5.3. Day-to-Day Administration
Day-to-day system administration encompasses many activities, but most focus on keeping your computers and networks running smoothly by maintaining equipment, making sure there's sufficient space on the system disks, and protecting the system and its software from damage. Examples include making sure users can't modify system software; checking each new release of a vendor's software, especially fixes to security problems, to be sure such problems have really been fixed; and insisting that users or system administrators promptly patch any security holes or other bugs that are discovered.
It is essential to monitor various groups and news wires, as well as official sites of your vendors, so that you are aware of potential problems. Unfortunately, there are still instances where a patch to one problem breaks something else, especially in cross-vendor situations. The most affluent of organizations maintain test networks in which checks are made to make sure the cure is not worse than the disease prior to pushing out software updates. If you would prefer to get a holiday bonus rather than get more problems to worry about, stay tuned to security web sites for news of troubles with bug fixes and patches.
5.3.1. Performing Backups
Backups of your system and all the data stored on your system are absolutely essential if you expect to be able to recover from a disaster. What kind of disaster? It might be a natural disaster, such as a fire or a flood. It might be a crime, such as a system intruder's meddling, vandalism of your computer room, or theft of a computer or a disk. It might be a hardware or software failure or a user error (e.g., deleting the latest version of a document or the latest release of some development software). Whatever the cause, and whatever the extent of the damage, you will be able to recover eventually if you have recent backups of all your system data.
In a PC environment, many system administrators discover that critical documents on a user's machine often disappear when a disk fails. They can help protect against this by providing personal folders in common space on a server. Users are responsible for the contents of their own hard disks. Failure to have these files in a public storage area is not an excuse at your performance review, when a PC failure necessitates rework.
There are many systems for backup. You should do it regularly. Many organizations have well-defined rules about performing backups; if you don't follow the rules, you'll lose your job. But many other organizations have much looser policies. The scheduling and the extent of backups is far more discretionary. In these cases, it's really up to you. You'll find some general guidelines in the "Hints for Backups" sidebar.
What does it mean to perform regular backups? That's an organizational decision: it depends on the number of users in your system, the volume of work, and many other variables. Many organizations perform a full backup (of every file in the system) every night. Others may do a full backup only once a month, or more commonly, once a week, but they do an incremental backup (of everything that's changed since the last full backup) every day. The best rule of thumb is to back up frequently enough that you can afford to recreate the work that may be lost since the last backup.
Like most security practices, however, backups have a cost associated with them. In this case, it is usually network bandwidth and server capability. You'll need to schedule backups in less desirable parts of the day, so that they will inconvenience the fewest users. If your organization operates 24/7, it may be necessary to host redundant systems, so that one can be backed up while the other is live. Fortunately, improvements in fault tolerance, using technical means to limit any single points of failure, and clustering technology, which entails running several computers in parallel to spread the load and provide redundancy, make this economically feasible. It is not necessary for the redundant system to just sit there when it is not being used, it can share the load of normal processing as well.
5.3.2. Hardware and Software Security Tools
Fortunately, today there's a good variety of hardware and software tools designed to prevent network incursion. As I mentioned previously, one of the most important is the firewall. A firewall monitors communications that pass through it, and it can take action against users that seem to be abusing or attacking the network. In some cases, the firewall monitors the Internet Protocol (IP) address of a packet, and if it is not found on a safe list, or is discovered to be on a "deny entry" list, it deletes the packet from the transmission stream, and usually any that follow from the same unauthorized addresses.
A firewall can also monitor the ports used by a communications session. Each protocol has a unique combination of ports available to it over which to communicate information. Using ports allows several different conversations to take place using the same IP address. However, the presence of communications from unexpected ports may indicate that an attack is underway. A firewall can also silence packets to and from undesired ports.
An intrusion detection system (IDS), on the other hand, usually listens to the circuit, taking note if any unusual activity is taking place. For instance, a certain user that constantly connects to a little used disk drive may be storing information there, either for later theft, or perhaps to be used as a tool in a future incursion. Intrusion detection systems usually have large libraries of attack signatures, that is, lists of the steps attackers typically take or have taken in the past to accomplish some attack. If the pattern of these attacks is repeated in a system being monitored by the IDS, the IDS will likely stop the transaction if it can, and place a page or call to an administrator informing of the attempted attack.
A honeypot, sometimes called a honeynet, is a decoy. It is usually placed in an unprotected portion of the network as a lure to attackers. While unauthorized users are checking out the honeypot, their movements are recorded. This helps further develop the library of attack signatures.
Penetration testing, or pentesting is a programmed, usually automated series of attacks that administrators carry out on their own network. The purpose of pentesting is to locate overlooked vulnerabilities. These are then patched, and communications proceeds. Pentesting may be performed by network personnel or by outsiders contracted for the purpose.
5.3.3. Performing a Security Audit
It's a good idea to check on the security of your system by performing periodic security audits. A security audit is a search through your system for security problems and vulnerabilities.
Check your system files and any system logs or audit reports your system produces for dangerous situations or clues to suspicious activity. These might include: