During an audit, I had a vendor provide me with access to data I shouldn’t have, no questions asked. I didn’t ask for the access, I just needed some information for my audit.
The audit involved checking some vendor software to determine whether it is patched by IT on a regular basis. I obtained from IT a screenshot of the version number of the software that was installed, but needed to know the last couple of versions released by the vendor. The admin was going to send me the URL because he said I probably wouldn’t find the info on the vendor’s site. After a couple of days of waiting for the URL, I took matters into my own hands and went to the vendor’s website.
This vendor reminded me of Oracle in that you couldn’t access basic documentation or key information without an account at the vendor’s website. I had to register for an account using my work email address and received a message that my request would be reviewed and I’d hear the results in 24 hours.
Surprisingly, I received an email promptly the next day that contained my account and password. I logged in and retrieved their patch list and finished that part of the audit (the installed software was running the latest version).
But then I noticed that my account gave me access to a profile and web pages that were obviously set up for our company when we bought the software. I could see the support tickets that IT had opened with the vendor, which included all the requests, notes, and replies detailing the exchange between our IT admins and the vendor: all the ticket dates, who entered each ticket and commented on it, the solutions, etc. I also found a list of licenses that we purchased for all their products.
Ok, so in a sense, I asked for the access when I registered for an account, which required a work email address. But unlike Oracle, I didn’t have to provide a customer or site number. I was given access based on my email address alone. I could have been the payroll clerk, the law librarian, or a contractor (ahem), anyone with a company email address. No questions asked. No follow-up with IT.
One other note – my vendor account was my email address, and the password I was given was my first name + 123. I am willing to bet that if I tried to log in as one of the IT admins from my company, their passwords would still be their first name + 123. What do you think?
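The two weaknesses described above, granting a customer portal account on the strength of an email domain alone and issuing an initial password built from the user’s first name, can both be checked mechanically. The following is an added example, not the vendor’s code; the customer record, account requests and issued credentials are constructed for illustration.

```python
import re
import secrets
import string

# Constructed customer record: the domain the vendor has on file and the
# named contacts IT registered when the software was bought.
CUSTOMER = {"domain": "example.com",
            "authorized_contacts": {"alice.smith@example.com"}}

# Constructed sample of initial credentials a portal might have issued.
ISSUED = [
    {"email": "alice.smith@example.com", "first_name": "Alice", "password": "Alice123"},
    {"email": "bob.jones@example.com",   "first_name": "Bob",   "password": "bob123"},
    {"email": "carol.wu@example.com",    "first_name": "Carol", "password": "v7!Qp2#LmZ9rT4wX"},
]

def triage_registration(request_email, customer):
    """Decide what a self-service portal should do with a new-account request.
    A matching email domain is not approval: anyone at the company has one."""
    addr = request_email.strip().lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    if domain != customer["domain"]:
        return "reject"
    if addr in customer["authorized_contacts"]:
        return "approve"
    return "review"   # same domain, unknown person: ask an existing contact to vouch

def is_derived_from_identity(password, first_name, email):
    """True when the password is the user's first name or a piece of the email
    local part followed by at most four digits/symbols (the 'firstname123' pattern)."""
    local = email.split("@", 1)[0].lower()
    tokens = {first_name.lower()} | set(re.split(r"[._-]", local))
    body = password.lower()
    for token in tokens:
        if len(token) >= 3 and body.startswith(token):
            if re.fullmatch(r"[0-9!@#$%]{0,4}", body[len(token):]):
                return True
    return False

def audit_issued_credentials(records):
    """Return the accounts whose initial password is predictable from identity data."""
    return [r["email"] for r in records
            if is_derived_from_identity(r["password"], r["first_name"], r["email"])]

def issue_initial_password(length=16):
    """What a portal should hand out instead: a random, one-time initial secret."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

Run against the constructed data, `triage_registration` routes an unknown colleague to review instead of auto-approving, and `audit_issued_credentials` flags the two name-based passwords while passing the random one.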
Firewall Password
This event reminded me of another event many years ago when I took over for another person running the network. Our perimeter firewall (and only firewall) was managed by a vendor, and I needed the password. So I emailed the vendor (using my company email address), explained who I was, mentioned the person’s name that I took over for, and asked for the password. Later that day, I got the password via email, again, no questions asked.
In this case, I had described who I was and told them the previous admin’s name, so it was reasonable that they should trust me, although they still should have checked, especially regarding a firewall password. But they didn’t.
I really thought things had changed since those days, especially in these days of regulation and litigation, but they obviously haven’t in some companies. Yes, the info I accessed in the first instance noted above is a far cry from a firewall password, and it’s low risk. But do you think all the vendors who handle more sensitive data regarding their client support relationships have this covered?
Regardless of how many regulations, standards or policies we have, none of them is effective as long as it is down to people. It all comes down to enforcement. I can bet that the vendor support people responsible for providing you the access to their website or the firewall password were aware of good and bad security practices, as they are commonly communicated, but just didn’t care to or were too lazy to follow them. Following security standards is not easy because it is not the norm; the norm is to keep things easy, as they were kept in both your experiences.
Hi coffeeking,
I agree. Hopefully the vendor’s auditors look at who they give accounts to occasionally and whether any approval is documented. In this case, no harm done, as I’m one of the good guys (another name for auditor, right?).
But then again, if this is how they treat the very large and prominent company I’m currently auditing, it is likely that they treat other companies the same. And smaller companies worse.
Of course, this particular vendor is a security provider [surprise!].
Following security standards is usually not only the norm, it’s a pain. I know because it doesn’t come naturally to me either. But then I remind myself that it’s much easier, quicker, and less painful than being responsible for a breach.