What are the worst security nightmares you’ve ever encountered with a client or prospective customer? The IT Security Community shared several stories of what are essentially good people doing basically the wrong things (sometimes quite badly) with their data and network protection. After detailing their tales of horror and what they did (or could not do) to rectify the situation, the audience voted on the worst of the worst.
Victor Johnston of Johnston IT Consulting won the day with his tale of a college campus where he was an adjunct faculty member. As a security professional, he noted the college was running computers without active anti-virus or firewall protection in place, and with no USB policy ─ he even noted a keystroke logging dongle had been attached to one device. Instructors used the same passwords for virtually every system. After approaching the administration with his concerns, he was told “IT is not our priority.” Johnston even emphasized that “you bought the program; it simply hasn’t been properly implemented.”
His problem was that no one at the school accepted security as an issue they needed to take care of. As an IT professional, he felt it necessary to document the issues and obtain an email trail that acknowledged the admin team knew there was an issue and was not properly addressing it. When you consider that students and financial aid employees use these systems with no protective measures in place, corrective action needs to take place. Of course, in this case, that was not done, but as an IT security professional, Johnston reminded the audience to “cover your butt” when you see issues ─ even when your company doesn’t get the contract.
Chris Johnson of Untangled Solutions discussed a company that was paying for block time that was not being consumed. During an onsite visit at this financial institution, his team found out the client’s last backup was in 2014, the CEO was using sticky notes for passwords, there was no drive in the NAS and a host of other protection concerns. Following the conversation, the company sent Untangled Solutions all their banking info by email ─ including routing and credit numbers (unsolicited).
Johnson used a new tool to illustrate the severity of the issues. “We used the CompTIA IT Security Wizard to show our client what their vulnerabilities were. Using this program, we were able to show the company the true risks of not having a firewall properly configured, as well as all the other things a financial institution needs to have in place at all times.”
Eric Pinto of Relyez shared the “retail therapy” horror story of a small flower shop (a typical SMB organization). The owner kept a file of vital client account information on her desktop so that she could provide quality customer service. That old-school management process left her customers’ information (birthdays, personal data and credit information) susceptible to theft.
Nick Stricker of ESPO Systems gave a “back to the future” review of email security vulnerabilities, focusing on the Dridex Malware Crew, which targets financial credentials using an old-school campaign. These security threats use malicious macros inside Word files to seek out finance departments’ bank account credentials. The subject line generally leverages financial terms; once the macro runs, it drops files, modifies registry settings and sends all that data home (typically to some remote location in Russia). According to Stricker, antivirus detection is generally very poor at catching these threats. He recommends file sandboxing, which seems to be the only current solution capable of addressing these threats.
What client (or prospect) horror stories have you encountered? The IT Security Community would love to know. Learn more about the IT Security Community.