Okay, so this post is several months late - what can I say, I'm easily distracted and overly busy. Hopefully, if you are reading this post, you've already read the post on hacker personas. Having been on the PSS Security team for over three years now, I've noticed patterns not only in the types of miscreants hacking our customers, but in the types of customers getting hacked by the miscreants as well. As they say over at 'The Onion' - stereotypes are a real time saver; so without further ado I give you 'Admin Personas' . . .
The 'Default' Administrator

Default man, default man - doin' the things the defaults can! That's right - this persona represents probably (sadly) the majority of Windows administrators (60%?).
Sadly, these admins have most likely already been hacked . . . repeatedly . . . for many months if not years, and they've never noticed the intrusion (due to inexperience with the operating system). The default administrator usually only notices the signs of an intrusion after the latest miscreant has gone too far and caused damage to the system (like unexplained reboots or sluggish performance), or after the hacker's hardening efforts (to keep out 're-hackers' or 'leech hackers') go too far and end up breaking the applications or the server in some fashion. I say the 'latest miscreant' because these kinds of boxes are usually hacked by group A, then re-hacked or leech-hacked by group B, and then possibly re-hacked or leech-hacked by group C, who has a bit more clue and, not wanting 'their' server to be stolen by other leech hackers, resorts to hardening the box to prevent re-hacking. Unfortunately, it's usually the 'hardening' of the box during this hacker tug of war that causes breakage and tips off the default administrator that something is not right with the system.
If the default administrator has noticed any 'strange' behavior, they've chalked it up to 'Windows' - because everyone knows how unstable that OS is, right?
These are the cases my team really hates to work, because we have the unfortunate job of pointing to evidence of multiple intrusions occurring over months or years and then having to explain how it all happened (a result of all of the above assumptions being totally wrong) and how to recover. It's an extremely unpleasant and rude awakening for these administrators to the world of security (much like what it must have been like to take the red pill). This situation will, fortunately, be slowly phased out over time as more and more users migrate to XP SP2 and WS2003 SP1 and the OS defaults become secure enough to protect the innocent.
The Skilled Administrator

Possibly 35% of all Windows administrators are what I would consider 'skilled' . . . below are some of the properties of a 'skilled' administrator. The skilled administrator is more cautious than the 'default' administrator - because he's been to SHK University (School of Hard Knocks) and learned some valuable lessons before dropping out.
The 'Sophisticated' Administrator . . .
These guys (perhaps 5% of all Windows admins?) not only went to the School of Hard Knocks but they graduated Summa Cum Laude! Not only that, but their present job requires the highest degree of security - if they get hacked, they get fired, so they've got a real interest in keeping things tight. In addition, their CxOs all fully support security as one of the business's highest priorities (due to an increasing threat of legal liability over improperly secured systems and due diligence laws), and the sophisticated administrator is free to make security policy changes AND have them enforced (security flows from the top down). Believe me, you WANT them on that wall!
These are the basic kinds of administrators we talk to each and every day. These are of course generalizations, but they seem to work so very well . . . which category do you belong to?