- Seek Truth and Report It.
- Ethical journalism treats sources, subjects, colleagues, and members of the public as human beings deserving of respect.
- The highest and primary obligation of ethical journalism is to serve the public.
- Ethical journalism means taking responsibility for one’s work and explaining one’s decisions to the public.
Sysadmin by day and IT consultant by night. I drink lots of coffee and solve lots of problems... hopefully.
- Once the server is domain joined, anyone on the domain can SSH into it.
- You may want to lock down your sudoers policy.
- Don't assume group nesting will work: SSSD only looks at the immediate members of a group.
- NOTE: Doing this will explicitly allow only members of the domain group you listed to log in.
- Capitals may be required for the domain name.
- (Please don't) disable it completely (by setting SELINUX=disabled in /etc/sysconfig/selinux) or
- enter the following command for each share you make:
More and more businesses, institutions, and individuals are willing to reason that the cost of a data breach is less than or equal to the cost of treating customer data with the same care they treat their own Social Security number, email password, or bank information. Or at least it seems that way, up until the point at which they get caught or become aware that they didn't invest in securing business data. Like many things, the problem is becoming aware of the issue. So what are the key points of failure in becoming aware? What keeps businesses, institutions, and individuals from securing important data? These are the attitudes I commonly see; they align nicely with the five stages of grief.
1. Shock: But we don't have anything of value to steal. We couldn't be a target.
There are a couple of things in this one that make it interesting. First, it assumes that securing data is about data theft. The theft itself, however, is relatively benign; what the data is used for is what causes the damage. All businesses run on data, criminals run a business of their own, and they want your data precisely so they can use it. By knowing things about you (sometimes even in real time) an attacker can know what you are doing; corporate espionage is a real thing. Depending on their access method they may also be able to appear as you. The other part of this question implies that data is the only thing an attacker wants to steal, but a computer connected to the internet might be just as valuable depending on their purposes. Brian Krebs has an excellent article on this.
2. Denial: We've never had a data breach before.
My favorite quip here is the classic "Well, I've never died before, so maybe I never will!" This is perhaps the worst posture, and it is often held by people who fundamentally don't understand technology, or don't understand that humans get better at any given task over time, including crime. On the flip side, how do you know you have never had a data breach? Often the people who give this as a reason for not investing in a security strategy are the same people who don't have firewall logs, adequate antivirus, or any way to manage workstations, and whose firewalls haven't seen a firmware patch in over five years.
3. Anger: But who would want to attack us?
This one is interesting: the answer might be nobody. Even if the answer is nobody, the problem is that most businesses that have experienced some type of cyber security incident also had that answer. The nature of cybersecurity today is that most attacks are not specifically targeted; in other words, your company is not important to an attacker and they don't care about you. You are the complete opposite of special. To the attacker, your email address just appeared in a leaked list or database of addresses, or maybe it was in the mailbox or address list of someone who already got hacked. If you're an older company or organization it's likely that you have some email addresses sitting out there; check Have I Been Pwned, it's better to know sooner rather than later. Nobody is probably targeting you or your organization, but somebody is always targeting everyone, and targeting everyone is much easier than targeting someone.
4. Bargaining: Having security is inconvenient and slows business down; I only want to secure things that don't have an impact.
This is in some cases true: treating customer data correctly does mean that extra care must sometimes be taken to ensure it is managed properly. Being a sysadmin is a lot like being a private butler in that regard. Your IT staff are stewards of the precious data your company uses to make money, and so are your accountants, your salespeople, and your janitors (yep, they probably have access to every unlocked workstation at night when they are cleaning). If you only secure things that don't have an impact, then the only things you will secure are things you're not impacted by.
5. Depression: There's no way to secure everything, and criminals getting into our systems is inevitable.
Cool, go ahead and put that on your website. This is the most dangerous attitude, and companies that hold it typically don't end up doing business anymore once it is found out. The price of IT security is eternal vigilance.
- Reduced size of IT staff created a dependence on undocumented automated processes.
- Note: When sysadmins are busy and alone they don't document anything. In this case Dennis just didn't care, but it is worth keeping in mind: if documentation is your priority and your sysadmins can't seem to do it, it's probably not because they don't care. Sysadmins are typically nerds, and nerds love to brag about how cool the thing they just built is; sysadmins do this through documentation. It's a personal priority for anyone who takes the role seriously, so if it's not getting done, odds are it's because management hasn't provided IT with enough "free time" to do so. If you're a manager, check yourself before you wreck yourself.
- Inability to step away pinned the stability of Jurassic Park to Dennis instead of an IT team.
- Lack of properly configured logging and alerting systems. Dennis should never have been able to run code against the security system without it first being checked by teammates. Source control is important.
- Lack of redundant systems (ironically, the very systems that should have been there to prevent a T-Rex from eating the company lawyer; that T-Rex might be a subtle allegory for ransomware or other system calamities).
- Lack of adequate logging/alerting systems for the systems Dennis was responsible for.
- Lack of antivirus systems or properly configured workstations. Even though what Dennis wrote was not technically malware, if a sysadmin can write code for your systems without it being authorized and signed through a code signing process, it might as well be. Having some form of application/code whitelisting such as AppLocker is critical in the modern enterprise.
- Our passwords are in a password manager
- Our primary systems are redundant with backups
- Our network is designed to reasonably handle internet outages and gateway failures
- We have antivirus and reporting squared away
- There are a variety of workstations I have left prepared to be deployed in case of hardware failure or in case my process for provisioning new workstations is not understood quickly enough to meet an immediate need.
- In the event that my plane crashes in the Pacific and I’m eaten by sharks the documentation I’ve left behind should be informative enough for another sysadmin to do my job and meet business needs quickly.
I was in Starbucks the other day and overheard a local computer tech helping someone reinstall Windows on their laptop. The tech left and I started a conversation with the laptop owner. His laptop had been infected with ransomware and he, unfortunately, didn't have a backup. We had a short conversation about backups in which the painfully obvious was stated and not much more. Having backups may not sound like a security strategy, but that's because many people think that security is about protecting yourself from bad guys and internet scams. Security is not only about protecting yourself from "hackers", cyber criminals, malware, or online scams; it encompasses a much wider practice. Security is the art of protecting time. In the case of the man I met at Starbucks, what he had lost was documents he had spent time writing, pictures he had spent time taking, bookmarks he had spent time finding, business data he had spent time working on, and a computer he now had to spend time getting fixed using money he had spent time earning.
Correctly thinking about security depends on what you are trying to protect. For most people, at a minimum, that means their own time; for people like myself who have chosen IT as a career it means protecting the time of others as well. To do that well it's important to have a working definition of what security means. I define security as:
"Security is the art of protecting assets, knowledge or time in such a way that the "Cost" of destroying, disrupting, or disappearing them is insurmountably high. The "Cost" of attack is equal to the amount of either negligence or effort that you or an attacker must expend to destroy, disrupt, or disappear the protected asset. Realistically, if someone is able to pay the "Cost" in either time or money to conduct the attack, they can compromise your security."
The following is the collection of advice I wish I could have given him but did not have the time to. It is also the advice I give to family members, coworkers, and people like you who stumble across my website. This is how you increase the cost of an attack.
A. Securing Online Accounts
- Use a password manager and avoid reusing passwords across sites like the plague (side note: it is the plague). LastPass and 1Password are a great starting point, and there are likely many other good online options. In my opinion, the most important thing about a password manager is that it be zero knowledge, meaning that the company running the service you're using has no way to decrypt the data you entrust them to store. If you don't like the idea of storing your passwords online, take a look at offline options such as KeePass, Password Safe, or Perfect Paper Passwords.
- Enable two-factor authentication on all your accounts, especially your chosen password manager.
- Setup for the email account/s you use.
- Recognize the human error factor: humans make mistakes. When you use the web, make sure you're using an ad blocker to avoid malicious advertisements that might lead you to a phishing site; uBlock Origin is great for this. Using third-party DNS is also a great help. Q or greatly increases your security at no cost and is fairly easy to set up on your router or computer.
B. Securing The Personal Computer
- Don't use an admin account for everyday computing; this applies to macOS, Linux, and Windows, no exceptions. Follow the .
- Data security is just as important as account security in most cases. Having backups is the best way to secure your data from accidental deletion, corruption, and ransomware. is free and does a great job of backing up your entire system.
- Run an up-to-date version of your operating system and preferred web browser, and ensure you have security updates installed.
- If your computer does get infected, just nuke and pave. If your system has been compromised, it truly is the only way to be sure you're safe again. Make sure you have a good backup, erase the internal disk, and reinstall your operating system.
A note on antivirus software: I did not mention antivirus here because consumer-grade antivirus products seem to change like the wind lately. In general, if you're looking for an antivirus product I would recommend reading reviews from IT people, as they spend far more time than you can imagine evaluating antivirus solutions for their respective companies. Nearing the end of 2017 I had begun to see a rise in malware that exploits antivirus software to compromise the very systems it was designed to protect. In general, your best antivirus option is an up-to-date computer with the most recent security patches installed, combined with following best practices; B.1 is your best bet.
C. Securing The Data
- If your data is not following the 3-2-1 backup rule, your data does not exist. Make sure you can restore your backups.
- If you're storing sensitive data in the cloud, use some form of "pre-internet encryption". For Windows, Mac and Linux, is probably the gold standard, but there are other encryption tools; even an encrypted zip file is better than nothing. Note: password protected and encrypted are different things. Know the difference and use the right one.
- Back up everything. If it's unimportant data, back it up; if it's important data, back it up again. The number one reason important data can't be restored is that someone didn't think it was important and so did not back it up. If you back up everything all the time, this is an easy pitfall to avoid.
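"Make sure you can restore your backups" is the part of 3-2-1 that people skip. As an added example (not code from the original post), here is what that check looks like in practice: a SHA-256 manifest taken at backup time, a second copy of the data, and a file-by-file comparison of the copy against the manifest that reports missing, altered and unexpected files. Everything in it is constructed for the demo (the temporary source tree, the file names, and the corruption injected into the copy); it touches no real backup target, and the function names are my own.

```python
"""Backup manifest and restore verification (added example, not from the original post).

Take a checksum manifest of the source at backup time, make a second copy,
then verify the copy against the manifest. A restore you have not verified
is a hope, not a backup. All paths and files below are constructed for the demo.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (path relative to root, POSIX form) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): file_sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored_root: Path) -> list:
    """Compare a restored tree against the manifest taken at backup time.

    Returns sorted (relative_path, problem) pairs; an empty list means every
    file came back byte-for-byte. Extra files are reported too: a restore that
    contains something the backup never had is also a wrong restore.
    """
    problems = []
    for rel, digest in manifest.items():
        target = restored_root / rel
        if not target.is_file():
            problems.append((rel, "missing"))
        elif file_sha256(target) != digest:
            problems.append((rel, "checksum mismatch"))
    for p in restored_root.rglob("*"):
        if p.is_file() and p.relative_to(restored_root).as_posix() not in manifest:
            problems.append((p.relative_to(restored_root).as_posix(), "unexpected extra file"))
    return sorted(problems)


def demo() -> list:
    """Build a constructed source tree, back it up, damage the copy, and verify it."""
    work = Path(tempfile.mkdtemp(prefix="backupdemo-"))
    src, copy = work / "source", work / "copy"
    (src / "docs").mkdir(parents=True)
    (src / "docs" / "thesis.txt").write_text("years of work\n")   # constructed sample data
    (src / "photos.bin").write_bytes(bytes(range(256)))           # constructed sample data

    manifest = build_manifest(src)
    shutil.copytree(src, copy)                 # the second copy in "3-2-1"
    if verify_restore(manifest, copy):
        raise RuntimeError("a fresh copy should verify clean")

    # Simulate what a restore test catches: silent corruption or ransomware
    # rewriting a file, a file that never made it into the copy, and a stray
    # file that was never part of the backup.
    (copy / "photos.bin").write_bytes(b"\x00" * 256)
    (copy / "docs" / "thesis.txt").unlink()
    (copy / "stray.tmp").write_text("not in the manifest")
    problems = verify_restore(manifest, copy)
    shutil.rmtree(work)
    return problems


if __name__ == "__main__":
    for rel, why in demo():
        print(f"{why:22} {rel}")
```

Keep the manifest with the backup but also somewhere the backup cannot overwrite it (the "1 off-site" copy is a fine home); if ransomware rewrites both the files and the manifest, the check tells you nothing.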
D. Securing The Network
- If your router can be found at consider getting a different router or looking for firmware updates that fix the issue listed. If your router does not have firmware updates or a fix for a known issue, then it's time to get a different router.
- Take a look at what has to say. If your router has open ports, make sure you have NAT enabled on your router. The best way to avoid a potential conflict is simply not to be there: "True Stealth" is the result you want from the ShieldsUP! test.
- If you have Internet of Things devices on your network, use the method to separate out your network.
- If you have WiFi, make sure you're using a good password, only use WPA2 or better, and disable WPS if possible.
- Use a third-party DNS server on your router; Q or are good options. To find out which DNS server is quickest around you, run the from GRC.com.
- If you don't require devices on your wireless network to talk to each other (this is rare), or have particular devices that don't need to talk to other devices for any reason, consider putting those devices on your guest network. Doing so isolates them from the rest of your network, making them less risky.
E. Securing the Human
This is the hardest part: even if you have done everything else correctly, we are only human and are going to mess something up. Securing the human part of the system comes down to checking yourself as you use your technology. There are a lot of moving parts to this, but in general the following are true and, if followed, will make you less of a risk to yourself.
- Always go to the source. If you receive a phone call from your bank and they want to verify your Social Security number over the phone, just hang up, Google your bank's phone number (or look on the back of your debit card) and call your bank. If it truly was them, you're good to go; if it wasn't, congratulations, you have just evaded an attack. The same applies to handling email phishing messages. A common email I've seen is a message warning that your inbox is about to run out of space. If you click the link, it then prompts you to log in to your cloud email. The right thing to do is ask your email admin whether you are running out of space, or go to the source and find out whether you are approaching a space limit. By going to the source almost all phishing attacks can be thwarted.
- TNO: Trust No One. Criminals don't target computer systems; they target people. Be cautious about giving out information. Well-designed systems and services shouldn't require you to trust the people running them for your data to be safe.
- If it's too good to be true... (you know the rest of this one; your mother told you, my mother told me, the attacker's mother told them, we all know this.) SPOILER ALERT: it is. There is no Indian prince willing his inheritance to you and there is no free iPad you won. There is always a phishing campaign in the works, run by smart people who are looking to make you the sucker. Think about the cost of a phishing message: how much does it cost you to send an email? Right... if it only costs the bad guy a couple of minutes of their time to try to cheat people out of their money, then guess what they are going to do. Furthermore, attackers have reduced the cost of an attack by using automation. The result is that it's no longer a couple of minutes per person phished, it's a couple of minutes per million, and its target is not you... its target is everyone.
- is a great site that will walk you through what you should be aware of.
- is a great resource for reactionary advice.
- There are a lot of good insights from the page at the EFF.
- Roger G. Johnston, Ph.D., CPP is a great read and provides lots of insight into the nature of security.
- Microsoft’s is a great read for fellow systems administrators as is the article
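The mailbox-quota phish described above is a good case for doing "go to the source" mechanically before anyone clicks. This added example (not from the original post) pulls every link out of an HTML email body and reports the two things worth checking: whether the visible link text names a different host than the href really points to, and whether the real host belongs to the mail provider you actually use. The sample message, the hosts in it, and the trusted-host set are all constructed for the demo, and the function names are my own.

```python
"""Show where an email's links really go (added example, not from the original post).

Phishing mail relies on the displayed text saying one thing while the href
points somewhere else. Compare the two, then compare the real host with the
provider you use. The message and hosts below are constructed for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an <a> matters
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text: str) -> str:
    """Lower-cased host of a URL, or of bare text that looks like one."""
    candidate = url_or_text if "://" in url_or_text else "http://" + url_or_text
    return urlsplit(candidate).hostname or ""


def audit_links(html: str, trusted_hosts: set) -> list:
    """Return (href, reason) for every link a reader should not follow blindly."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = host_of(href)
        # Treat the anchor text as a claimed destination only if it looks like a URL.
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and shown != real:
            findings.append((href, f"text shows {shown} but the link goes to {real}"))
        elif not any(real == h or real.endswith("." + h) for h in trusted_hosts):
            findings.append((href, f"{real} is not your provider; go to the source instead"))
    return findings


# Constructed sample: a "mailbox almost full" message with one look-alike link,
# one genuine link to the provider, and one link to a bare IP address.
SAMPLE_EMAIL = """
<p>Your mailbox is 98% full. <a href="http://login.example-mail.co/verify">
https://mail.example.com/quota</a> to keep receiving mail.</p>
<p>Or <a href="https://mail.example.com/settings">check your quota</a> directly.</p>
<p><a href="http://198.51.100.23/unsub">Unsubscribe</a></p>
"""
TRUSTED_HOSTS = {"example.com"}     # the provider this reader actually uses (assumed)


def demo() -> list:
    return audit_links(SAMPLE_EMAIL, TRUSTED_HOSTS)


if __name__ == "__main__":
    for href, reason in demo():
        print(f"{href}\n    {reason}")
```

The first finding is the classic mismatch (the text says mail.example.com, the link goes to example-mail.co); the genuine settings link is not reported; the IP-address link is reported simply because it is not your provider. In either flagged case the answer is the same as for the phone call from "your bank": don't follow the link, open your mail provider yourself and look at the quota there.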
Final Thoughts: We live in a world now where hackers are driving the cost of attacking systems down by having systems and automation do the attacks for them. said it best, I think: "Eternal vigilance is the price of security".