After a friend bought me lunch today, he showed me around his workplace. During our walk, we stopped at the IT workbench area to see if the laptop he ordered for a new employee would be ready by Monday (I tagged along).
If you’ve worked in IT, you can picture the room…desktops and laptops stacked all over the place, some in various stages of reassembly, extra switches, cables galore, old bags of potato chips, and a corkboard pinned with an abundance of notices, notes, and pictures of hot rods and Star Trek crew members.
One neatly typed list on the board drew my attention. It was a list of accounts and passwords for several monitoring tools, 3rd-party websites, SharePoint data repositories, and test servers and applications.
Not only was the list visible from inside the room (which was pRotEcteD by a card reader), it was also visible (and readable) through the window in the door.
I quickly memorized a few accounts and passwords, and when we left the area, ducked into the bathroom and wrote them down.
Before I said goodbye to my friend, I asked him if he noticed anything interesting in the room, and when he said no (he’s neither an infosec guy nor an auditor), I showed him my list.
I had his passwords and ate his lunch too.