Trainee - a find for the spy
Hi, Habr.
I am a student in the “information security of automated systems” programme, and it so happens that I care about information security. Knowing full well that in this field, in addition to knowledge of GOSTs, all kinds of documents, technical knowledge, English, self-confidence and so on, I will also need experience, I have been looking for every possible way to get that experience since the start of my adult life. Since it is also well known that nobody will just hand you the security of their own company, and consulting wanted at least full-time specialists, I decided to join companies as an ordinary trainee. From there you grow, look for contacts, connections, interesting people and more. In the end, experience is rarely superfluous.
In general, my experience to date comes down to internships at a certain number of companies. All the companies were Russian; that is probably an important clarification. Each company was developing some kind of security software. After working at each of them, I have been unable to calm the fire in my chest that appeared when I looked at the state of corporate security. You’ll be right if, after reading this, you say that it’s just youthful maximalism, that I want to achieve the ideal, that information security is very boring anyway and being a programmer is more interesting, and so on. I must say right away that at all the companies my responsibilities included testing various products. At the interviews it was stipulated that for a start I only wanted an internship.
Now that we know each other, let's get started.
The following is a list of what seem to me to be gross violations of corporate security standards. Perhaps, due to my lack of experience in this area, my opinion will be wrong. I will pay close attention to any comments and criticism about this.
1) At each workplace I had free or almost free Internet access to all resources, as well as the ability to download and install any software. No employee monitoring systems were installed.
2) At none of the workplaces were there clear instructions on how to create and store passwords. Which led to this case:
I needed a document that was on the manager’s computer. At that time the manager was on vacation, and I was advised to simply call him to find out the password (everyone had a login of the form n.surname). After taking a long time to remember who I was, he still told me his password. After that, none of the employees, including the deputy manager, watched what I was doing on that computer. This was on a Friday. On Monday the manager came to work and did not change the compromised password. Interestingly, this password also worked for his mail (there was no two-factor authentication) and for his internal corporate account.
3) At each workplace any recording devices could be used. You could also copy any files, and likewise send them by mail. Perhaps I simply never came across the really important files and documents that would have been blocked. But everything concerning technical requirements, bug descriptions and features was quietly sent by mail.
4) At some workplaces, records of disks, tokens, removable drives, monitors, routers and other hardware taken out for use were not kept properly. More precisely, although there was a person who was supposed to log such things, he simply provided a closet and asked you to write him a letter. Moreover, after using something, the employee returned the item to the closet themselves. So all you needed to do was put your own drive or flash drive into the closet on return, labelled in the same way, like “product No. n, assembly No. m”. Antivirus, by the way, was also nowhere to be found.
5) CCTV and access control. In one place they had not heard of cameras; they said everyone trusts everyone. There was one camera at the entrance. In another place they loved cameras and stuck them everywhere, without giving any thought to the fact that the person watching the feeds had nothing to do with the company and could follow who was doing what. There were no privacy films or screen filters on the monitors. As for the access system, there is the human factor. Many times, when I had just started at companies with more than 100 employees, people held a key-card door open for me. I don’t think all of those people knew me.
6) The server room. At one workplace the key was issued against a signature. Yes, an ordinary key. Just a signature. Yes, even to me, an intern. And then you make a cast of it, right? In that server room, by the way, there were no cameras. The server room at another office was simply open all day to everyone. And no, there were no cameras in the corridor or in the server room itself.
7) The password for the internal system folders, the “god mode” in the software under development and some other things was one and the same.
8) Meeting rooms were open; before interviews they were not checked in any way (and interviews were frequent almost everywhere), and there was clearly no sound insulation.
9) Also, at one of the companies I came across information about lawsuits completely by accident.
10) There was an incident when the financial report was mailed to all employees.
11) While moving offices, one of the companies lost a box of universal personal identifiers that potentially gave access to any piece of hardware being developed at the time.
Of course, there is the information-security principle that you do not need to protect information about employees’ birthdays with a hundred-metre wall and barbed wire, and that all measures and solutions should be economically justified. But, again, all of these companies were developing software that is supposed to provide that very security.
At the end of each internship I looked for a way to talk with the person responsible for information security at the company. Not at all to show them they were wrong, just to talk and ask questions. In most cases the managers brushed it off and said that nobody needed their company’s data anyway. Audits had become lazy after a couple of years. And what exactly they do there... nobody gave an exact answer to that question. Perhaps, being security people, they keep such things secret. Perhaps Russian companies simply need to have their information stolen first. And it is in our mentality to insure a house only after it has burned down.
In any case, I hope there are Russian companies that care about the safety of their data.
Thanks for your attention. It will be very interesting to read your thoughts.