Horrifying IT\business practice

Exterous

Super Moderator
Jun 20, 2006
We were asked to help an organization with their VPN issues as the available bandwidth was too limited for people to really be able to work remotely. While going over things we found out that their workaround (for the past 9 months) was to buy a bunch of portable hard drives and hand them out - none of which were secured. (Or ever backed up, which is its own issue.) So they had a bunch of HR\Finance\etc people running around with bank account numbers, several thousand SS numbers, HR files, etc. completely outside any sort of access control. They were worried about losing one so they were setting up a SharePoint site and put a bunch of those same files on it but didn't devote resources to the project. When they encountered a problem they just turned on anonymous access to resolve it....

So the update today is that they aren't going ahead with improving the VPN program. We passed along other recommendations like SECURE THE GODDAMN INFORMATION and they said they would 'look into it'

I talked to one employee and she said she asked about securing SS numbers on her drive and was told by IT "Well, you'd have to enter a password every time you want to open the folder and I think that would be pretty annoying so I wouldn't recommend it". I've never seen a group of IT and Managers so cavalier about securing this sort of information. The lack of concern over other people's personal information was horrifying.
 

Kaido

Elite Member & Kitchen Overlord
Feb 14, 2004
Run a DLP like Spirion on their network & then show them this:

http://www.zdnet.com/article/unsecured-servers-at-new-york-airport-left-exposed-for-a-year/

It seems like every other month there's a news story of a Federal laptop getting stolen & unencrypted data being released into the wild. Companies are nuts. People are crazy. Unfortunately there aren't, like, rock-solid standards for stuff like PII or PHI & not only are those things rarely enforced, but they are also rarely (truly) audited, so it's no wonder so many companies get hacked. Just look at IoT security...some university's vending machines got used against them recently, haha:

http://www.zdnet.com/article/how-iot-hackers-turned-a-universitys-network-against-itself/
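Kaido's DLP suggestion, as an added example that is not from this thread or from any DLP product: a small Python discovery scan that walks a folder (such as a mounted portable drive), looks for SSN-shaped values and Luhn-valid card numbers, and reports per-file counts rather than the values themselves. The file names and the sample text are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# US SSN shape: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits optionally separated by spaces or dashes; Luhn-checked below.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; drops random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pii(text: str) -> dict:
    """Return SSN matches and Luhn-valid card candidates found in a text blob."""
    ssns = SSN_RE.findall(text)
    cards = [re.sub(r"[ -]", "", m.group()) for m in CARD_RE.finditer(text)]
    return {"ssn": ssns, "card": [c for c in cards if luhn_ok(c)]}

def scan_tree(root: Path) -> list[tuple[str, int, int]]:
    """Walk a directory and report (file name, SSN count, card count) per hit."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            hits = find_pii(path.read_text(errors="ignore"))
        except OSError:
            continue
        if hits["ssn"] or hits["card"]:
            findings.append((path.name, len(hits["ssn"]), len(hits["card"])))
    return findings

# Constructed sample: one SSN, one Luhn-valid card, one Luhn-invalid number, one phone.
SAMPLE = """Jane Doe, SSN 123-45-6789, phone 555-123-4567
Card on file: 4111 1111 1111 1111 (expires 12/29)
Typo'd card 4111 1111 1111 1112 fails the Luhn check
"""

def demo() -> list[tuple[str, int, int]]:
    with tempfile.TemporaryDirectory() as tmp:  # stand-in for a mounted drive
        (Path(tmp) / "hr_export.csv").write_text(SAMPLE)
        (Path(tmp) / "readme.txt").write_text("nothing sensitive here")
        return scan_tree(Path(tmp))
```

Running demo() reports only hr_export.csv, with one SSN and one card number; the phone number and the Luhn-invalid number are ignored.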
 

PottedMeat

Lifer
Apr 17, 2002
There's no real penalty for losing someone else's info, is there?

<loses customer CC/SS ID info>
"Give 'em 6 months credit monitoring and we're in the clear"
<managers all high five>
 

Kaido

Elite Member & Kitchen Overlord
Feb 14, 2004
The lack of concern over other people's personal information was horrifying.

Also, IME, people only care in one of two situations:

1. They personally care about doing a good job.

2. They are paid to care (i.e. it's their job & they get audited, so they have to).

Many companies don't take security seriously & don't pay anyone to take it seriously, and don't have anyone who cares enough otherwise to take it seriously. OP's situation is more the norm than most people realize.
 

ponyo

Lifer
Feb 14, 2002
Also, IME, people only care in one of two situations:

1. They personally care about doing a good job.

2. They are paid to care (i.e. it's their job & they get audited, so they have to).

Many companies don't take security seriously & don't pay anyone to take it seriously, and don't have anyone who cares enough otherwise to take it seriously. OP's situation is more the norm than most people realize.

Sounds like lucrative small business opportunity to me.
 

Kaido

Elite Member & Kitchen Overlord
Feb 14, 2004
There's no real penalty for losing someone else's info, is there?

<loses customer CC/SS ID info>
"Give 'em 6 months credit monitoring and we're in the clear"
<managers all high five>

Yes & no. There's insurance to cover data theft now. Most customers don't really care, based on their reactions. I mean, look at the world post-Snowden...most people haven't even changed their passwords, let alone turned on 2FA. Or opt not to use their real personal information for security questions...
 

Exterous

Super Moderator
Jun 20, 2006
Many companies don't take security seriously & don't pay anyone to take it seriously, and don't have anyone who cares enough otherwise to take it seriously. OP's situation is more the norm than most people realize.

There's no real penalty for losing someone else's info, is there?

I've seen places that don't really care that much but this is the first place I've seen where they don't even pretend to care.
 

Kaido

Elite Member & Kitchen Overlord
Feb 14, 2004
Sounds like lucrative small business opportunity to me.

You would think so, but convincing companies that they need security can be...difficult. I left one job partially because they refused to purchase antivirus for their computers (which later came back to bite them & took down their entire network for days). Remember the movie Sneakers, where they infiltrate banks & stuff? Yeah. Some companies take it seriously. And of course, no company is truly safe...just look at Apple's iCloud photo leaks from a year or two ago, and they're a huge company with a massive team of security engineers. The Mr. Robot show is scarily accurate sometimes.
 

Zorba

Lifer
Oct 22, 1999
My last company used standard passwords for everyone, so anyone could log into your computer. Nothing on the network was secured, so I was able to look at everyone's salaries, etc. Pretty sure the wireless used the default password as well.

Not to mention everyone had full admin rights to their computers. But we did have the free trial version of Norton.

Although it was also a 50 person company.
 

Carson Dyle

Diamond Member
Jul 2, 2012
Tip of a very large iceberg. Not surprising.

Thing is... There are few repercussions to them if someone loses a drive and someone makes use of the information. Without an expensive investigation, nobody compromised knows where the data came from. And, in reality, if someone does lose a drive, the chances of anyone using that information are fairly small.

So, you can say that this company that doesn't give a shit about security really _needs_ that security. But for their own protection? Not really.
 

Kaido

Elite Member & Kitchen Overlord
Feb 14, 2004
I've seen places that don't really care that much but this is the first place I've seen where they don't even pretend to care.

Barring individuals within the organization who personally care, it's all management-based. If management doesn't take it seriously & assign people to handle it, then the company culture won't follow suit because being lax is easy when you're not required to do anything. It's awful, especially when you think about (1) where all of your personal information is stored (banking, Facebook, online stores, medical places like doctors & dentists, etc.), and (2) how much of your browsing history is stored online through collaborative trackers that don't require cookies & share advertising information with other sites & vendors. The NSA & CIA tools work great because all of your information is already out there, just waiting for perusal. Scary stuff.
 

Kaido

Elite Member & Kitchen Overlord
Feb 14, 2004
My last company used standard passwords for everyone, so anyone could log into your computer. Nothing on the network was secured, so I was able to look at everyone's salaries, etc. Pretty sure the wireless used the default password as well.

Not to mention everyone had full admin rights to their computers. But we did have the free trial version of Norton.

Although it was also a 50 person company.

The number of companies that I've had to put on Windows Defender or Microsoft Security Essentials (assuming their computers are modern enough to run those) is ridiculous. I don't specifically handle onsite security, mostly just the hardware stuff, partly because so many companies make really poor choices about their internal security profile. At the very least, throw pfSense on your WAN, a free antivirus on your computers, and set up automatic Windows updates to restart your computers on a weekly basis. It's better than nothing, I guess.

I recently did an emergency job for a small biz that got a version of Cryptolocker on their server (not even the latest variant...sad). It was like a domino effect...they had gotten rid of their offsite backups because it was too much hassle to remember to take a hard drive home, so all of the backups were stored on a secondary internal drive. They had forgotten to renew the antivirus, so it was running naked (even the firewall was turned off, awesome). I don't know exactly what the attack vector was because the Cryptolocker installer ate itself after launching to run, but I suspect someone was surfing the Internet in incognito mode in the server "closet" to hide what they were doing. Oh, and no browsing tracker either, so no easily accessible historical logs to check that. Oh well. It paid for my shiny new meat grinder though, so there's that :D
 

Nashemon

Senior member
Jun 14, 2012
There's no real penalty for losing someone else's info, is there?

<loses customer CC/SS ID info>
"Give 'em 6 months credit monitoring and we're in the clear"
<managers all high five>
Buffalo State College had a vendor who ended up having a laptop stolen that had every student's personal information on it. They sent us a letter offering us free identity protection for 3 years. Great, I thought, until I read the fine print at the bottom that said the offer wasn't valid in New York State.
 

Exterous

Super Moderator
Jun 20, 2006
couldn't be much more dangerous than a briefcase with a cheap lock

Given the size of the data stored on the drives and that there were multiple years' worth of information, I think it would be closer to carrying your entire office file cabinet with you every day.
 

Exterous

Super Moderator
Jun 20, 2006
So, you can say that this company that doesn't give a shit about security really _needs_ that security. But for their own protection? Not really.

I would think that easily accessible HR files might leave the organization vulnerable to some sort of damage\liability. We're talking personnel files including any grievances\punishments\dirty laundry that's likely to exist in a decently sized organization.
 
Feb 25, 2011
I think you need to name names. If anybody here is doing business with that company, they need to know about this and stop immediately.
 

ThePresence

Elite Member
Nov 19, 2001
Wow.
I'm in Healthcare, so we have all kinds of HIPAA regulations and regular training for all employees.
Someone can easily lose their job for taking private info outside the company.
Sheesh.
 

chitwood

Golden Member
Aug 21, 2008
I had an interview for a company a long time ago, after the interview he gives me a tour of the warehouse and their IT facilities and their server room.

That was hilarious. I saw CAT5 cable draped over hand rails and down staircases. I saw one cable drooping across the middle of the warehouse like a big 50 ft smile. The "server room" was ONE server blade sitting on the floor connected to a switch and a UPS on a card table in the middle of the room.

I did not take that job.
 

OutHouse

Lifer
Jun 5, 2000
Funny, we just had our infosec meeting and a similar issue was discussed. If this company in the OP is in Washington state they would be in violation of state law (Washington state law RCW 19.255.010) and would have to be investigated, and the company would have to offer free fraud/identity theft services.

Pretty sure securing their shit would be a whole lot less expensive.
 

lxskllr

No Lifer
Nov 30, 2004
My last company used standard passwords for everyone, so anyone could log into your computer. Nothing on the network was secured, so I was able to look at everyone's salaries, etc. Pretty sure the wireless used the default password as well.

Not to mention everyone had full admin rights to their computers. But we did have the free trial version of Norton.

Although it was also a 50 person company.
I know everyone's password, but no one knows mine 'cause I set it up independently :^D

And you should hear the crying when someone has to use a password I set up. I set up a Mega account for sharing large files out of the office. The password is a lengthy sentence that reinforces good security practice. OMG, the tears :^D
 

smackababy

Lifer
Oct 30, 2008
There's no real penalty for losing someone else's info, is there?

<loses customer CC/SS ID info>
"Give 'em 6 months credit monitoring and we're in the clear"
<managers all high five>
More like: lost customer CC/SS info, wait until it's exposed a year later, then give them 6 months' monitoring.
 

Zorba

Lifer
Oct 22, 1999
I know everyone's password, but no one knows mine 'cause I set it up independently :^D

And you should hear the crying when someone has to use a password I set up. I set up a Mega account for sharing large files out of the office. The password is a lengthy sentence that reinforces good security practice. OMG, the tears :^D

Yeah, our passwords were first two letters of the first name, then 1234, seriously.