Your browser is incompatible with this site. Upgrade to a different browser like Google Chrome or Mozilla Firefox to experience this site.

10 Weak Points of Administrative Security

Date:: Dec. 18, 2020
Author:: James Michael Stewart

Tips on how to close common weaknesses in administrative security

Organizations rely on administrators to do a lot. If you’re admin reading this, you know this far too well. To help organizations reduce their security vulnerabilities and reduce the chances of human error here are 10 weak points of administrative security that we need to watch out for, whether we are an admin ourselves or not.

1. Not using two accounts

An admin account is a prized target of attackers. If such an account is compromised, an intruder can use it to further their exploitations easily. To minimize the exposure of an admin account to abuse, you need to have two different user accounts—one a powerful administrator or root account, and the other a regular limited standard user account.

Most of the daily activities of an admin are routine, such as dealing with email, surfing the web, reading documentation, communicating through chat, etc. Thus, performing these activities with a powerful admin account is risk without benefit. You should be logged in with a standard limited user account, and then only use your powerful admin account when absolutely necessary. And even then, you should use it to launch individual apps or terminal windows rather than fully log into a system with it. This habit will greatly reduce the exposure risk of the most powerful accounts in a system.

2. Running scripts without performing a code review

We’re all human and therefore seek out reduced complexity and inconvenience. To this end, you’re often trying to automate as many tasks as possible. This is a great thing to do, as it allows for consistent execution of tasks and minimizes human involvement. However, such automation scripts should either be written in-house or be subjected to thorough static and dynamic code review before use.

3. Reusing passwords

There is no longer any excuse to reuse passwords. This has been a standard security motto for at least three decades. Every time you need to create a new account for your own use, you need to use a unique password. Never, under any circumstances, should you reuse a password. If you need more reasons why, look up your email addresses at haveibeenpwned.com and spycloud.com, then search using the same email address at checkusernames.com and knowem.com.

4. Cleaning up after resolving issues

Dealing with problems is a core task of the administrator. However, you may not always know the singular solution that will resolve the issue. Thus, there may be many stages of trial and error to find the means and methods that work. Changing settings, installing new drives and changing software are potential tasks to fix a problem. However, if these actions are not themselves cleaned up, removed, or rolled back after a workable solution is found, these changes can lead to more complex problems in the future.

5. Falling behind on software updates

How many times have you read about an organization’s compromise which was made possible because they were months behind on installing updates and patches? Don’t be that company. Stay on schedule by testing, approving and installing updates. Whenever possible, you want critical updates installed within a week and important updates within a month.

6. Not taking into account all endpoint devices

The perimeter of a modern network is no longer as clearly defined today as it was a few decades ago. We have evolved our end-user devices or endpoints from workstations, to notebooks and laptops, to mobile phones and tablets, to voice controlled equipment, to IoT, to apps, and to the cloud. Have you even attempted to make an inventory of every endpoint device that can connect to your internal LAN and either view data or make changes? If not, how can you be sure that you have implemented the necessary security mechanisms to protect the environment?

7. Thinking that cloud security does not need to be evaluated

The cloud is being used as the solution to just about every corporate IT issue. Need more capacity? Go to the cloud. Want higher throughput? Put it in the cloud.

Need more resources? Use the cloud. Want faster adoption of new technologies? Tap into the cloud. However, the cloud is just your use of remote computing services.

You still need to perform thorough and consistent security management of the cloud, no matter who the cloud provider might be. You need to consider whether using the cloud is the right security decision, whether a specific cloud provider/server is able to meet your security needs, and how to test and verify over time that the security provided via the cloud is sufficient and improving as needed.

8. Failing to leave a paper trail

Most security efforts are made better, easier and more cost effective through documentation. While you probably don’t enjoy the task of crafting documentation, more than likely you’ve benefited from it at one point in your career. Whether you consulted a technical spec sheet, read a user manual, reviewed a log file, or checked the notes from an operator, you have benefitted from the documentation effort.

When possible, documentation should be automated. But many types of important documentation cannot be easily automated. For example, when implementing a new solution, the specific design, setup, testing, results and alternations made by the admin to get it working need to be written down. Every action and activity that is performed by you when affecting the operation of the IT/IS should be documented. Documentation serves as a tool in troubleshooting, is a record of events, can be used in training, and may support compliance. A good mantra to adopt is document, document, document.

9. Assuming you will always be present and available

Admins are people. They get sick, they go on vacation, they retire, they even get fired. Thus, as an admin you need to be more self-aware and realize you cannot operate as the keystone of an organization if you want that organization to be stable and viable in the long run. You need to focus on consistency, automation and documentation. The core functions of the organization must continue to work, even if you’re out of the office for days or weeks. If you are replaced or someone fills in while you’re temporarily absent, the tasks of administration should be well documented and clearly accessible to the next person needing to perform the tasks and duties of being an admin. You should avoid keeping secrets, other than your own password. You should not keep to-do lists only in their heads.

10. Thinking you need all the power, all the time

As an administrator, you are important and necessary personnel in every organization. However, you also represent a single point of failure. When one person has all the power, privileges, permissions and rights to all equipment, software, and data, they present a huge risk to that organization. An all-capable admin account provides the human admin a wide berth to make mistakes that can be catastrophic, it enables a disgruntled admin to destroy from within, and it can be a prime target for attackers. When the size of the organization permits, there should be several admins with adjacent or slightly overlapping responsibilities and privileges. This is known as separation or segregation of duties. Implementation of user account control on admins reduces the overall risk to the organization.