System administrators -- the security manager's untapped resource
By Crystal Ferraro,
SearchSecurity.com
Site Editor
28 Oct 2003 | SearchSecurity.com

It's no secret that enterprise security departments are overworked and understaffed. The key, industry experts say, is to properly arm your first line of defense -– your general IT staff.

Making sure [security and IT] work together is the single most important thing you can do to secure your organization, said security expert Jeff Posluns at Information Security magazine's recent Security Decisions conference. Posluns is founder of Montreal-based information security consulting and privacy firm SecuritySage Inc.

When security departments enlist the help of admins, [they] will actually be able to secure [their] systems. Without it, it's next to impossible, said Ed Skoudis, security consultant with International Network Services.

The size of a security group in any organization is usually out of proportion with the number of end users it must serve. A group of 10 to 20 security professionals cannot be expected to secure systems and applications for thousands of end users. This is where system administrators come in.

Sysadmins are responsible for the care and feeding of the machines on a daily basis. [They] are your first line of security, whether you want to depend on them or not, Skoudis said.

Many security skills are inherent to what system administrators are already doing. There are security functions within all IT jobs, Posluns said. In fact, understanding the difference between IT and security professionals can be difficult, from a hiring standpoint. Ninety percent of the time it's going to be one person with overlap of these skills, he said.

Typical security-related tasks for an IT professional include patching systems, monitoring system logs, maintaining backup systems and following security rules. A security professional, on the other hand, should be capable of configuring for security, administrating security, understanding patches, handling security documentation and enforcing security rules.

Communication provides a bridge between the security and IT departments. For example, the decision to deploy a patch should be made by security staff, who then turn to the system admins and say, 'Here's an issue; please apply the patch,' Skoudis said.

Unfortunately, this isn't always the case. Skoudis said he doesn't often see cooperation between system admins and security staff in his client companies, which include large financial institutions, health care organizations and government agencies. Seldom do they get into the issue of security for just rank-and-file IT, he said.

System admins should be held accountable for two key areas of security: keeping systems patched and looking for anomalous behavior, Skoudis said. They should be familiar with how to patch -– from generic patching practices to the specific tools used by their organizations –- and understand what kind of anomalous behavior indicates an intrusion on specific machines.

When hiring IT people, an important thing to keep in mind is, 'What security skills do they have?' Posluns said. When evaluating resumes, look for IT-specific responsibilities with security functions.

Mike Chapple, chief information officer of Miami-based marketing consultancy Brand Institute Inc., said security skills are always considered when he's interviewing applicants. Because security is a detail-oriented job, he looks for people who pay attention to detail. For those who will contribute to strategy-oriented security tasks such as developing policies, Chapple looks for good critical thinking, reasoning and analysis skills.

Managers should also consider the certifications that applicants hold. While certifications may not indicate expertise in general security strategy, people who hold certs may be appropriate for your first line of defense. This can be particularly true of vendor certs.

Most of the time, installing and operating a product is going to be an IT function, Posluns said. However, if a system admin doesn't know the technology in detail, he won't be able to apply an organization's security policies. This is where vendor-specific certifications can be helpful. For example, a Microsoft Certified Systems Engineer (MCSE) might be able to take care of Microsoft security in your enterprise.

FEEDBACK: As a network or system administrator, how much of your duties are occupied by security?
Send your feedback to the SearchSecurity.com news team.

techtarget