Sep 13 2012
That’s right, for all my years in IT yesterday I was the victim of a vicious and deeply distressing incident. OK, a colleague changed my wallpaper while I was away from my laptop, so not a big deal – but it could have been. The act of locking ones desktop when you leave the keyboard is a simple one (the shortcut is WindowsKey + L) and I appear to have lost the habit due to working from home recently. At the time of the incident I did have a Gmail account open that I use to arrange speakers for my PASS chapter, if this had been an account that I used to order goods I may have had my passwords and corresponding email address changed without me knowing thereby causing me financial loss.
In my current role client data is not a problem as I do not have any confidential data on my laptop. However, if I were still a production DBA with access to numerous servers and left my laptop unlocked it could be a completely different story. A user could create themselves a new account, databases/objects could have been deleted and all of this could be traced back to me – you’re all using auditing right? Of course you are, you’re not? OK, maybe that’s another post for another time then…
Social hacking is the easiest way to get into a system and when I go onto client sites I am amazed at how easy it could be to gain information that would allow me access to a system from servers not having secure passwords to phone lists being left on desks. While this may not seem like a risk think about what this represents to someone who is unscrupulous. A phone list is a piece of paper that gives me the names of people in an organisation and a way to contact them. Most lists will probably also provide a job description further shortening my list of prospected targets. Armed with this knowledge I could call each and every one of them posing to be a member of IT and asking them if I can test how something works on their machine by using their username and password. Your average employee is hardly likely to question someone from IT and will probably attain the information they are after with minimal effort.
It’s highly unlikely that you will be able to guard against this kind of attack, think about the people that work in your organisation outside of your immediate department. In fact as an exercise I urge you to try this and see how you get on, forewarn your line manager that it’s a security check that you wish to try and let me know in the comments how you get on.
As an IT professional, there is only so much you can control and suggest as best practices when it comes to security. What you can do is ensure that in all of the systems that you have control over that users do not have elevated permissions.