Information Security in the Office (pt.4)

This is part 4 of a short series looking at information security in the office. Here are links to parts 1, 2 and 3.

Information Security in the Office (pt.1) The Printer is the Issue

Information Security in the Office (pt.2) Forgotten Technology

Information Security in the Office (pt.3) Reliable Infrastructure

Today we are going to continue our look at infrastructure in the office and some of the basic mistakes that I have seen.

Information Security through Sensible Infrastructure

I think this article is just going to list some of the obvious infrastructure issues we have seen on sites over the years that could have seriously weakened the information security of the client.

  • Network equipment in plain sight and easily accessible. Enough said. In the past we had several clients who had their internet connection and associated hardware on display in the reception. At least put it in a cupboard with a lock on it.
  • Service technicians or even in-house IT staff who create very attractive “Dymo” labels that list the IP addresses, sub-nets and gateways for the devices in question.
  • I have not seen passwords stuck on devices – even in that most secret of places, underneath – but I would not be surprised if this was done as well to make life easier.
  • Devices where the password really was “password” – again done to make someone’s life easier.
  • A notebook which was kept in a locked equipment cabinet but listed all the devices and their configurations, including usernames and passwords, and even the server, gateway router and firewall admin credentials. This was done because the boss, who was not the IT person, did not like to feel he was not in control. That notebook was shredded, but not before it helped me with my IT and Cyber Security Audit.
  • The back-up drives clearly labelled with their contents, the software version that they were created with and the required credentials to open them. This was done by the previous IT company as part of their incident response plan for their ex-client.

Any of these mistakes could give a vital clue to a threat actor, allowing them, or someone to whom they pass the information, to compromise the information security of a system.

Keep the details secret

A good place to start when trying to keep a secret in your organisation is the “Principle of Least Privilege”, because the threat actor could be someone you work closely with every day (Toulas 2024a; Toulas 2024b). There is a link below to an extended explanation of this useful information security tool.

Next

Keeping things secret leads nicely on to who you can trust.


Clive Catton MSc (Cyber Security)

References

Toulas, Bill. 2023a. “Former IT manager pleads guilty to attacking high school network.” BleepingComputer, December 18. https://www.bleepingcomputer.com/news/security/former-it-manager-pleads-guilty-to-attacking-high-school-network/.

Toulas, Bill. 2024b. “Verizon insider data breach hits over 63,000 employees.” BleepingComputer, February 6. https://www.bleepingcomputer.com/news/security/verizon-insider-data-breach-hits-over-63-000-employees/.

Further Reading

The Principle of Least Privilege and Authentication, Authorisation and Accountability – A Primer

What is involved in an IT and Cyber Security Audit? | Octagon Technology