Sunday, October 07, 2001

Network Security

In a recent email bulletin, David Raikow of Smart Partner Magazine seems to blame the spread of the Code Red virus on bad systems administration, noting that Microsoft had released a patch that would have blocked the virus one month earlier.

While he doesn't draw any solid conclusions or make any recommendations in his article (!), the implication is that sysadmins are a weak link in allowing their systems to go unpatched.

This is completely unfair! It is ignorant to blame the sysadmin when the balance of stability, functionality and security breaks down. I believe this is true for many reasons:

  1. most sysadmin groups are understaffed and under-budgeted. Reduced staffs cannot keep up on the list of new patches, determine their impact with other software systems and find off-peak times to install them.

  2. more attention is paid to internal issues than external ones. Does email work? Can the users print? Those types of fires are fought continuously, and prevent most small sysadmin groups from addressing more complex issues like security. How about huge issues, like switching colocation facilities when your provider files for bankruptcy?

  3. sysadmins are not application or QA engineers. If the sysadmin applies some patch, and the whole system breaks, they get 110% of the blame. Any complicated patch must be put through the standard release cycle (you have one of those, don't you?) so the applications can be retested in this new environment.

It would be interesting to watch the upgrade progress of Apache. I know many sites that run 1.3.6 or 1.3.9, updating only when they hit a serious bug (typically an incompatibility of some kind). I doubt many of them know that Apache is something like 1.3.20 now!
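The first step in closing that gap is knowing which of your own servers are behind. The script below is an added example (mine, not the post author's) of that inventory check: it parses the version token an Apache server advertises in its Server header, compares it numerically against a baseline release, and lists the hosts that lag. The baseline 1.3.20, the host names and the recorded headers are all constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Hypothetical baseline: the release the post treats as current.
BASELINE = "1.3.20"

# Matches the product/version token Apache puts in its Server header,
# e.g. "Apache/1.3.9 (Unix)". A server configured to hide its version
# ("ServerTokens Prod") sends just "Apache", which this does not match.
_VERSION_RE = re.compile(r"\bApache/(\d+(?:\.\d+)*)")


def parse_version(server_header: str) -> Optional[str]:
    """Return the advertised version string ("1.3.9"), or None if hidden."""
    m = _VERSION_RE.search(server_header)
    return m.group(1) if m else None


def version_tuple(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 as a < b, a == b, a > b, comparing field by field as
    integers. A plain string compare would rank "1.3.9" above "1.3.20",
    which is exactly the mistake that makes an old server look current."""
    ta, tb = version_tuple(a), version_tuple(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))   # treat "1.3" as "1.3.0"
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def is_behind(server_header: str, baseline: str = BASELINE) -> Optional[bool]:
    """True/False for an advertised version; None when the banner hides it."""
    version = parse_version(server_header)
    if version is None:
        return None
    return compare_versions(version, baseline) < 0


def lagging_hosts(inventory: Dict[str, str],
                  baseline: str = BASELINE) -> List[Tuple[str, str]]:
    """Hosts older than the baseline, oldest first, followed by hosts that
    hide their version, so a silent banner is never mistaken for a patched
    server."""
    behind: List[Tuple[str, str]] = []
    unknown: List[Tuple[str, str]] = []
    for host, header in inventory.items():
        version = parse_version(header)
        if version is None:
            unknown.append((host, "unknown"))
        elif compare_versions(version, baseline) < 0:
            behind.append((host, version))
    behind.sort(key=lambda hv: version_tuple(hv[1]))
    return behind + unknown


# Constructed sample inventory (host -> Server header recorded from a scan
# of one's own network); the hosts and headers are made up for this example.
SAMPLE_INVENTORY = {
    "www1.example.internal": "Apache/1.3.9 (Unix) mod_ssl/2.8.4",
    "www2.example.internal": "Apache/1.3.20 (Unix)",
    "intranet.example.internal": "Apache/1.3.6 (Unix)",
    "legacy.example.internal": "Apache",
}

if __name__ == "__main__":
    for host, version in lagging_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {version}")
```

The banner only tells you what the server advertises, not what is installed: vendors backport fixes without bumping the version, and a hidden banner tells you nothing either way. Treat the list as a worklist of hosts to confirm by checking the installed package on the box, not as the final word.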

Blaming sysadmins for poor security practices is like blaming the CFO when a company doesn't meet the sales goals. Was the CFO involved? Sure. Are they the one to blame? No way.