We (the security community) all know, and make fun of, “Users” and “Admins”. They are derogatory terms in our community. So much so that they could almost be classified as curse words. (I can see the XKCD now: Security stick figure talking to IT stick figure. “You stupid A****“).

While I don’t discount their “contribution” to making my day fun, I feel that a lot of people miss an even bigger threat: Policies and Procedures, or SOPs (Standard Operating Procedures). Those words are virtual kryptonite to anyone in IT, and more so to ‘security professionals’.

But what makes them a threat? Two things:

  1. Everyone hates them, so they are rarely updated (you know… like Windows… stay with me)
  2. Since they are rarely updated (and sometimes even when they are), they are written poorly, or actually create vulnerabilities.

For example: let’s make all the local admin passwords something really difficult and long, and… all the same, so that we can easily administer every machine. This makes updates go smoothly and group policy… Oh wait… we don’t have those problems anymore (or at least they aren’t based on local authentication issues).

Now, policies and documented procedures are good things. I’m not saying they aren’t. What I am saying is that blindly following documented procedures and policies because the guy that trained you said so just doesn’t cut it.

Admins: Challenge that policy; find out the reason why you do what they want you to do. The worst that could happen is that you learn something new. The best is that you change your company’s security posture for the better.

Security Pros: Time to get off your A**** and update the wiki (or the doc/site/binder) so that your successor, or someone new to your team, can hit the ground running.

I also challenge you to look at internet policies/procedures… oh wait… they call those features.