Friday, April 13, 2012

Information Security vs Senior Manager Fun#2 - Admin right for "VIP" user


Here is another deja vu.....

Senior Manager mate: Love, have you got that report finished? I need it before lunch to present it to the Board.
Personal Assistant love: Sir, not yet. I tried to install that reporting software you gave me but it just failed... I tried it many times but it keeps telling me something like "insufficient right"... hell if I know what that means...

Senior Manager mate: Ah... I remember that.. something to do with admin right that IT folks set. Why do these IT folks keep making my life harder each day! <*picking up the phone and calling the IT Supplier chap*> Can you come here immediately? I need you to install a reporting software on my PA's PC immediately.
<* IT Supplier chap arrived 5 minutes later*>

Senior Manager mate: Give my P.A. the admin right. I need her to do other reports with other software and I don't like having to call you every time I need to do so. I insist.
IT Supplier chap: If that's what you want, Sir, please sign this admin right request form.... but before that, you should know that having admin right could increase the risk of virus infection....
Senior Manager mate: <* interrupting IT Supplier chap*> Yeah.. I know all that stuff... just get it done now!



A few months later, the Personal Assistant love left the company and was replaced by a new lady.

1 month had passed.....

Information Security lad: Mr. Senior Manager, we have a situation. Our network is under virus attack. The IT folks are doing fire fighting as we speak... Our CERT team has issued a Red Alert for this incident.
Senior Manager mate: What? How could this happen... I thought we had all the security stuff we need. We just bought a full suite of that Anti-virus solution.
Information Security lad: Unfortunately, we are dealing with a new variant.. the Anti-virus software doesn't have the signature to counter this virus yet.... Furthermore, it seems like we are amongst the first ones to get hit....

1 week later......

Senior Manager mate: Information Security lad, tell me, I presume you have that lesson learnt done by now. Tell me, how did that virus get into our network <* acting pissed off *>
Information Security lad: Here it is. We spent a total of 100 man-days to fix the situation and it cost us 500,000 EUR blah blah.... And, we did find patient zero, sir. It started from your P.A.'s machine.....
New Personal Assistant love: What? Are you sure?
Information Security lad: Yes.. our forensic result indicates that. The virus did first propagate from your PC. We also found that you have admin right on the machine.... Have you downloaded and installed any unknown software?
New Personal Assistant love: No.... I'm new here and I don't install stuff on that PC. I just use it for normal emailing...
Information Security lad: <* checking her email history *> Ah... here it is, this email. I assume you clicked on the link and watched the funny video?
New Personal Assistant love: Yes...... and what's wrong with that.. I only watched it after office hours... some more, the link doesn't look dangerous to me...
Information Security lad: hmmm.. here's the thing. That video contains a virus inside.. once you play it, it will try to infect some system files to gain control of your PC and to propagate itself. Normally it would fail, but since you have admin right on your machine.. the virus managed to do that.. Once it infected your machine.. it propagated within the network and infected other machines. That's how we had that virus outbreak... Now, may I ask how you got that admin right? Our record indicates that you shouldn't have one.
New Personal Assistant love: I'm not sure... I just inherited the user account from the previous lady.... She gave me the password before she left.... She said....
Senior Manager mate: <* looking a bit nervous *> No, I didn't ask her to do that.. in fact, I asked her to contact IT to get her account revoked before she left the company.....
Information Security lad: <* in his head: yeah right... blame it on the poor lady that left *> Mr. Senior Manager, we need to review all admin rights given.... Miss New Personal Assistant, did you attend any information security awareness training when you joined the company? It should be part of your induction training.... Did HR send you there?
New Personal Assistant love: Nope.... I didn't go through any induction training. I heard they cancelled it due to budget issues....
Information Security lad: Mr. Senior Manager, it seems like we have 2 major issues here. One, we need to review all the admin rights given and revoke those not needed. Second, we need to ensure that induction training, especially the Information Security Awareness part, is mandatory for each staff member. The security awareness training is important as one of its components is educating the staff on how to use the internet and email safely.
Senior Manager mate: You do that...... <* damn... I shouldn't have cut that induction budget... it costs much less than fixing this virus stuff *>


Moral of the story?
1. Having admin right is a risky thing. It must be controlled and given on a need-to-have basis only.
2. People are always the weakest link of a security chain. Educating a user/staff on proper usage of the internet, email, etc. is often more effective than purely depending on technological controls such as anti-virus.
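The admin-rights review the Information Security lad asks for in the story (revoke what is not needed, and catch rights that were never revoked when someone left) can be made routine rather than a one-off. Below is an added example, not code from the original post: it parses the member list printed by the real Windows command `net localgroup administrators`, joins it against an HR roster and a table of signed admin-right request forms (both modelled here as constructed sample data; the `Approval` record, the `HR_ROSTER` dictionary and the expiry rule are assumptions of this example, not anything the post describes), and reports every member that should be revoked and why.

```python
"""Admin-rights review: flag local Administrators members that should be revoked.

Added example (not from the original post). Inputs a reviewer would collect:
  * membership of a PC's local Administrators group, as printed by
    `net localgroup administrators` (a real Windows command; sample output constructed)
  * an HR roster of accounts and whether the holder is still employed (constructed)
  * the signed admin-right request forms, modelled as approvals with an expiry (constructed)
"""
from dataclasses import dataclass
from datetime import date

# Constructed sample: text printed by `net localgroup administrators` on one PC.
NET_LOCALGROUP_OUTPUT = """\
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\pa.smith
CORP\\Domain Admins
CORP\\it.supplier
CORP\\contractor.x
CORP\\helpdesk
The command completed successfully.
"""

# Constructed HR roster: account -> still employed? (pa.smith is the P.A. who left)
HR_ROSTER = {
    "CORP\\pa.smith": False,
    "CORP\\pa.jones": True,
    "CORP\\it.supplier": True,
    "CORP\\helpdesk": True,
}


@dataclass(frozen=True)
class Approval:
    """One signed admin-right request form (hypothetical record layout)."""
    account: str
    approver: str
    expires: date


# Constructed approvals: the forms on file, each with an expiry date.
APPROVALS = [
    Approval("CORP\\pa.smith", "senior.manager", date(2012, 12, 31)),
    Approval("CORP\\it.supplier", "it.manager", date(2012, 6, 30)),
    Approval("CORP\\helpdesk", "it.manager", date(2013, 1, 31)),
]

# Built-in principals that are expected in the group and are reviewed elsewhere.
BUILTIN_OK = {"Administrator", "CORP\\Domain Admins"}


def parse_net_localgroup(text: str) -> list:
    """Return the member names from `net localgroup <group>` output.

    Members are listed between the dashed separator line and the closing
    'The command completed successfully.' status line.
    """
    lines = text.splitlines()
    try:
        start = next(i for i, line in enumerate(lines) if line.startswith("----")) + 1
    except StopIteration:
        return []
    members = []
    for line in lines[start:]:
        line = line.strip()
        if not line or line.startswith("The command completed"):
            break
        members.append(line)
    return members


def review_admins(members, roster, approvals, today):
    """Map each member that should lose admin right to the reason for revoking it."""
    by_account = {a.account: a for a in approvals}
    findings = {}
    for member in members:
        if member in BUILTIN_OK:
            continue
        employed = roster.get(member)
        if employed is False:
            # The account survived its holder's departure: exactly the inherited-account case.
            reason = "account holder has left the company"
        elif employed is None:
            reason = "account not in HR roster"
        elif member not in by_account:
            reason = "no signed admin-right request on file"
        elif by_account[member].expires < today:
            reason = "approval expired on %s" % by_account[member].expires.isoformat()
        else:
            continue  # employed, approved, and approval still valid
        findings[member] = reason
    return findings


def run_review(today_iso="2012-08-01"):
    """Run the review over the constructed sample data as of the given date."""
    members = parse_net_localgroup(NET_LOCALGROUP_OUTPUT)
    return review_admins(members, HR_ROSTER, APPROVALS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for account, reason in sorted(run_review().items()):
        print("REVOKE %-22s %s" % (account, reason))
```

The expiry date is the point of the design: an admin right granted on a signed form is a time-boxed exception, so the review finds it again without anyone remembering to revoke it. Run periodically against every PC's group membership, this also catches the case in the story, an account still holding admin right after its owner has left, without depending on the departing user having asked IT to revoke it.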

Ain't security fun? ;) 

Acknowledgement: Picture taken from http://www.flickr.com/photos/liamdunn/2683642114/sizes/z/in/photostream/
