<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Security Fight Club &#187; Security</title>
	<atom:link href="http://www.securityfightclub.com/tag/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.securityfightclub.com</link>
	<description>Brought to you by Awareness Technologies</description>
	<lastBuildDate>Sat, 05 Jun 2010 04:08:44 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Security by obscurity is not security at all</title>
		<link>http://www.securityfightclub.com/security-by-obscurity-is-not-security-at-all/</link>
		<comments>http://www.securityfightclub.com/security-by-obscurity-is-not-security-at-all/#comments</comments>
		<pubDate>Tue, 27 Oct 2009 21:00:40 +0000</pubDate>
		<dc:creator>mrdenny</dc:creator>
				<category><![CDATA[Data Loss]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Data Theft]]></category>
		<category><![CDATA[Employee Theft]]></category>

		<guid isPermaLink="false">http://www.securityfightclub.com/?p=39</guid>
		<description><![CDATA[Probably about the worst security plan you can ever use is security by obscurity. In case you aren&#8217;t familiar with the term, security by obscurity is when you count on someone not knowing they have access to something to keep them from accessing it.
This is fairly common on file servers and internal applications such as CRM software.  [...]]]></description>
			<content:encoded><![CDATA[<p>Probably about the worst security plan you can ever use is security by obscurity. <span id="more-39"></span>In case you aren&#8217;t familiar with the term, security by obscurity is when you count on someone not knowing they have access to something to keep them from accessing it.</p>
<p>This is fairly common on file servers and internal applications such as CRM software.  All too often the domain groups Everyone or Authenticated Users will be used to grant access to network resources that only a subset of users need access to.  Often this is done because &#8220;eventually more people will need access to the network resource, so we&#8217;ll just open it to everyone now&#8221;.  But even if others need access to the network resource later, this isn&#8217;t a very good reason for granting everyone access to the resource.</p>
<p>The group that requested the resource may assume that the resource is not open to everyone (how would they know otherwise?) and put data in that folder or application which others within the company shouldn&#8217;t have access to.  Now all of a sudden you&#8217;ve got a security breach just waiting to happen.  The employees that aren&#8217;t supposed to have access find out that they have access to it, start looking around, and there&#8217;s all this data that they shouldn&#8217;t be able to see.  It could be company financials, it could be HR data, it could be the executives&#8217; vacation photos, or the crown jewel of data: your customers&#8217; personally identifiable information.</p>
<p>Assume that it&#8217;s customer data that hasn&#8217;t been masked for one reason or another, and a less than scrupulous employee comes across the data.  Being the less than scrupulous employee that they are, they take the data and find a buyer for it, and now all of a sudden your customers all have identity theft issues.  All because someone didn&#8217;t set the rights to some network resource correctly.  Talk about something that should have been easy to avoid but is going to cause a lot of pain.</p>
<p>Considering that anywhere from <a href="http://redtape.msnbc.com/2007/10/study-id-thieve.html" target="_blank">34%</a> to <a href="http://www.continuitycentral.com/news04572.html" target="_blank">70%</a> of data theft is by employees (depending on what report you read)<a href="http://consumerist.com/313952/36-of-identity-thieves-are-women" target="_blank"> </a>, security by obscurity just seems like it isn&#8217;t the way to go.</p>
<p>Denny</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityfightclub.com/security-by-obscurity-is-not-security-at-all/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Keep those workstations locked</title>
		<link>http://www.securityfightclub.com/keep-those-workstations-locked/</link>
		<comments>http://www.securityfightclub.com/keep-those-workstations-locked/#comments</comments>
		<pubDate>Tue, 13 Oct 2009 18:44:45 +0000</pubDate>
		<dc:creator>mrdenny</dc:creator>
				<category><![CDATA[Data Loss]]></category>
		<category><![CDATA[External Threats]]></category>
		<category><![CDATA[Internal Threats]]></category>
		<category><![CDATA[Networks]]></category>
		<category><![CDATA[Browser Security]]></category>
		<category><![CDATA[Domain Policies]]></category>
		<category><![CDATA[Passwords]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.securityfightclub.com/?p=113</guid>
		<description><![CDATA[Everyone in IT knows why you don&#8217;t leave your workstation unlocked when you leave your desk.  It&#8217;s because your co-workers will send fart jokes to the boss from your machine as punishment.  However, there are actual security reasons for not leaving your machine unlocked.
When you leave your workstation unlocked you are giving anyone that walks [...]]]></description>
