>I thought this post was both a frightening and yet strangely entertaining thought. It has such a ‘Hollywood’ feel to it — perhaps this is why it’s so dangerous.
You’d think that this is an unsustainable business; I mean, don’t admins change their passwords at least from time to time? Don’t vulnerabilities get fixed, making it impossible to find the password in the long run?
Yeah, right. Site admins are probably as conscientious as they can be given their time and budget constraints. Also, it’s increasingly common for organizations to have ‘site admins’ that have more of an editing / web design background than a sysadmin / web dev / infosec background — an unfortunate consequence of increased outsourcing of web development and increased usability of CMS systems.
Nowadays the effect runs the other way: with easy-to-use tools such as Drupal, Joomla, DotNetNuke or SharePoint, you don’t need nearly as many hard skills to administer and maintain a website. I’d go as far as to say that recruiting an admin with a strong technical background for such a role would only lead to the person’s frustration and eventual resignation. However, it does mean that this new generation of site administrators is less likely to exercise proper caution — reading access logs, using strong passwords, performing routine security tests and code reviews, and following security feeds — in order to reduce the chances of the site getting pwned.
Okay wise-ass, I can hear you say, thanks for stating the problem — now what’s the solution?
Sadly, there is no easy solution for this. Ideally, in a small to medium organization, you want the web team to have at least one person managing the content, layout and editing of your website — let’s face it, we techies are generally allergic to such things (anyone who’s worked with me knows not to mention colors in my presence – I get hives). That person is the main ‘business’ liaison and project champion — let’s call him/her the ‘web editor’. Then, on the technical side, you’d have one web development liaison and one sysadmin liaison. You don’t want the person who writes the code to be the one reviewing it, or checking the logs — each person has a set of responsibilities that complements the others. Nobody’s stuck with a laundry list of responsibilities, routine checks are more likely to be performed and, provided that there’s adequate communication between the parties, one generally avoids getting listed on sites such as the one mentioned above.