I read an article this week which was quite worrying. It centred around some research done by SailPoint and it asked the question: Would you sell your company password?
Apparently, one in five said yes! And for less than $1000!
Now, we always say to people: if you have a password for the domain, whether you acquired it by nefarious methods or are an employee, then you have the keys to the castle. If the user isn’t an administrator then, admittedly, the castle can seem more like a bungalow. However, even from a limited user account, many attacks are still possible. Just think about what your users have access to: company accounts, customer information, partner information, suppliers, contact details.
If this fell into the public’s hands, or your competitors’, what would that mean for your company’s image and bottom line?
Would your share price fall?
Would your competitors approach your clients?
Would they approach your suppliers for exclusivity?
You get the idea…
Obviously, securing user accounts to the point where they have to ask permission to open every single document, just in case they are malicious or someone has their credentials, is not the brightest idea. Every business carries a certain amount of assumed risk, and giving people access to the files they need to do their jobs is one of those risks.
But implementing tighter security controls which have a limited impact on productivity is a no-brainer these days. Implementing a password policy which forces the password to expire every 30 days is not going to harm productivity; it’s going to use up all of 30 seconds in someone’s work day.
Using software which controls the use of external media (USB Drives) can stop company data being removed (in bulk anyway!).
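The two controls just mentioned, as an added PowerShell example that is not part of the original post: it sets the 30-day expiry on the default domain password policy, lists the accounts that policy does not cover, and disables the USB mass-storage driver on a workstation. It assumes a Windows domain, the ActiveDirectory module (RSAT) and an administrative session; the length, history and lockout values are illustrative assumptions rather than settings the post prescribes.

```powershell
# Added example (not from the original post). Assumes a Windows domain, the
# ActiveDirectory PowerShell module and a domain-admin session. Thresholds
# other than the 30-day expiry are illustrative assumptions.

Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot   # the domain of the current session

# Record the current default domain password policy before changing it.
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object MaxPasswordAge, MinPasswordLength, ComplexityEnabled,
                  PasswordHistoryCount, LockoutThreshold

# Apply the 30-day expiry the post recommends, plus length, history and
# lockout settings that limit what a single leaked or sold password is worth.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MaxPasswordAge (New-TimeSpan -Days 30) `
    -MinPasswordLength 14 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# Check: enabled accounts flagged "password never expires" are untouched by
# the policy above and need reviewing separately.
Search-ADAccount -PasswordNeverExpires -UsersOnly |
    Where-Object Enabled |
    Select-Object SamAccountName

# Block USB mass storage on this machine by disabling the USBSTOR driver
# service (Start = 4). In practice this is pushed to every workstation via
# Group Policy rather than set host by host.
$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
Set-ItemProperty -Path $usbstor -Name Start -Value 4 -Type DWord

# Confirm the setting took effect (4 = disabled).
(Get-ItemProperty -Path $usbstor -Name Start).Start
```

Disabling USBSTOR only stops the mass-storage device class, which is exactly the "in bulk anyway" caveat above: phones in MTP mode, network shares and webmail are separate channels that a data-loss-prevention product, not this registry value, has to cover.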
I would expect a company of reasonable size to have decent protection for its network from outside attackers: email security, a next-generation firewall, a secure web proxy. However, most neglect internal attackers. In most penetration tests, this is what we aim for first. In most cases it’s futile trying to attack from the outside; why try to find vulnerabilities in outward-facing services when you can walk into the building and plug a computer in?
Most IT administrators will swear blind the company is secure from insider threats, but they are looking at it through tinted glasses and not through the eyes of an attacker, who will collate every bit of information they can find to build up a picture of the environment and attack it. This is why it’s always good to get quarterly or bi-yearly penetration tests.
Article link: http://www.securityweek.com/one-five-employees-would-sell-work-passwords-survey