			<content:encoded><![CDATA[<p>Everyone in IT knows why you don&#8217;t leave your workstation unlocked when you leave your desk.  It&#8217;s because your co-workers will send fart jokes to the boss from your machine as punishment.  However, there are actual security reasons for not leaving your machine unlocked.<span id="more-113"></span></p>
<p>When you leave your workstation unlocked you are giving anyone that walks by access to everything on your computer: your email, the company intranet, etc.  Anything that you can access without entering a username and password (or that has a saved username and password), they have access to as well.</p>
<p>Have iTunes installed on your work computer with a credit card saved in it so you can grab the new song that just came out?  So do they.  They could download 10,000 songs on your account and you wouldn&#8217;t know it until the next time you opened iTunes or checked your credit card statement.  (I&#8217;m assuming that iTunes will save your credit card, I don&#8217;t actually use it but you get the idea.)</p>
<p>Have usernames and passwords saved in your browser so you can easily log into various websites like your bank, credit cards, forums, etc?  So does anyone who sits at your computer.</p>
<p>You are probably sitting there thinking to yourself, if some strange person was sitting at my desk, someone would notice.  They might, but probably not.  Lots of times I&#8217;ve had strange people sitting in my chair waiting for me with no one around to question them.</p>
<p>If you have an office, you aren&#8217;t exempt.  Yes, I know that you lock your office door at night.  Look around your office: do you have a trash can sitting in there somewhere?  Do you use it?  Is it empty in the morning?  The magic trash can fairy doesn&#8217;t clean out your trash.  Someone who makes way too little money to clean up after the slobs in the office (sorry, I&#8217;m projecting a little here, or depending on your office maybe I&#8217;m not) comes in, cleans it out and dusts your desk off.  You know how they get in: either they have a key or the guards open the doors for them.</p>
<p>I know that at one company I worked at, everyone who had an office would be gone by 7pm.  At about 9pm the security guards would come around and unlock every single office, from the lowest manager to the highest C level exec.  I know this because I worked swing shift there as a Database Engineer for several years (pretty much every department except for Marketing was staffed 24&#215;7, 365 days a year).  After the guards would open the offices, the cleaning crew would come through and clean all the offices, empty the trash, etc.  Some offices had a window to the inside of the building, some didn&#8217;t.  Most had blinds that could be closed for privacy.  Lots of people had only a laptop, many of which were left at the office on weeknights, and many people had a desktop.  I would say that 80% of offices had a computer in them at night.</p>
<p>How hard would it be for an outside person to pay someone from the cleaning crew $5000 to get them to copy some data to a USB drive, or infect the network with a virus?  That&#8217;s probably more than most people on the cleaning crew make in a month, for just a few minutes of work.  To most people, especially in this economy, this would probably be too much money to pass up.</p>
<p>If a competitor (or an employee, for that matter) wanted access to data that was private, and we didn&#8217;t have a policy in place to automatically lock the computers, it would have been a piece of cake for someone to sit at a desk and download all sorts of confidential data from the person&#8217;s computer.  All without anyone knowing about it.</p>
<p>Fortunately, at this company we had a policy which required the computers to lock themselves, but many smaller companies don&#8217;t enable this feature for one reason or another.</p>
<p>If your computer isn&#8217;t locked when you get to work in the morning I urge you to talk to your IT staff and have them enable auto-locking on the company computers.  It&#8217;s a slight annoyance to have to unlock your computer in the morning, but it&#8217;s much better than having someone walk in and simply take all your personal and corporate data.</p>
<p>Denny</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityfightclub.com/keep-those-workstations-locked/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>What’s the difference between encrypted data and hashed data?</title>
		<link>http://itknowledgeexchange.techtarget.com/sql-server/whats-the-difference-between-encrypted-data-and-hashed-data/</link>
		<comments>http://itknowledgeexchange.techtarget.com/sql-server/whats-the-difference-between-encrypted-data-and-hashed-data/#comments</comments>
		<pubDate>Tue, 15 Sep 2009 23:48:11 +0000</pubDate>
		<dc:creator>SQL Server with Mr. Denny &#62; Security » Security</dc:creator>
				<category><![CDATA[Data Loss]]></category>
		<category><![CDATA[Data Management]]></category>
		<category><![CDATA[Databases]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Hashing]]></category>
		<category><![CDATA[Syndicated]]></category>
		<category><![CDATA[Database]]></category>
		<category><![CDATA[Database security]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[SQL Server with mrDenny]]></category>

