I think one of the most intriguing aspects of security is that of password management; forget patching, AV, spyware, intrusion prevention and all that other shiny techno security babble – the first immutable law of security states: never, ever give away your password(s), write them down or disclose them – whatever! Just don’t do it. Period!
This said, it amuses me no end to find that even after repeated education, technical and not-so-technical users alike still revert to the good old Post-it note stuck to a pin board, monitor, etc. as the trusted repository of usernames and passwords – security by obscurity? You decide.
The source of this amusement comes from a recent on-site conversation with a client about deploying high-level protective measures around data loss and data leakage. The client’s primary objective was to stop data being disclosed from stolen devices, while the second was access control to sensitive data by the masses; the preferred (client) choice and buzzword of the moment was to deploy encryption on all fronts. After some serious discussions were held on the subject, I pointed out one serious chink in the organisation’s armour which I suggested they needed to address ASAP – the issue of password disclosure! Of course the response was ‘why do we need to address that issue? It’s not a problem in the organisation, it is forbidden by policy and strictly policed!’ – at which point I asked the client to look at the desk immediately behind to see the ‘pink’ Post-it note stuck to a helpdesk techie’s monitor, entitled (in bold) enterprise admin, followed by account name and password, at which point the client almost fell off the chair!
The funny thing about this was that it was the client that had issued the username and password of the account to the techie, but failed to realise the significance of the act!
So, if a user can easily masquerade as the enterprise administrator, how do you protect your data…?
Well erm…..

TXMaxx ‘d your password: http://www.securityfocus.com/news/11520?ref=rss
By: davespanner on 6 June, 2008 at 1:56 pm