I have always had a keen interest in security. In the 5-plus years that I have been working full time as an IT professional, I have never found this to be a forte in any of the organizations I worked for.
Granted, running a “FULL BLOWN” security policy generally affects productivity and causes more problems than benefits. But can we please stop behaving like our data is not important and that simply password protecting it will do the trick?
About 2 years ago I worked for a BIG company that resides here in town. I was an IT consultant on a part-time basis, subcontracted under RANDSTAD, and was only supposed to work there for 3 to 4 months or until my project was completed.
I was deploying a brand new GIS application they had developed. I was in charge of “touching” every machine that was going to have this app installed and making sure that it ran smoothly. I had no need for FULL SYSTEM ACCESS nor the desire to have it. The first day I walked into the company I was handed the keys to the palace: “The System Administrator Credentials”. I am not talking about local machine administrator or a simple sysadmin for a select few clients. This was the “MOTHERLODE” of all access privileges, ranging from simple network access to FULL data query / modify access. I had access to the internal systems and the CRM software they ran.
Needless to say, I never bothered to venture into any of this because I was hired as an application consultant and that is what I was there to do. But at the same time I was appalled that they had handed me such permissions without even running a simple background check. Had I been someone else, I could have inflicted severe damage to their systems and data; I could have sold customer records and done a million other things.
When I was in college I took several security classes with Dr. Layne Wallace, and one of the many things he always stressed was “DO NOT GIVE FULL ACCESS TO CONTRACTORS”; you never know what someone can or will do. If you must give full access for a particular reason, make sure said person has been scrutinized back and forth in regards to their integrity, work ethic and background.
The building where this company resides is a “secure” location, meaning that in order to get in or out of it you need a special credential (an access card). I cannot tell you the number of times I got into the building by simply tailgating someone (a common social engineering tactic). No one bothered to ask me for ID or to even look at me twice. I would go up to the main server room without being noticed, and when I was noticed, most of the time people would simply greet me.
I do not know if this company has ever had a security breach or if they are just lucky. All that I know is that if someone has a grudge against them, they could do a lot of damage. Most of their flaws are very easy to fix; with appropriate training, all of the above things could be managed. But no one seems to notice or care. I guess we will have to wait until something happens.