Change mentalities
Beware old-school administrators.
I was talking with the network technician of a Canadian-American enterprise that works in the field of technical didactic material, such as didactic aeration systems, radar systems, etc. This is a small enterprise of approximately 215 employees that has existed for more than 45 years. I was stupefied when I learned that every employee of the enterprise shared the same email password. There was only one password, known by a few key people such as administrators and network technicians. The password is saved by the email client software for future email retrieval. If you have a problem with your email client and need the password to get your emails, you only need to ask a technician to come to your workstation and let him enter the global email password.
After this astonishing exposé, I asked myself, “Why?” Why are they using a single password to retrieve the emails of every employee, from the secretary to the chief of software development? I was not able to answer this question, which is why I asked the tech. His answer was unbelievable: “I know Fred, it’s crazy, but the answer is simple: it’s because the administrators say that it has always worked this way and it will always work like this as long as they are here.” This situation can lead to two important threats: the privacy of employees and the gathering of crucial information by insiders. First, keep in mind that in both cases an insider can easily get the password by crashing his email client software, installing a key logger on the computer and calling the tech to let him enter the password. He can also simply watch the keyboard while the tech is typing the password.
Once the insider has the password, he can retrieve the emails of any employee of the enterprise. That is the threat to privacy. He can easily retrieve the emails of the beautiful blond secretary and learn more about her to know how to woo her. He can also send emails from the email address of any employee, boss included. That is the threat to critical information gathering. Think about it: the insider is working as an industrial spy for a competing enterprise. He needs the latest and most crucial fiscal information of the enterprise. He just has to log on to the mail server as the president of the enterprise (who has the same password as he does) and send an email to the chief of the fiscal division asking for this information. Afterwards, he only has to wait and check the emails on this account (the president’s) every minute to retrieve the requested information.
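What makes this scenario so hard to catch is that the mail server sees a perfectly valid login; the only trace a shared password leaves is that one workstation starts opening mailboxes that are not its owner’s. As an added illustration (this is not code from the original post, and the enterprise in the story had nothing of the sort), here is a small Python detector that reads mail-server authentication logs and flags exactly that symptom: a single client host authenticating as several distinct mailboxes inside a short window, and a single mailbox being opened from several hosts. The log format, host addresses and user names are constructed for the example.

```python
"""Detect the symptom of a shared mailbox password in mail-server auth logs.

Hypothetical, constructed log format (assumed for this example; not the
format of any real server):
    <ISO timestamp> LOGIN user=<mailbox> host=<client ip>
With one password for every mailbox, any workstation can log in as any
employee; the measurable trace is one client host authenticating to many
distinct mailboxes in a short window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"LOGIN user=(?P<user>\S+) host=(?P<host>\S+)$"
)

# Constructed sample log: one insider workstation (10.0.5.77) opens the
# president's and the fiscal chief's mailboxes besides its owner's (jdoe).
SAMPLE_LOG = """\
2005-06-14T09:00:12 LOGIN user=secretary host=10.0.5.12
2005-06-14T09:01:40 LOGIN user=president host=10.0.5.2
2005-06-14T09:02:05 LOGIN user=jdoe host=10.0.5.77
2005-06-14T09:03:30 LOGIN user=president host=10.0.5.77
2005-06-14T09:04:11 LOGIN user=fiscal.chief host=10.0.5.77
2005-06-14T09:05:55 LOGIN user=jdoe host=10.0.5.77
2005-06-14T09:07:20 LOGIN user=fiscal.chief host=10.0.5.40
"""


def parse(log_text):
    """Return a time-sorted list of (timestamp, user, host) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed format
        events.append((datetime.fromisoformat(m["ts"]), m["user"], m["host"]))
    events.sort()
    return events


def hosts_with_many_users(events, window=timedelta(minutes=10), max_users=1):
    """Map host -> sorted mailbox names for every host that logged in as more
    than `max_users` distinct mailboxes within some sliding window of `window`.
    A legitimate workstation normally opens a single mailbox."""
    per_host = defaultdict(list)
    for ts, user, host in events:
        per_host[host].append((ts, user))
    flagged = {}
    for host, logins in per_host.items():
        best = set()
        start = 0
        for end in range(len(logins)):
            # shrink the window from the left until it spans at most `window`
            while logins[end][0] - logins[start][0] > window:
                start += 1
            users = {u for _, u in logins[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) > max_users:
            flagged[host] = sorted(best)
    return flagged


def users_from_many_hosts(events, max_hosts=1):
    """Map mailbox -> sorted hosts for every mailbox opened from more than
    `max_hosts` distinct client hosts (the president's mailbox being read from
    a workstation that is not his)."""
    per_user = defaultdict(set)
    for _, user, host in events:
        per_user[user].add(host)
    return {u: sorted(h) for u, h in per_user.items() if len(h) > max_hosts}


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("hosts opening several mailboxes:", hosts_with_many_users(ev))
    print("mailboxes opened from several hosts:", users_from_many_hosts(ev))
```

Both checks are only heuristics: a technician fixing several workstations in a row, or an employee reading mail from two machines, will trip them too. Their value is that they turn the shared-password problem into something visible on a dashboard, which is usually a more persuasive argument for administrators than an abstract threat.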
The source of the risk is clearly the administration’s old habits and refusal to change. Nevertheless, how can we change the mentality of administrators? Keep in mind that they are not IT security gurus and may lack security awareness for lack of interest or simply for lack of knowledge in the domain. The best way is probably to educate them about the problem and show them which threats the situation can lead to.
© Copyright 2005 FredOnSomething.