What we do is part of the information security apparatus of where we work, and that should be part of our job. Over all, a sysadmin should have enough of a security mind-set to call a hard stop on something that sounds suspicious, even if it does come from a higher level manager. When bringing a new admin on-board it is a good thing to see how comfortable they are with your organization's level of delegation. Such as giving the help-desk the ability to handle password resets and account lock-outs, or allowing the identity-management automation to handle account enable/disable which requires delegating that ability to HR types. In any organization of significant size, trust is unavoidably delegated away from the sysadmin for practical (and sometimes other) reasons. To me, that defines appropriate 'paranoia'.ĭisclaimer: it's possible that there may be trusting types who are perfectly stellar admins, but those I've met who really stand out have all had a very healthy tendency in the opposite direction Our polar opposite is the dear trusting user who sees a box pop up with dire warnings and assumes that the box is intended to help them.Īnd when one wonders whether it's required - how many other business functions get to deny prime access to the owners/VPs of the company? It would be entirely reasonable for our owner to have the keys to every door and file cabinet in this building, but he can't have domain admin rights. ![]() Law and medical professionals can't take what people say at face value, either. There are a lot of fields where you have to assume the worst. We do not click 'Yes' unless there's a compelling reason to do so. We do not give access and then narrow down the "known bad" ports, we shut it all down and then open up what's necessary until it works. ![]() We do not install the default, we hit the "custom" button. From the site trying to serve out malware to your users to the patter of bots and script kiddies on your firewall, it's all about keeping entities from convincing your systems and users that they're trustworthy. I think what you were actually getting at is whether a person's brain defaults to trust mode or distrust? A sysadmin fights a concentrated, neverending stream of confidence scam artists. Soapbox: I also know a few people who use big tools like 256-bit full-disk encryption, and then use a backup mechanism that stores their data in the clear, or worse, on some random untrusted remote server. However, in grad school, with possible novel/patentable or for-publication papers, you might want to take a slightly more secure approach. However, when I was an undergraduate student with nothing but my (not-for-publication) papers to preserve, I would never have gone to such lengths. Why? I have a sensitive contact list, emails, trade secrets and material covered by non-disclosure agreements on some of these machines. ![]() Yes, I use full-disk encryption on all my (work, non-server) machines with available data destruction features enabled, even on my iPod. If you're running a university student network, you can easily afford, say, not to hand out RSA SecurID (time tokens) to students to log in. ![]() If you run a bank's network infrastructure, you need more security, but you can also afford to have more security, since it costs money to train users, to purchase and install new technology, and so forth. You have to balance security with usability.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |