Six Horrible Security Mistakes

Published on Oct 16th, 2010 by


Horrible security mistakes that could have been avoided by better management, both practical and cultural.

I’ve collected a few real-life examples that show how vulnerable companies are to confidentiality breaches when nobody pays proper attention to them.

Try googling for confidentiality disclaimers such as “this document is confidential”: everyone whose files turn up fucked up really badly. Those results are public files that were supposed to stay confidential, found with nothing more than a search for the disclaimer text they carry. The disclaimer does nothing to protect a document; it only makes the document easier to find. Add your company name to the end of the search query if you’re curious, who knows what you might find.
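The same trick works as a self-check before anything lands on a public web server. The script below is an added example, not part of the original post: it scans a set of documents for common disclaimer phrases and reports which files carry them, and it builds the kind of exact-phrase search query the post describes. The phrase list, the sample documents and their paths are constructed for the example and are assumptions, not data from the post.

```python
import re
from pathlib import Path
from typing import Dict, List

# Disclaimer phrases that usually mark a document as not meant for publication.
# This list is an assumption for the example; extend it with your own wording.
MARKERS = [
    "this document is confidential",
    "strictly confidential",
    "not for distribution",
    "internal use only",
    "do not distribute",
]

# One case-insensitive pattern; each phrase is escaped so punctuation is literal.
_PATTERN = re.compile("|".join(re.escape(m) for m in MARKERS), re.IGNORECASE)


def google_query(marker: str, company: str = "") -> str:
    """Build the search string the post describes: an exact phrase, optionally
    followed by a company name. Illustrative only; it does not run the search."""
    query = f'"{marker}"'
    if company:
        query += f" {company}"
    return query


def find_confidential_markers(docs: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each document path to the sorted, de-duplicated list of marker
    phrases found in it. Documents with no marker are left out."""
    hits: Dict[str, List[str]] = {}
    for path, text in docs.items():
        found = {m.group(0).lower() for m in _PATTERN.finditer(text)}
        if found:
            hits[path] = sorted(found)
    return hits


def scan_directory(root: str, suffixes=(".txt", ".md", ".html")) -> Dict[str, List[str]]:
    """Scan text-like files under a web root. Binary formats (PDF, DOCX) need
    text extraction first; they are skipped here."""
    docs = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes:
            docs[str(p)] = p.read_text(errors="ignore")
    return find_confidential_markers(docs)


# Constructed sample "web root" contents (not real files).
SAMPLE_DOCS = {
    "/var/www/html/press/q3-release.txt":
        "Quarterly earnings release. For immediate publication.",
    "/var/www/html/uploads/board-pack.txt":
        "Board pack, Q3.\nTHIS DOCUMENT IS CONFIDENTIAL and not for distribution outside the board.",
    "/var/www/html/docs/onboarding.txt":
        "Welcome guide. Internal use only - please do not forward.",
}

if __name__ == "__main__":
    print(google_query("this document is confidential", "Example Corp"))
    for path, phrases in find_confidential_markers(SAMPLE_DOCS).items():
        print(f"{path}: {', '.join(phrases)}")
```

Run `scan_directory("/var/www/html")` against a real document root to get the same report for files that are actually published. The phrase match is a heuristic: it flags the two sample files that carry a disclaimer and ignores the press release, but a document can be confidential without saying so, so treat a clean result as a hint rather than a clearance.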

It’s all about awareness.

Read on for some quotes from other professionals; everyone’s anonymous so I won’t compromise them. I hope you recognise yourself.

Watch those account credentials: “I once found the full credentials of the Exchange account of someone in my management on a scrap of paper. Logged in once to see if it worked; it did. Afterwards I did nothing with it. You want it?” — Anonymous Sales Representative

Patent submissions are not to be printed on public printers: “I found a full patent submission from a research department on a public (!) printer … twice, at different companies. I guess my integrity kept me from being filthy rich by now.” — Anonymous Freelance Developer

Keep contracts safely locked away: “At one of my clients, while I was doing consultancy work, I found my own contract just lying on a public desk for anyone to see; it even had appendixes I was not even aware of myself. Very interesting, to say the least.” — Anonymous Outsourced Project Manager

Clean up after those fancy board meetings: “Found a full year report in a meeting room once, the earnings release of the company was only due in a month.” — Anonymous Solution Architect

Shared accounts for lazy managers: “There was a situation where my team and I could use a temporary shared account for access to a company’s intranet. It soon became clear that the account was coupled to the personal Exchange account of a VP and we had full access to all his private network drives. The things we had access to were absolutely unbelievably secret, certainly for the type of company where this happened. Just so you know, we reported this immediately (only after briefly considering selling to the highest bidder).” — Anonymous Project Manager

Keep your offices tidy and educate people in the tools they use.

There’s an ethical element here too. How people react in this kind of situation is shaped by company culture, so tell your team members what to do when they find something that shouldn’t be public, and make them conscious of the risks.
