A couple of weeks into a new job, I was told that I was now in charge of the Internet firewall. I suddenly realized I had two major problems:
- I did not know squat about firewalls.
- I did not know the firewall password.
The good news part of the equation was that most of the firewall work was outsourced, so problem #1 would remain a secret for a while.
However, since I was in charge of the firewall and it was now laying across my sad shoulders, I needed the password in case something happened, and someone a lot smarter than me needed the password to fix something.
I soon discovered that the person from whom I inherited the firewall didn’t know the password either. Which meant I had two more serious problems:
- I was responsible for something outside of my control.
- If my predecessor didn’t know the password, that meant she hadn’t kept much of an eye on it, and it had problems of its own.
Being the enterprising person I am (pardon the pun), I emailed our support vendor and requested the firewall password. I explained that responsibility for the firewall was passed from my colleague (to whom I referred by name) to me.
Surprisingly enough, the next day I received the firewall account and password…
- In the same email (usually you send the account in one email and the password later, in a separate email)
- Without any verification whatsoever. No one called my boss, my colleague, or even me. The vendor didn’t know if I was in IT, was authorized to know the password, or whether I knew anything about firewalls. All they knew was that an email from the correct company and email domain requested the password. It made me wonder how many others had the password.
It was then I knew that the firewall most likely had more than just a security problem or two.
Oh, that’s not all either; there’s a bonus round. When I opened the email from the vendor to claim my password, I noticed that the email I received was a reply to a previous email that had nothing to do with my company. It had more to do with a local bank.
Evidently this vendor also provided services to this bank, because in the previous email was the administrative account and password of this bank’s website, you know, the kind of website where you check your savings balance and transfer money.
To avoid temptation, I immediately emailed my vendor contact back and asked him to look at what was attached to the bottom of the email that he sent me. He emailed me back an apology and asked me to delete that portion of the email and not discuss the event with anyone (even at this point, I never received a call from the vendor).
I never discussed it until now, and I still don’t bank at that institution.
See a similar event at Vendor Provides Access, No Questions Asked.