What’s important here is that maybe it was due to a human configuration error (and if it wasn’t, many other incidents have been and will continue to be). With all the technological solutions we have for security issues, we often neglect the human component. This is a somewhat different issue from the one I wrote about before. Here the issue is configuration. People need to be trained to configure products and to review their configurations to check for errors. In most cases this is product-specific training, not the concepts-and-principles training I normally discuss. We make this point in Learning Tree Course 468, System and Network Security Introduction.
One thing we don’t discuss in that course is that configurations need to be checked and verified. My grandfather was a civil engineer. He had an engineering business with other engineers working for him. One thing he insisted upon was the verification of calculations and designs. When I was a young man he told me stories of impossible-to-build designs and miscalculations that were discovered through this review process. The configuration of a router may not be the life-and-death matter that some civil engineering designs can be, but there can be economic consequences to not checking configurations – including system and network compromises.
So there are two aspects of this issue: 1) train people on the tools they’ll be using, and 2) have configurations checked by a person other than the one who created and entered them.
Training people on specific products may or may not require a traditional “class”. People can learn on the job from knowledgeable co-workers. This approach may mean learning only a subset of a device’s capabilities and features, but it may be quicker and just-in-time. Both formal learning and informal learning have their places in this kind of situation and evaluating each for a given situation is important.
Reviewing configurations also requires a reviewer who knows how the device or software should be configured. That means a second person trained (formally or informally) in how the configuration should be planned and carried out. Even writers (bloggers and course developers included…) have editors who check for mistakes. I’ve worked on both sides of the fence, and while editing or reviewing may not seem glamorous, it is an essential and rewarding task. It can also help avoid costly and embarrassing mistakes, yet it is an oft-overlooked one.
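A second reviewer can be helped along by an automated first pass that catches the mistakes everyone has seen before, leaving the human to judge intent. The script below is an added example, not code from the original post or from Learning Tree: it reviews a constructed router-style configuration against a small, hypothetical policy (no permit-any rules, no well-known SNMP community strings, no telnet for management, and remote logging and NTP must be present). The configuration text, the rule names and the patterns are all invented for this example and do not correspond to any real product’s syntax.

```python
"""Automated configuration review (added example, not from the original post).

Reviews a device configuration against a small policy. The configuration text,
the policy checks and the rule names below are constructed for illustration
and do not correspond to any real product's syntax or vendor checker."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample configuration containing the kind of slips an operator
# might make when entering it by hand: a permit-any rule, a default SNMP
# community, telnet left enabled, and remote logging switched off.
SAMPLE_CONFIG = """\
hostname edge-router-01
snmp-server community public RO
access-list 100 permit ip any any
access-list 101 permit tcp 10.0.0.0 0.255.255.255 host 10.1.1.5 eq 443
line vty 0 4
 transport input telnet ssh
 password cisco123
no logging host
ntp server 10.1.1.9
"""


@dataclass
class Finding:
    line_no: int  # 0 means "applies to the whole file" (a required entry is missing)
    rule: str
    text: str


# Per-line checks: (rule id, pattern, explanation). Constructed for this example.
LINE_CHECKS: List[Tuple[str, "re.Pattern[str]", str]] = [
    ("PERMIT_ANY_ANY", re.compile(r"^access-list \S+ permit \S+ any any\b"),
     "rule allows all traffic from any source to any destination"),
    ("DEFAULT_SNMP_COMMUNITY", re.compile(r"^snmp-server community (public|private)\b"),
     "well-known SNMP community string"),
    ("PLAINTEXT_MGMT", re.compile(r"^\s*transport input .*\btelnet\b"),
     "telnet enabled for management access"),
    ("NO_LOGGING", re.compile(r"^no logging host\b"),
     "remote logging disabled"),
]

# Whole-file checks: these lines must appear somewhere. Constructed for this example.
REQUIRED_CHECKS: List[Tuple[str, "re.Pattern[str]", str]] = [
    ("REQUIRE_SYSLOG", re.compile(r"^logging host \S+"), "no remote syslog destination configured"),
    ("REQUIRE_NTP", re.compile(r"^ntp server \S+"), "no NTP server configured"),
]


def review_config(text: str) -> List[Finding]:
    """Return every policy violation found in the configuration text."""
    findings: List[Finding] = []
    lines = text.splitlines()

    # Line-by-line checks, reported with the 1-based line number for the reviewer.
    for n, line in enumerate(lines, start=1):
        for rule, pattern, why in LINE_CHECKS:
            if pattern.search(line):
                findings.append(Finding(n, rule, f"{why}: {line.strip()}"))

    # Presence checks: a required entry that appears nowhere is also a finding.
    for rule, pattern, why in REQUIRED_CHECKS:
        if not any(pattern.search(line) for line in lines):
            findings.append(Finding(0, rule, why))

    return findings


def format_report(findings: List[Finding]) -> str:
    """Render findings as one line each, sorted by line number for easy review."""
    if not findings:
        return "no findings"
    rows = []
    for f in sorted(findings, key=lambda x: (x.line_no, x.rule)):
        where = f"line {f.line_no}" if f.line_no else "file"
        rows.append(f"{where}: {f.rule}: {f.text}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(format_report(review_config(SAMPLE_CONFIG)))
```

A checker like this is a supplement to the second-person review the post calls for, not a replacement: it only finds what someone thought to encode, so its rule list should itself be reviewed and extended whenever a new class of mistake turns up.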
Do you have someone review your device and software configurations? If not, why not? Let us know in the comments below.