Attention sysadmins! Here’s how to dodge bullets in a post-Ashley Madison world
You've no time to get lazy
If the Ashley Madison saga has taught us one thing – well, many things, but one main thing – it is this: never, ever, ever use a work email account for personal pursuits online.
Once trawled, data from the leaked site revealed that thousands of those with Ashley Madison accounts – presumably men, given the site’s overwhelming demographic – had registered those accounts with email addresses on work domains in government, the police and the military.
Data also revealed IBMers led the tech pack of hopeful philanderers.
How can this happen? “I can resist anything but temptation,” said Oscar Wilde, but what of complacency? Managing suits is one thing; managing IT staff can be quite another, especially on IT-related matters, where an atmosphere of “we know best” often pervades.
As Ashley Madison has proved, sentiment is not only hard to control – it can be costly, embarrassing and potentially career limiting.
So, here's a helpful reminder of how to avoid becoming a victim, tried and tested in the field.
1. User privileges (and abuse thereof)
We all know it is good practice to keep separate everyday login accounts and administrative accounts. Admittedly, after a while the process becomes tedious: switching between accounts and juggling multiple passwords. But it limits the damage malware can do, since it can spread only as far as a – hopefully – restricted user account allows, and it stops you deleting documents you didn’t mean to.
We've all read about the accidental rm -rf / that has wiped out a server. Why risk it? If you are the admin, use the admin account for its purpose, then log out of it! I have seen this situation occur several times in smaller shops, where admins' laziness leads to shortcuts such as giving their supposedly non-privileged login accounts administrator rights.
Even worse, some just log in as the administrator. At a stroke, one of the key security measures anyone can take is wiped out. Of course, you could audit the actions in question, but who would be doing the auditing, or paying for it? Who watches the watchers?
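To make the point concrete, here is an added example of the kind of check an auditor could actually run; it is not code from the original article. A small Python script reads passwd and group files in the standard colon-separated format and flags everyday login accounts that have been handed administrator rights, either by membership of a privileged group or by a second UID-0 entry. The group names in ADMIN_GROUPS, the "-adm" naming convention for dedicated admin accounts, and the sample entries are all assumptions constructed for the example.

```python
"""Flag everyday login accounts that have quietly acquired admin rights.

Added example, not code from the original article. Parses passwd(5)/group(5)
style files. Assumptions: the groups in ADMIN_GROUPS confer root via sudo/su,
and dedicated admin accounts follow a "<user>-adm" naming convention.
"""
import os
import re

ADMIN_GROUPS = {"wheel", "sudo", "admin"}   # assumption: adjust for your site
ADMIN_ACCOUNT = re.compile(r"-adm$")        # assumption: local naming convention
NO_LOGIN_SHELLS = ("/nologin", "/false")    # system accounts, not interactive logins

# Constructed sample data for offline runs (not taken from any real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
alice-adm:x:1002:1002:Alice (admin):/home/alice-adm:/bin/bash
bob:x:1003:1003:Bob:/home/bob:/bin/bash
toor:x:0:0:second root:/root:/bin/sh
"""
SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:
sudo:x:27:alice-adm,bob
users:x:100:alice,bob
"""


def parse_passwd(text):
    """name -> {uid, gid, shell} for each non-comment passwd line."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, uid, gid, _gecos, _home, shell = line.split(":")
            users[name] = {"uid": int(uid), "gid": int(gid), "shell": shell}
    return users


def parse_group(text):
    """name -> {gid, members} for each non-comment group line."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, gid, members = line.split(":")
            groups[name] = {"gid": int(gid),
                            "members": {m for m in members.split(",") if m}}
    return groups


def audit(passwd_text, group_text):
    """Return (account, reason) pairs for accounts that break the separation."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    findings = []
    for name, u in users.items():
        # Any second UID-0 account is root by another name, whatever it is called.
        if u["uid"] == 0 and name != "root":
            findings.append((name, "uid 0 (root alias)"))
        # Dedicated admin accounts and system accounts are expected in admin groups.
        if ADMIN_ACCOUNT.search(name) or u["shell"].endswith(NO_LOGIN_SHELLS):
            continue
        # Membership counts whether listed explicitly or via the primary group.
        for gname in sorted(ADMIN_GROUPS.intersection(groups)):
            g = groups[gname]
            if name in g["members"] or g["gid"] == u["gid"]:
                findings.append((name, f"everyday login in admin group {gname}"))
    return findings


if __name__ == "__main__":
    # Use the real files when present, otherwise the constructed sample.
    if os.path.exists("/etc/passwd") and os.path.exists("/etc/group"):
        with open("/etc/passwd") as p, open("/etc/group") as g:
            results = audit(p.read(), g.read())
    else:
        results = audit(SAMPLE_PASSWD, SAMPLE_GROUP)
    for account, reason in results:
        print(f"{account}: {reason}")
```

On the sample data the script reports bob (an ordinary login sitting in sudo) and toor (a second UID-0 entry), while alice-adm is accepted as a dedicated admin account. Run it from cron and diff the output against the previous run and you have the cheapest possible answer to "who is doing the auditing".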
2. Password laziness
Equally annoying is the need to remember multiple passwords. Once the fourth or fifth password for a system that isn’t tied into Active Directory has to be remembered, it gets onerous. This one isn’t totally on the administrators.
Sometimes company-enforced password rules become so complex that it is easier to just add a sequential digit or some other character to the end of the password once you have committed the initial password to muscle memory.
I have worked at a company where people were forced to change passwords for some unknown reason. Everyone typed in a new complex password, as complicated as the last one (or the old one with a random character added). One of the passwords would take.
It later transpired that the CTO had decided these ultra-complex passwords were not complex enough. I’d hate to think of the number of helpdesk calls that one created.
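A password-change hook can catch the sequential-character habit before it takes hold. The following is an added example, not the article's or any vendor's code: a Python check, in the spirit of pam_pwquality's difok rule, that rejects a new password that is merely the old one with its trailing digits or punctuation changed, its case flipped, or fewer than a configurable number of genuinely new characters added. The MIN_NEW_CHARS threshold and the sample passwords are assumptions made for the example.

```python
"""Reject 'same password with a character tacked on' at change time.

Added example, not code from the original article or from pam_pwquality; it
only borrows that module's idea of requiring a minimum number of new
characters (its 'difok' setting). MIN_NEW_CHARS is an assumed site value.
"""
import difflib
import string

MIN_NEW_CHARS = 4  # assumption: characters of the new password not reused from the old
DECORATION = string.digits + string.punctuation + " "


def strip_decoration(password):
    """'Winter2015!' -> 'Winter': drop the digits and symbols people bolt on."""
    return password.strip(DECORATION)


def new_chars(old, new):
    """Count characters of `new` that are not matched, in order, against `old`."""
    matcher = difflib.SequenceMatcher(None, old, new)
    matched = sum(block.size for block in matcher.get_matching_blocks())
    return len(new) - matched


def is_trivial_variant(old, new):
    """True if `new` is just `old` with decoration, case or a few chars changed."""
    if old == new:
        return True
    # Winter2015! -> Winter2016!, Password1 -> Password2, pass! -> PASS?
    # (A password made entirely of digits/symbols strips to '' and so always
    # matches another such password; those should not pass policy anyway.)
    if strip_decoration(old).lower() == strip_decoration(new).lower():
        return True
    # Summer2015a -> Summer2015b: only one genuinely new character
    return new_chars(old, new) < MIN_NEW_CHARS


def check_change(old, new):
    """Return None if the change is acceptable, else a message for the user."""
    if is_trivial_variant(old, new):
        return ("new password is too similar to the old one: it must contain "
                f"at least {MIN_NEW_CHARS} characters not reused from the old one")
    return None


if __name__ == "__main__":
    # Constructed sample pairs (old, new) to show what the check accepts.
    for old, new in [("Winter2015!", "Winter2016!"),
                     ("Summer2015a", "Summer2015b"),
                     ("Tr0ub4dor&3", "correcthorsebatterystaple")]:
        verdict = check_change(old, new) or "accepted"
        print(f"{old!r} -> {new!r}: {verdict}")
```

The check needs the old password in clear, which is only available at the moment the user proves they know it, so it belongs in the change flow (a PAM stack, a web application's change-password handler), never in a batch job over stored hashes. The corollary for the CTO in the story above is that forcing longer, stranger passwords without such a check mostly produces the same password with one more character on the end.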