This was too awesome to pass up putting here. By way of Mike Rothman comes a post of 16 dirty little sayings overheard in IT. I’ll add my own commentary to them. What makes this an awesome list? I have heard most of them spoken, multiple times.
1. “It’s only a temporary server. It’s not for production use” This is the bane of sysadmins. This request should always be met with, “what is your hard end date, then?” Too often this uttering is just a way for someone to get something done without properly justifying or defending it and I really hate it. Too often “temporary” turns into “permanent” or even “production” without warning or planning. The only thing worse is when they use their own workstation or some other box without ANY warning. “What do you mean you used your test QA machine to host a new critical ticket system?!” Without admins being complete hard-asses, this would happen constantly.
2. “We’ve tested the backups. They read back just fine. Never restored for real though.”I hate this one too, because if there is one thing I think is most important in IT, it is backups. What is worse, though, is *not* hearing this spoken but having it as the unspoken truth. Too many admins never test restores until a restore request. Always test, always verify. I learned this back in science labs in high school.
3. “Patching? yeah. That’s on our list. We’ve been looking at SUS for a while now, just haven’t got round to it.”Another classic task procrastinated in our field. Funny how the fundamentals fall into that basket so often…
4. “Of course staff know about the security policy. They have to sign a form at induction. I did when I started 5 years ago.” …along with the other 55 pages of new employee information that grazed us like a gnat and we brushed it away to figure out where the nearest bathroom is and how to log into our system.
5. “We have documented procedures. Everybody just ignores them. Except me, of course.”I say this a lot, both at my previous job and my current one, but I admit I sometimes go by memory as well, especially for things I know inside and out and I know the steps have not changed. Again, though, for such a detail-oriented career, IT people too often ignore documented procedures.
6. “Our apps developers do their own thing really. I think they have procedures for promoting code, but I’ve never seen them.” This is common too, especially if newer admins were not involved in creating the infrastructure that the developers use to promote code. This isn’t necessarily such a bad thing as long as the admins can support it (per their job) and there is some audit trail available so they can answer who screwed up production when it happens. Security should at least know how they do this, though, so that this risk is minimized.
7. “Users have been told a hundred times not to share passwords”Yeah, the only cure for this is a clue bat. The best mitigation besides that is simply constantly changing passwords and stringing someone up when something really bad happens with a hijacked account due to sharing. Or perhaps legal/HR when told, “Well, they share the account, so you can’t fire one as we can’t PROVE she did it, it could have been either of them.”
8. “Security Policy. Hang on. We do have one somewhere… Dave! Have you seen that policy file anywhere?”Haha, yup! My last company did this every time an audit was at the doorstep. And despite me writing some up, they rarely got signed off up the chain of command and even less were enforced. In fact, they never were…
9. “We’re developers. The sys admins make our job so difficult. We have deadlines you know!”This one sucks, but as much as it pains me to see it, there is that very difficult task of making sure developers and admins are reminded that we’re all on the same team trying to get to the same clouds in the sky. But both sides do also need to admit that they don’t know the full picture. Too many developers have no idea about networking or systems, and many admins have no idea about proper coding and the efforts involved. Security is one thing, but preventing the business folks from getting jobs done is another thing. At the end of the day, if security is holding the business back, the business could lose revenues enough that security is shown the door.
10. “The auditors needed Internet access. WiFi was the answer”Wow, almost word-for-word I’ve heard this a few times. Also “guests” and “clients” could be put in there. My last job put up an open wireless to do this. Thankfully I’ve not experienced firsthand someone putting up wireless without asking (the last job asked), but I have heard those stories from people in companies far more critical and important than mine. Yikes! Are CFOs really that stupid? Yes. And he also thinks he’s too important for parking spaces and so parks in the fire lane.
11. “Compliance? That’s an HR thing, right?”The age-old “who enforces the company policies?” question. HR or security/IT?
12. “A security breach? Don’t think we’ve ever had one. In any case, we’d just call Dave.”In my last job, that would have been me, hehe. This statement just makes me cringe on a number of levels…
13. “The Managing Director wanted it”I think I’ve heard this more than any other utterance here. Someone in authority pulled their weight and said, “just do it,” regardless of how moronic and terrible the task was. I think this right here is where 80% of our stress comes from.
14. “We had a penetration test last year. We passed with flying colours.”Wow, I love this one! Who the hell actally passes pen tests with flying colors? If so, you had a vulnerability assessment, not a pen test. And the assessors sucked. No one truly passes a pen test. Every environment has issues, and if they are not technological ones, they are logical and procedural ones. Given a week on site, I really believe no pen tester should walk away stumped and with nothing to do (assuming full physical access), I’ve seen stumped external attacks against a really solid firewall before, but full assessments should realistically never come back like this.
15. “Yeah, so it’s SQL injection. But our developers tell us there’s nothing of value in the database anyway.”I’ve heard similar things as well, where developers either don’t think about the data or feign ignorance.
16. “Marketing are the worst offenders. We don’t support FTP so they rented a cheap web server and uploaded data to that instead.” Ahh, human ingenuity. Where there is a will, someone will figure out how to do it, even if it is hokey and terrible and insecure and costly and …so on. This is why security needs to be an enabler, and management needs to be behind security so circumvention doesn’t just happen.