Just the other day, the Canadian military began investigating how a 30 GB hard drive, still containing personnel's personal information, ended up in a computer hardware recycling depot.
In the past I have been asked by a top lawyer to "just grant" his summer student the same access to network files as he had, since he didn't have the "time" to figure out what was appropriate.
A manager of IT security I worked with was found, just prior to a PCI DSS audit, not to have changed his network password for 15 months, even though company policy was to change passwords every 45 days.
A secretary left their email password as the default one, "Welcome1", thinking it would be easier to remember, not understanding that, because the company still used single-factor authentication for internet-facing email, this left their mailbox open to anyone who cared to try that password.
All of the security errors above come down to people being people: some didn't have the time to worry about it, some didn't think about (or didn't know) the possible consequences of their actions, and possibly someone simply didn't care.
Any of the above situations can be remedied with a little common sense, some training, enforced policies and an understanding of best practices.
In the first case existing policies were not followed. Was it wilful? I doubt it. Most likely the hard drive was never wiped or destroyed because mandatory security training is often given only to "full-time" employees, not contractors. The contracting company pays lip service to passing the policies on to its staff in an attempt to save money on the contract. Hence the person who sent the drive for recycling probably thought they were doing the right thing by saving the environment.
The second situation would have been avoided if a pre-approved, role-based access system had been used to ensure that students were given only what they need (as attested by management) from the start. Pre-defined roles make on-boarding quicker and more secure, and take the guesswork away from administrators, who have more important things to do.
The third issue is solved by following best practices: making existing password policies mandatory and enforcing the domain password policy without overrides (for example, no accounts flagged so that their password never expires). When someone higher up asks the IT administrator for a policy override, the administrator needs to ask whether it is really in the best interests of the company.
Finally, "Welcome1" never got changed because nobody ticked the "User must change password at next logon" box when the password was reset. Even with that box ticked, IT security training would show the secretary that "Password1", their likely second choice, which also meets the complexity requirements, is just as bad an idea, and that a random passphrase would be far more appropriate.
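For administrators of a Windows domain, the checks behind the last two points can be scripted rather than left to memory. The following is an added example, not code from this newsletter or from Front Runner; it assumes the ActiveDirectory PowerShell module (RSAT) and rights to read and modify user accounts. The 45-day maximum age mirrors the policy quoted above, and the account name "jdoe" is a placeholder.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module is installed and the caller can read and modify user accounts.
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 45                      # the policy from the article
$Cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)

# 1. Enabled accounts whose password is older than policy, or which carry the
#    "password never expires" override. Both are what an auditor will look for.
$Stale = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties PasswordLastSet, PasswordNeverExpires, PasswordExpired |
    Where-Object {
        $_.PasswordNeverExpires -or
        ($null -ne $_.PasswordLastSet -and $_.PasswordLastSet -lt $Cutoff)
    }

$Stale | Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires |
    Sort-Object PasswordLastSet | Format-Table -AutoSize

# 2. The effective domain policy, plus any fine-grained policies that override
#    it for particular groups. An override that is not deliberate is a finding.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MaxPasswordAge, MinPasswordLength, ComplexityEnabled, LockoutThreshold
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MaxPasswordAge, AppliesTo

# 3. Clear the override and force a change at next logon for the stale accounts.
#    The override must be cleared first: AD refuses "change at next logon" on an
#    account whose password never expires. -WhatIf previews; drop it to apply,
#    and stagger large batches so the help desk is not flooded on Monday morning.
foreach ($User in $Stale) {
    Set-ADUser -Identity $User -PasswordNeverExpires $false -WhatIf
    Set-ADUser -Identity $User -ChangePasswordAtLogon $true -WhatIf
}

# 4. A reset routine that never leaves the user on a guessable temporary password:
#    generate a random one, set it, and flag the account so the first logon
#    forces a change. The caller hands the value to the user out of band.
function Reset-UserPasswordForcedChange {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $Bytes = New-Object byte[] 18
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($Bytes)
    $Temp = [Convert]::ToBase64String($Bytes)   # 24 chars, mixed case and digits
    $Secure = ConvertTo-SecureString -String $Temp -AsPlainText -Force
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $Secure
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true
    return $Temp
}
# Reset-UserPasswordForcedChange -SamAccountName 'jdoe'   # 'jdoe' is a placeholder
```

Run section 1 before an audit rather than during it; the 15-month password in the story would have shown up on the first line of that table. Section 4 is the fix for "Welcome1": the help desk never types a default, and the "change at next logon" flag is set in the same step as the reset, so it cannot be forgotten.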
It all sounds simple; however, again we come back to people, time and the desire to take the path of least resistance.
The good thing is that I have found in my 17-year career that most people will "do the right thing" if they know what to do and the consequences of not doing it.
IT Security Awareness training classes put on by Front Runner teach best practices and discuss the reasons we need to keep everyone involved. Contact us for details and how we can customize a course for you.
Taking the time to listen to and understand what your instructor is conveying can save your company, and you personally, the heartache of ending up on the wrong side of a hack.
In future issues of Bug & Plugs, I will get deeper into the many subject areas of IT security and how they affect your company and possibly you personally.
Until next time…
Ilmar Kutt – Security Consultant
CISSP, MCSE, ITIL v3 and CISA candidate