I've always believed that information security doesn't have to be that difficult. It's really not when you focus on the essentials. The problem is, many people continue to ignore the basics. In search of something bigger, better, and sexier, they look past the small number of flaws that are creating the majority of the business risks. The mindset is “Surely we have to spend tens of thousands of dollars on the latest products to keep our environment locked down”. I know there are complexities and nuances that make information security an imperfect art – and science – but still, things are incredibly predictable.
Want to know one of the greatest vulnerabilities on your network, right now? No, it's not weak passwords or missing patches. Those are beyond predictable and are, instead, widely pervasive. What I'm referring to is personally-identifiable information (PII) and intellectual property (IP) that's scattered about your network. It's everywhere, in places you haven't thought about: your open network shares. In other words, you've got Windows (and Linux) systems sharing out PII to others on the network who should not otherwise have access to it. And this access is not being monitored or audited. It's being used and potentially abused, and it's off the radar. That's a problem.
Open network shares and unprotected PII and IP are not a new challenge that has suddenly appeared. I first wrote about this issue over a decade ago in the context of storage security – back when the term “unstructured information” was cool. We continue to see big breaches that are related to unsecured information at rest. This is backed up by studies that show IT professionals don't know where their sensitive data resides. There's no reasonable way, in the typical network environment, that sensitive information is being adequately protected from curious internal users as well as malware and related external attacks.
The question is, what are you going to do about it? For starters, you can use your vulnerability scanner to seek out open shares. The next step is to see what sensitive information, if any, is stored on these shares and how it's currently at risk. This merely requires logging in as a “typical” network/domain user and seeing what you can see. Look on servers. Look on workstations. Look on cloud storage. Look on internal storage systems and removable media. Leave no stone unturned. If you're not finding anything, odds are you're not looking hard enough. It's a different beast, but don't forget about PII on unsecured (i.e. unencrypted) mobile devices as well.
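The second step above, seeing what a typical domain user can read on a share, is the part people skip because it sounds tedious. Here is an added example (not the author's code) of the content-scanning half of that step: it walks a share that has already been mapped to a local path and flags files holding SSN-shaped values, Luhn-valid card numbers, and e-mail addresses. Finding the shares themselves is left to the vulnerability scanner, as the post describes. The patterns, size cap, and the throwaway sample share it builds are all constructed for illustration; tune the patterns to the data types your organization actually handles.

```python
"""Scan a mapped network share for PII patterns.

Added example for this post (not the author's code). It assumes the
share is already mounted or mapped at a local path; locating open
shares is left to the vulnerability scanner the post mentions.
Pattern names and thresholds below are constructed for illustration.
"""
import os
import re
import tempfile
from pathlib import Path

# Detection patterns (constructed; tune for your own data types).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13 to 16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12}\d{1,4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

# Skip files larger than this; large binaries rarely hold plain-text PII
# and reading them wholesale is slow.
MAX_BYTES = 5 * 1024 * 1024


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters most random digit runs out of card matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_text(text: str) -> dict:
    """Return a count per PII category found in `text` (empty if none)."""
    hits = {}
    ssns = SSN_RE.findall(text)
    if ssns:
        hits["ssn"] = len(ssns)
    cards = [m for m in CARD_RE.findall(text) if luhn_ok(re.sub(r"\D", "", m))]
    if cards:
        hits["card"] = len(cards)
    emails = EMAIL_RE.findall(text)
    if emails:
        hits["email"] = len(emails)
    return hits


def scan_share(root: str) -> list:
    """Walk `root` (a mapped share) and list files containing PII.

    Returns [(relative_posix_path, {category: count}), ...] for matching
    files only. Unreadable files are skipped; a real run should log them,
    since "access denied" is itself useful evidence of what the account sees.
    """
    findings = []
    root_path = Path(root)
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            path = Path(dirpath) / name
            try:
                if path.stat().st_size > MAX_BYTES:
                    continue
                text = path.read_text(errors="ignore")
            except OSError:
                continue
            hits = classify_text(text)
            if hits:
                findings.append((path.relative_to(root_path).as_posix(), hits))
    return sorted(findings, key=lambda f: f[0])


def build_sample_share() -> str:
    """Create a throwaway directory that stands in for an open share.

    All contents are constructed test data, not real records.
    """
    root = tempfile.mkdtemp(prefix="share_")
    (Path(root) / "hr").mkdir()
    (Path(root) / "finance").mkdir()
    (Path(root) / "hr" / "employees.csv").write_text(
        "name,ssn,email\n"
        "Alice Example,123-45-6789,alice@example.com\n"
        "Bob Example,987-65-4321,bob@example.com\n")
    (Path(root) / "finance" / "refunds.txt").write_text(
        "refund to card 4111 1111 1111 1111 approved\n"
        "ticket 1234 5678 9012 3456 is a tracking number, not a card\n")
    (Path(root) / "readme.txt").write_text("Nothing sensitive here.\n")
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for rel, found in scan_share(share):
        print(f"{rel}: {found}")
```

Point `scan_share` at a drive letter or mount point reached as an ordinary domain account, not as an administrator, and the hit list is a first inventory of what that account can already read. The Luhn check keeps the 16-digit tracking number in the sample out of the card count; expect similar noise from invoice and serial numbers in real data, and keep the file list rather than the matched values in any report you circulate.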
We have to rely on computers and networks for information sharing. I get that. We just don't have to be so sloppy with it. Unless and until this issue is shored up, you'll continue to have risks – often big ones – on your network, and you won't even know about them. Even when vulnerability scans, penetration tests, and audits come up clean, know that sensitive information is still out there, somewhere, waiting to be exploited for ill-gotten gains.