Lack Of Manpower Leads To Insecurity

The "PHPBB Password Analysis" blog entry here on Dark Reading by Robert Graham offers some truly interesting insight into how users choose passwords -- great info for infosec pros and hackers alike. What I want to point out is something Robert mentions about the phpBB hack in his company's Errata Security blog that goes into more detail about the incident, including mitigation ideas. The people handling phpBB.com "didn't have enough manpower to get the patch installed before they were hacked," Robert said.The group responsible for phpBB.com certainly deserves credit because they are helping with an incredibly popular open source project, but can you imagine what would happen in the corporate world if the same happened? What would your boss say if you told him all of your accounts had been exposed and that cracked passwords were on the Internet because you didn't have the manpower to patch your systems to prevent the exposure?

Now, I will admit that I see some of these excuses in the academic world that I deal in every day, but it comes down to a business decision by management on what's most important. Is keeping things at status quo and risking a breach the most economical decision, or should they add some staff to help prevent the breach, which is bound to cost more than the additional staff? For me, that's a no-brainer, but I think some managers will take the risk because they see companies like TJX and Heartland still in business and no concrete numbers on how much a breach really costs.

Management is certainly the group responsible for making sure staffing is adequate to meet the needs of an organization, but it's not just their fault when things fail and breaches happen. IT staff needs to step up to make sure that management knows there is a shortfall in human resources to manage the IT resources. If you're pulling 70-hour weeks to get everything done, management may think things are fine because everything is getting done. Speak up and let them know. If they don't listen, it might be time to start looking for a new job.

I'd be remiss if I didn't also state that there is also a technical and professional responsibility for IT staff, especially infosec staff, to keep abreast of advisories and exploits that could affect their systems. The guys and girls out there looking to hack your systems do as Robert mentions in his blog.

Take the time to monitor sites like Milw0rm and PacketStorm using your RSS reader -- you might just get a leg up on the attacker, save the day. and get the girl...OK, maybe not all of that, but at least you'll be better at your job because you have a better idea of what's out there.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.