I was visiting a friend at a large, public company, doing some benchmarking, when we had to schedule several meetings with IT to gather data. My friend “Meako” started entering attendees into his online calendar to see whether we could get some important meetings scheduled during the next week.
I noticed right away that we could view not only the free/busy times for every person, but also the reasons for the busy times: meetings, vacations, golf, travel plans, birthday parties, bachelor parties, and other items I shall not mention.
Meako could also open the meetings and read the agendas, attachments, and anything else in the meeting notice. Very few of the time slots that were scheduled were marked “Private.” Employees also unknowingly opened their weekend activities to everyone in the company.
On one hand, it didn’t surprise me because my friend said that the company’s culture is very open, kind, and helpful. The company prides itself on its technology, and on using it in a way that enables productivity.
On the other hand, that kind of openness is rather foolish. It demonstrates that many people in this company are not thinking about security and the tradeoffs that Bruce Schneier always talks about. Someone was only thinking about the gain in productivity, not the loss of privacy.
When calendars are shared at this level, it’s easy to discover what lawsuits are pending: just look at some attorney calendars. Check out HR calendars to see who has meetings about disciplinary actions. Marketing’s weekly meetings will let you know about the next advertising campaign. And if you’re curious about the problems engineering is having with their latest product, just find the calendars for those names you found in last month’s company newsletter announcing product X.
For calendaring to be productive, all you really need is free/busy information. Nothing else. It was interesting to note that only vice presidents and above had private calendars at this company. But those executives have lots of folks that do the leg work and know all about the company’s secrets.
Usually, if a company fails to protect data in one arena, you’ll find the same issues in other arenas. To test my suspicions, we slid over to the intranet. We followed some of the same methods noted in How to do an Easy Server Share Audit, such as searching for terms like confidential and lawsuit, and added other terms such as IT security, server, and database.
We found entire web pages devoted to servers and the databases that ran on them. We found listings of production, test, and development servers, along with database names, and even the service accounts that ran them. The pages even showed which disk each database was mounted on, and how many gigabytes each database consumed. (Generally, these types of pages are published automatically by monitoring tools like Tivoli. IT loves this stuff, often without realizing how others could maliciously use this data.)
We also found many documents describing sensitive IT operations, sales techniques, engineering diagrams, and more (often contained in unsecured SharePoint sites used by departments).
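The share/intranet audit described above, as an added example that is not part of the original post: a small Python audit helper that walks a directory tree, flags files whose name or contents contain the post’s search terms, and reports where each hit came from. The sample “intranet” it scans is constructed inline so it runs offline; the paths, file contents, and function names are assumptions, not the company’s data.

```python
import re
import tempfile
from pathlib import Path

# Terms the post searched for on the share and the intranet.
SENSITIVE_TERMS = ["confidential", "lawsuit", "it security", "server", "database"]


def scan_tree(root, terms=SENSITIVE_TERMS, context=30):
    """Walk `root` and return (relative path, term, snippet) for every file whose
    name or text content contains a sensitive term; "<filename>" marks name hits."""
    hits = []
    pattern = re.compile("|".join(re.escape(t) for t in terms), re.IGNORECASE)
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        # A file named lawsuit_strategy.docx leaks without being opened.
        for m in pattern.finditer(path.name):
            hits.append((rel, m.group(0).lower(), "<filename>"))
        try:
            text = path.read_text(errors="ignore")  # binaries become noise, not crashes
        except OSError:
            continue
        for m in pattern.finditer(text):
            start, end = max(0, m.start() - context), m.end() + context
            hits.append((rel, m.group(0).lower(), " ".join(text[start:end].split())))
    return hits


def summarize(hits):
    """Hit count per term, so an auditor sees which exposure is widespread."""
    counts = {}
    for _, term, _ in hits:
        counts[term] = counts.get(term, 0) + 1
    return counts


def build_sample_tree():
    """Constructed, intranet-like directory (hypothetical content) for a stand-alone run."""
    root = Path(tempfile.mkdtemp(prefix="intranet_"))
    (root / "hr").mkdir()
    (root / "it").mkdir()
    (root / "hr" / "agenda.txt").write_text("Weekly sync. Lawsuit review with counsel at 2pm. CONFIDENTIAL.\n")
    (root / "it" / "inventory.html").write_text("<p>prod server db01 runs the payroll database as svc_payroll</p>\n")
    (root / "it" / "lunch_menu.txt").write_text("Tacos on Tuesday.\n")
    return root


if __name__ == "__main__":
    found = scan_tree(build_sample_tree())
    for rel, term, snippet in found:
        print(f"{rel}: '{term}' -> {snippet}")
    print(summarize(found))
```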
If you have a GOOJ card (and my friend does), do the same thing on your company intranet. Be ready for a shock.
Finally, do a Google search with the name of your company and words like “private,” “confidential,” and “internal use only.” It’s always fun to find public treasures.
I remember one time I was googling a company that I was interviewing with and found some interesting financial and marketing data. It seemed odd that this data would be public, but then I started seeing employee links (sign up for benefits, how to enter a help desk ticket). I realized that Google had indexed an internal intranet that obviously wasn’t locked down. Oops. I got out of there fast.
It’s 10 pm and no one’s in the office. Do you know where your company data is? Have you had similar experiences?