselves – and to defend your company's assets against malicious attacks originating from outside and inside your network. But, there's only so much you can do. You can patch, update, upgrade, firewall, honeypot, intrusion detect, obscure, and minimize to the Nth degree, but you can't remove all risk. You have to draw the line on risk to determine how much of it you'll tolerate as an acceptable amount.

There's no way to enforce a policy of zero risk tolerance. That is, unless you are going to unplug all of your computers from the network. You'll have to adopt a policy of acceptable risk. A good example of acceptable risk is to allow email attachments through your filtering system. If you allow users to receive email attachments, which can and do carry harmful payloads, you've decided to accept some level of risk.

Another example of acceptable risk is allowing users to have a local account on your systems. The acceptable risk is that you trust your users enough to keep their passwords secret and to maintain a high level of personal security: locking their laptops, preventing over-the-shoulder spying, using a secure VPN connection, keeping anti-virus programs up-to-date, and leaving the personal firewall on.

The risks associated with local login accounts are that they:

Acceptable risk does not mean you are asking for your systems to be exploited, hacked, owned, or compromised. It means you realize there's a reasonable limit to the amount of security due diligence that's possible while maintaining a profitable level of business activity on those systems.

Maintaining an acceptable risk level translates into acceptance of the following aspects of your job as system administrator:

1. Users introduce risks to systems and data.

2. Networked computers are vulnerable to over-the-wire attacks.

3. There are unpublished and unmitigated vulnerabilities in your operating systems.

4. No operating system is secure.

5. Services introduce risks.

Accepting acceptable risk shouldn't keep you up at night worrying about hack attempts, break-ins, defacement, or any of the other dozens of challenges to your well-maintained virtual concertina-wire defense. You should sleep well knowing you've done everything right and everything reasonable to protect your systems.

Part of this risk acceptance process involves a security risk analysis, where you will identify risks, identify loss values, assign priorities, and draft plans for mitigation and remediation.

Your task in this process is to assist in this assessment and to bring your concerns and points of risk to the table during the risk assessment phase. Ultimately, corporate management has the responsibility for risk acceptance. And, should your systems fall prey to some form of compromise, it will be your job to assess the damage and fix what's broken. All in a day's work as a system administrator. It's always a party.

Ken Hess

ADMIN Senior Editor