Information security is all about trust. Who do you trust? For the true security guru, the answer is no one. You can trust no one and shouldn't try to.
Person-to-person trust is, in and of itself, the biggest threat to a company. If it weren't, there would be no Data Loss Prevention (DLP) market, there would be no access management systems, and there would be no need for encryption, passwords or tokens. Yet inside the walls of the company, hard security practices are set aside in favor of personal trust in the employees.
It seems that once someone gets inside the company and receives a paycheck, they are one of you. If you are thinking that way, then don't be surprised when your data is gone, either stolen or destroyed, when that user gets disgruntled. It doesn't have to be malicious activity either for a user to abuse their access; people take things from their employer all the time. The difference is that in the IT world, the business data is a little more valuable than a ream of printer paper or a box of pens someone takes from the supply cabinet.
In some of the places I have been, the level of access given to a wide range of people without proper checks or justifications is astounding. It really is surprising that there are not more major data breaches; maybe there are and they are just never detected, and people's information is being sold silently. Companies focus so much on protection from the big bad Internet and external Chinese or Russian attacks that, as a result, their internal security processes and measures are where the real holes are. Management trusts that the employees are doing the right thing, but are they? Can you trust every single person on your payroll? If not, why have you not tightened the security on the inside as you do externally?
One good example I use to put things into perspective came from a place I was in once. To get into the building you needed to go through a security background check, including bonding by the Department of Homeland Security, get your picture taken and put on a card, do a hand scan, and fill out paperwork for all the floors and data center rooms I needed access to. Excellent physical safeguards.
When I got to the server room, where a thousand servers sat, there were no locked racks and the admins could access every system as root/Administrator. No checks, no restrictions, free rein. Millions of dollars in building locks, not so much on the IT locks for the internal systems. A few thumb drives, a database export, and the entire customer base walks out the door to the highest bidder. All because they trusted the people that made it through the doors and trusted the non-employees that were escorted back there.
One last story about trust, and a company that didn't trust any of its employees. I had a contractor working for me a few years back. He was brought in and given the normal access, all checked and verified. About two months in he started doing odd things with the code: hooking together our two environments that didn't share data or users, adding odd authentication steps that made no sense. Things like that; we confronted him on it and removed it. Then one day I got a call from my manager asking me to get to the datacenter and escort this guy off the premises immediately. It turned out this guy had taken a high-powered WiFi access point and plugged it into the corporate, internal network. It was broadcasting a powerful signal that could be picked up a full city block away. That access point was attached to the bottom of his desk, way in the back. He exposed the entire network for reasons unknown. Had the company not been paranoid about WiFi access, they never would have had the detection stations all over the building that could triangulate where the broadcast was coming from. Had we trusted the guy like other companies trust their workers, who knows what damage would have been done or what data would have been stolen. Why would somebody do that?
Think about it next time you grant admin rights to someone: can I really trust this person?
End of Line.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming, system administration, and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.