Computer Security Basics

5.1. Administrative Security

Administrative security falls into three general categories:

Overall security planning and administration

This category includes working with management to set a security policy for your organization, publicizing it and gaining management support for it, performing risk analysis and disaster planning, monitoring employees, training users, answering their questions, and so on.

Day-to-day security administration

This category includes creating accounts and assigning security profiles for users (for example, their initial passwords, their password controls, such as how often they must change their passwords, and their login controls, such as what hours they can log in), making sure there aren't security holes in your system, and so on.

Day-to-day system administration

This category includes keeping the system running, doing daily backups, trolling for breaches, and testing the condition of the hardware and software used to sustain operations in times of stress or attack. Although these mundane tasks may not seem especially security-relevant, they're actually vital to any system. Remember that "availability" is a key goal of overall computer security. Day-to-day system administration keeps the system available.
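The password controls named under day-to-day security administration (how often a password must be changed, and related aging settings) are stored per account on Unix systems in `/etc/shadow`. The following is an added example, not code from the book: it audits shadow-format records against a simple aging policy and lists the accounts that fall outside it. The policy values and the sample records are constructed for illustration; a real audit would read the live shadow file and use the organization's own policy numbers.

```python
"""Audit password-aging controls in /etc/shadow-format records.

Added example (not from the book). Shadow fields, colon-separated:
name:hash:lastchg:min:max:warn:inactive:expire:flag
An empty aging field means "not set".
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed policy values (assumptions for this example, not from the book).
POLICY_MAX_AGE_DAYS = 90   # a password must be changed at least every 90 days
POLICY_MIN_AGE_DAYS = 1    # stops users cycling straight back to an old password
POLICY_WARN_DAYS = 7       # users get a week's warning before expiry

# Constructed sample records (hashes are placeholders, not real digests).
SAMPLE_SHADOW = """\
root:$6$saltsalt$hashhashhash:19700:1:90:7:::
alice:$6$saltsalt$hashhashhash:19700:1:90:7:::
bob:$6$saltsalt$hashhashhash:19700:0:99999:7:::
svc_backup:!:19700:0:99999:7:::
guest::19700:1:90:7:::
"""


@dataclass
class Finding:
    user: str
    issue: str


def parse_age(value: str) -> Optional[int]:
    """Return the integer aging value, or None when the field is empty (unset)."""
    return int(value) if value else None


def audit_shadow(text: str) -> List[Finding]:
    """Check every shadow record against the aging policy."""
    findings: List[Finding] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 6:
            findings.append(Finding(fields[0], "malformed shadow record"))
            continue
        user, pw_hash = fields[0], fields[1]
        min_age, max_age, warn = (parse_age(f) for f in fields[3:6])

        if pw_hash == "":
            # An empty hash field lets the account log in with no password at all.
            findings.append(Finding(user, "empty password field (no password required)"))
        elif pw_hash.startswith(("!", "*")):
            # Locked account: password login is disabled, so aging does not apply.
            continue

        if max_age is None or max_age > POLICY_MAX_AGE_DAYS:
            findings.append(Finding(user, f"max password age {max_age} exceeds {POLICY_MAX_AGE_DAYS} days"))
        if min_age is None or min_age < POLICY_MIN_AGE_DAYS:
            findings.append(Finding(user, f"min password age {min_age} below {POLICY_MIN_AGE_DAYS} day(s)"))
        if warn is None or warn < POLICY_WARN_DAYS:
            findings.append(Finding(user, f"expiry warning {warn} below {POLICY_WARN_DAYS} days"))
    return findings


def users_out_of_policy(text: str) -> Set[str]:
    """Names of accounts with at least one finding."""
    return {f.user for f in audit_shadow(text)}


if __name__ == "__main__":
    for finding in audit_shadow(SAMPLE_SHADOW):
        print(f"{finding.user}: {finding.issue}")
```

On the constructed sample, `bob` is reported twice (no maximum age and no minimum age) and `guest` once (empty password field); the locked `svc_backup` account is skipped because password login is already disabled, and `root` and `alice` pass. The corresponding fix on a live system is the administrator's `chage` command (or `passwd -l` for accounts that should be locked), which is why the check reports per account rather than trying to change anything itself.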

This chapter provides some guidelines for sound administration. Most enterprises today are a heterogeneous environment: some legacy functions reside on creaky old mainframes, some business-critical processes are accomplished on a fairly modern computing core, and lots of client/server networks unite a mixture of Windows and Unix users. Wireless implementations accommodate drop-in users and guests, as well as workers who insist on carrying their work to the lunchroom with them. There may even be a layer of mobile devices (PDAs with radios built in) by which a few workers keep in touch with each other during meetings. Each of these systems requires its own series of administrative practices, and each requires administrators to carefully develop security policies regarding its use.

Actually, in some respects, the highest levels of security are the easiest to attain. Most ultra-sensitive systems use an air wall, that is, nothing goes in or out. Each terminal or workstation connects to its own network, and that network goes nowhere else. None of the users' devices are equipped with floppy drives or removable media. And rogue wireless devices (or, in the old days, rogue modems) are usually considered contraband in this environment.

This environment is practical only in a few disciplined organizations. Most organizations connect users to some kind of server or server cluster via a local area network, and the LAN usually connects at some point to the Internet, usually via a firewall. As this arrangement is most common, the bulk of security policies apply to it, although password administration and certain other tenets, such as division of duties and least privilege, certainly apply no matter what server and network configuration is in effect.

Fortunately, the more esoteric the network, the more administrator documentation the vendors supply to describe the security features of their systems. If your organization has government contracts, you may need to observe more stringent security policies established by the government for high-security sites. When your organization gets a security clearance, you'll find out the details of what you need to do.

It is in the vast bog of PC LANs and wireless networks that most security is made or broken. Because of size, staffing, or budget, some organizations may not have dedicated system administrators charged with security administration. In this case, the burden of security administration is likely to fall on the existing system administrators. If your organization can't afford full-time system administration, or if you don't have the appropriate staff to administer a security policy that adequately protects your equipment and information, you should consider hiring a security consultant on a short-term or periodic basis. Such a person can analyze your security risks and needs, help you set up a workable security policy, and conduct periodic security audits. (See the discussion in the later section "Performing a Security Audit.")
