
The intern: a spy's best find

Hi, Habr.

I am a student in the “Information Security of Automated Systems” programme, and it so happens that I genuinely care about information security. I am well aware that in this field, besides knowledge of the GOST standards, assorted regulatory documents, technical skills, English, self-confidence and so on and so forth, I will also need work experience, and since I came of age I have been looking for every possible way to get it. Since nobody will simply hand the security of their company to a student, and consulting work wants at least a full-time specialist, I decided to join a company as an ordinary intern and, from there, to develop, make contacts and connections, meet interesting people and so on. After all, experience is rarely superfluous.

So at the moment my nth internship at my nth company is coming to an end. All of the companies were Russian, which is probably an important clarification. Each of them developed some kind of software responsible for security. Having worked at each of them, I cannot put out the fire in my chest that flared up when I looked at the state of their corporate security. You would be right if, after reading this, you say that it is just youthful maximalism, that I want to achieve the ideal, that information security is in general very boring and it is more interesting to be a programmer, and so on. I will say at once that at all of these companies my duties consisted of testing various products. It was stipulated at the interview that, to begin with, I only wanted an internship.
Now that that is out of the way, let's begin.

What follows is a list of what seem to me to be gross violations of corporate security standards. Perhaps, for lack of experience in this field, my opinion is wrong. I will pay close attention to any comments and criticism on this.

1) At every place I worked, I had free or almost free access to the Internet, to all resources, and the same freedom to download and install any software. No employee-monitoring systems were installed.

2) At every place I worked, there were no clear instructions for creating and storing passwords. It went as far as this case:

I needed a document that was on a manager's computer. The manager was on vacation at the time, and I was advised simply to call him to find out his password (everyone had logins of the form n.surname). After taking a long time to remember who I was, he gave me his password anyway. After that, none of the employees, including the deputy head, watched what I was doing on that computer. This was on a Friday. On Monday the manager came to work and did not change the compromised password. Interestingly, this password was also the one for his mail (there was no two-factor authentication) and for his account on the internal portal.

3) At every place I worked, you could use any recording device, copy any files, and likewise send them by mail. Perhaps the truly important files and documents that would have been blocked simply did not exist. But everything concerning technical requirements, bug descriptions and features was quietly passed around by mail.

4) At some workplaces, records of discs, Rutoken devices, removable drives, monitors, routers and other hardware taken into use were not properly maintained. More precisely, although there was a person who was supposed to record such things, he simply provided a cabinet and asked for an email. Moreover, after using something, the employee returned the item to the cabinet. So all you would need to do is put your own disc or flash drive into the cabinet when returning something, labelled in the same way, like “product number n, build No. m”. Antivirus, by the way, was not installed anywhere either.

5) CCTV and access control. In one place they had not heard of cameras; the line was that everyone trusts everyone. The one camera was at the entrance. In another place cameras were much loved and shoved everywhere, with absolutely no thought for the fact that the person who watched all of this had nothing to do with the company and could follow who was doing what. There were no privacy films or filters on the monitors. As for the access control system, that is where the human factor comes in. Many times, having just started at companies with a staff of more than 100 people, I had the door, which opened with a key card, held open for me. I do not think all of those people knew me.

6) The server room. At one place of work the key was issued against a signature. Yes, yes, an ordinary key. Just sign for it. And yes, even to me, an intern. Go and make a copy of it, right? In that server room, by the way, there were no cameras. At another office the server room simply stood open all day for everyone. And no, there were no cameras either in the corridor or in the server room itself.

7) The password for internal system folders, for the “god mode” in the software being developed and for a few other things was one and the same.

8) Meeting rooms were open, they were not checked in any way before interviews (and interviews were frequent almost everywhere), and there was clearly no sound insulation.

9) Also, in one of the companies, information about lawsuits was found completely by accident.

10) There was an incident in which a financial report was mailed to all employees.

11) While moving offices, one of the companies lost a box of universal personal identifiers, which potentially gave access to any piece of hardware being developed at that time.

Of course, there is the information security principle that you do not need a hundred-metre wall and barbed wire to protect information about employees' birthdays, and that all methods and solutions should be economically justified. But, I repeat, all of these companies were developing software that is supposed to provide that very security.

At the end of each internship I looked for a way to talk to the person responsible for information security at that company. Not at all in order to show him he was wrong, just to talk and ask questions. In most cases the managers brushed it off and said that nobody needs their company's data anyway. After a couple of years the audits had become lazy. And as for what they actually do here... nobody gave me a clear answer to that question. Perhaps, then, they are there as guards, to keep such secrets. Perhaps Russian companies simply need to have their information stolen first. And it is in our mentality to insure a house only after it burns down.

In any case, I hope there are Russian companies that do care about the safety of their data.

Thanks for your attention. It will be very interesting to read your thoughts.

Source: https://habr.com/ru/post/306066/
