This is fairly common on file servers, and internal applications such as CRM software.  All to often the domain groups Everyone or Authenticated Users will be used to grant access to network resources that only a subset of users need access to.  Often this is done because “eventually more people will need access to the network resource, so well just open it to everyone now”.  But even if others need access to the network resource later this isn’t a very good reason for granting everyone access to the resource.

The group that requested the resource may assume that the resource is not open to everyone (how would they know otherwise) and put data in that folder or application which others within the company shouldn’t have access to.  Now all of a sudden you’ve got a security breach just waiting to happen.  The employees that aren’t supose to have access find out that they have access to it, and start looking around and there’s all this data that they shouldn’t be able to see.  It could be company financials, it could be HR data, it could be the executives vacation photos, or the crown jewel of data your customers personally identifiable information.

Assume that it’s customer data, that hasn’t been masked for one reason or another, and a less than scrupulous employee comes across the data.  Being the less than scrupulous employee that they are they take the data and find a buyer for it, and not all of a sudden your customers all have identity theft issues.  All because someone didn’t set the rights to some network resource correctly.  Talk about something that should have been easy to avoid but is going to cause a lot of pain.

Considering that anywhere from 34% to 70% of data theft is by employees (depending on what report you read) security by obscurity just seams like it isn’t the way to go.

Denny