alcourt's blog

Solaris in.telnetd

Submitted by alcourt on Tue, 2007-02-13 15:09. Operating System

By now, I'm sure everyone with a Sun system has heard about the widely disseminated vulnerability in Solaris 10's telnetd code. My experiences in managing that issue from early announcement to patch might serve as a warning/aid to others who are looking at security models.

Several lessons were learned as a result of the experience. Some were things that worked well; others were things that I hope will be improved.

  • In the event of a zero day disclosure, the vendor is likely to be among the last to admit to the issue. Sun did not issue an alert until they had something more than "shut down telnetd". Alternative means of learning of security vulnerabilities are a must.

Human monitoring groups

Submitted by alcourt on Tue, 2006-11-14 05:37. Process

I suspect operations groups are going to have real problems soon, and not from the usual causes of automation. It is very common for operations groups to not only monitor the servers, but to take on trivial tasks that need to be done out of hours, sometimes even during the business day, in an effort to relieve the workload on the system administrator.

Here's the problem. Many more systems now store data that may be SOX impacting, or subject to some similar law that strictly regulates access. The system administrators themselves have a strong need to access the box, and usually are a fairly concrete and small team, but operations groups are much larger, and maybe even offshored. I suspect that the access implications of giving these groups the access to do some of these root tasks have not been fully thought out.

Parts of security

Submitted by alcourt on Fri, 2006-11-03 17:52. Operating System

So I've been working on an internal security review and discovering that the bulk of the issues I run into stem from the fact that the users don't seem to understand the need for an audit trail.

To me, security consists of confidentiality, authenticity, and auditability. It's easy to explain the need for the first two, or at least, people don't need me to explain why they are a part of security. I get the usual "But we have a firewall, why do we need security?", but that's minor. When it comes to issues that center around preserving an audit trail, though, I get blank stares and a complete lack of understanding, as if they don't understand at all what I'm talking about, or why a security review would be remotely concerned with maintaining a record of who did what on a system.