		<guid isPermaLink="false">tag:itknowledgeexchange.techtarget.com://cd3f182395a3b899fc859e702e189ed0</guid>
		<description><![CDATA[The biggest difference between encrypted data and hashed data is that encrypted data can be decrypted later.  Hash algorithms such as MD5 are one-way hashing algorithms, which means that the value that is returned can't be decrypted back to the original value.

It is important to know the difference between ...]]></description>
			<content:encoded><![CDATA[The biggest difference between encrypted data and hashed data is that encrypted data can be decrypted later.  Hash algorithms such as MD5 are one-way hashing algorithms, which means that the value that is returned can't be decrypted back to the original value.

It is important to know the difference between ...]]></content:encoded>
			<wfw:commentRss>http://www.securityfightclub.com/what%e2%80%99s-the-difference-between-encrypted-data-and-hashed-data/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why should the DBA care about Network Firewalls?</title>
		<link>http://itknowledgeexchange.techtarget.com/sql-server/why-should-the-dba-care-about-network-firewalls/</link>
		<comments>http://itknowledgeexchange.techtarget.com/sql-server/why-should-the-dba-care-about-network-firewalls/#comments</comments>
		<pubDate>Tue, 18 Aug 2009 23:48:11 +0000</pubDate>
		<dc:creator>SQL Server with Mr. Denny &#62; Security » Security</dc:creator>
				<category><![CDATA[Firewalls]]></category>
		<category><![CDATA[SQL Server]]></category>
		<category><![CDATA[Syndicated]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[SQL Server with mrDenny]]></category>

		<guid isPermaLink="false">tag:itknowledgeexchange.techtarget.com://7060d8e67aa2a64df3a3260bac06b79a</guid>
		<description><![CDATA[All too often I see people online asking some sort of question about connecting to their CoLo'ed SQL Server and they connect directly over the Internet.  This is nuts, people.  If you can access your SQL Server via Management Studio from anywhere on the Internet, so can people who would ...]]></description>
			<content:encoded><![CDATA[All too often I see people online asking some sort of question about connecting to their CoLo'ed SQL Server and they connect directly over the Internet.  This is nuts, people.  If you can access your SQL Server via Management Studio from anywhere on the Internet, so can people who would ...]]></content:encoded>
			<wfw:commentRss>http://www.securityfightclub.com/why-should-the-dba-care-about-network-firewalls/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Is there a post-it note under your keyboard?</title>
		<link>http://www.securityfightclub.com/is-there-a-post-it-note-under-your-keyboard/</link>
		<comments>http://www.securityfightclub.com/is-there-a-post-it-note-under-your-keyboard/#comments</comments>
		<pubDate>Wed, 15 Jul 2009 23:05:08 +0000</pubDate>
		<dc:creator>mrdenny</dc:creator>
				<category><![CDATA[Passwords]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Passphrase]]></category>

		<guid isPermaLink="false">http://www.securityfightclub.com/?p=11</guid>
		<description><![CDATA[Companies love requiring their employees to have long complex passwords.  Those of us in IT do this to protect the network from users having passwords which are too easy to guess.  The problem with requiring these long passwords is that they become very hard to remember very quickly.
The most common way for people to remember [...]]]></description>
			<content:encoded><![CDATA[<p>Companies love requiring their employees to have long complex passwords.  Those of us in IT do this to protect the network from users having passwords which are too easy to guess.  The problem with requiring these long passwords is that they become very hard to remember very quickly.<span id="more-11"></span></p>
<p>The most common way for people to remember their passwords is to write them down.  The most common place to store these passwords that have been written down is under the keyboard.  I&#8217;ll bet if you walked around the company you work for at night (especially in a non-technical part of the company) and started flipping keyboards over, you&#8217;d find a bunch of people&#8217;s passwords.</p>
<p>While some of these people may not have access to information which is all that important, I&#8217;ll bet a few people that you&#8217;ll run across have access to some interesting stuff.  (For the love of god, don&#8217;t start using their passwords; that&#8217;s just asking to get fired.)</p>
<p>Some middle ground needs to be found between passwords which a 3-year-old can guess, such as &#8220;password&#8221;, and 30 character passwords that have to be reset every day because the person can&#8217;t remember their password.</p>
<p>The easiest way to create a secure, yet easy to remember, password is to use a passphrase instead of a password.  There are a couple of different ways to do this.</p>
<ol>
<li>Use an entire phrase just without the spaces.  Make sure to use caps where needed, and stick a number or two in there so that it meets the requirements.  This will give you a nice long password that is hopefully easy to remember.  Something like &#8220;ThisIsMyR3allyL0ngPassword-No1CanFigureItOut&#8221; is perfect.  It&#8217;s very long, has numbers, upper and lower case letters, and a symbol.  And when your auditor comes by asking how long your password is, you can tell him 44 characters.</li>
<li>The second technique is to take a song lyric or line from a poem and use the first letter of each word.  Now be sure not to actually say the phrase out loud, since it won&#8217;t take long for someone to figure out what you are using for your password.  After you have your phrase, stick a couple of numbers in there and make some letters upper and lower case and you are done.  As an example, if I were to use the title of this article as a password it could be &#8220;Itap-1nuyk&#8221;.  It&#8217;s still easy for me to remember, but no one else will remember it.</li>
</ol>
<p>When using these sorts of long secure passwords you protect not only your company but yourself.  Everything you do at work is traceable by the company, which means that anything that someone else does when logged into the company network as you can be tracked as well.  While this is good, it means that because your username and password were used to access the network, it is assumed that everything which was done was done by you, and you&#8217;ll be the one getting in trouble for whatever the other person did.</p>
<p>Protect yourself, protect your company.  Use a long password, but don&#8217;t write it down.</p>
<p>Denny</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityfightclub.com/is-there-a-post-it-note-under-your-keyboard/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
	</channel>
</rss>
