Alexander Pope’s famous quote “To err is human; to forgive, divine” highlights the common flaw found within all of us – that we make mistakes. While insider risks are a real problem in organizations (whether copying data off unto unencrypted USB drives, clicking on malicious sites/links, etc.), the insiders carrying the greatest risk are the ones with all of the access - administrators. One set of risks is posed by a malicious and/or disgruntled administrator, or compromised administrator accounts. A category of tools known as privileged identity management generally does a good job to address this risk. However, a far more common risk is an administrator just making an error.
A reality of many networks today is the continued increase in complexity as organizations expand and adopt the latest technologies. Security policies also grow in complexity over time, especially as business needs evolve. As such, the workload of the administrator has increased – in many organizations, audits and changes across multiple firewalls that incorporate thousands of interdependent rules have grown well beyond human capability.
In the State of Network Security 2012 survey, more than half of the respondents cited time-consuming, manual and error-prone processes (including poor change management) as the greatest challenges of managing network security devices. John Kindervag, senior analyst at Forrester Research confirms that "Our research shows that a lot of downtime is caused by human error and misconfiguration, the more you can automate the better."
In the conversations I’ve had with end users in the last couple of years, I’ve come across more than my fair share of horror stories where manual security operations processes caused major security issues. For example, something as simple as a mistyped IP address in the firewall could cause a network outage or open a security gap. Research we conducted last year revealed that nearly two-thirds of all security-related network outages are due to human error.
Errors also cause misconfiguration and create unnecessary exposures. Look no further than last year’s breach at Tumblr, where server configuration data was exposed due to a security flaw –a missed opening PHP tag.
Firewall configuration errors are all too common and as I examined in one of my previous columns, change management is often a weak link in the security and operations chain. Think about it – manually pouring through what could be thousands of lines of rules and having to enter or change information such as Source, Destination, Service, Application, etc. leaves a lot of risk in the keyboard. I’d like to think I’m a proficient typist, but with that said, I’ve certainly fat fingered a few memos. A memo is one thing, but a rule in a production environment is on another level.
The administrator’s keyboard may be the most dangerous device in your network, but you can’t just take the keyboard away, you must enable the administrator to do his/her job and remove as many opportunities for error as possible.
Questions you must ask (and be able to address):
• Is there a sound process in place to have the proper checks and balances when it comes to pushing changes to a production environment? Software development for example, has long ago realized the benefits of peer code, as incorporated in many modern development methodologies.
• Where and how can automation be leveraged to help reduce errors commonly found in manual security policy management processes? For example, do you have automation that can validate that a change was executed as it was requested and approved?
Process improvement is an important step organizations should always consider as another pair of eyes reduces the chance that an error can slip through the cracks. Just think about all of the opportunities for error in adding, updating or removing a firewall, DLP or IPS policy. Automation is another key to reduce this unnecessary risk. Automating the analysis of what’s actually going on in your network and automating the change workflow (guiding you through the request, risk analysis and design of a firewall rule change, etc.) can significantly improve accuracy in your security policy and reduce the “human error” element.