Question to ask your IT Professional: “Who outside of our company can log in as an administrator?” What happened at Target is that Target provided at least one of their vendors with username and password credentials to log in to Target’s corporate network. Attackers stole the username and password credentials from a vendor.
The attackers didn’t need to breach Target, they only needed to breach Target’s vendor.
It is very – yes very – likely that your vendors have username / password access to your network. That means you are counting on your vendors’ security to protect your own.
Your full set of questions to ask your IT Pros:
“Who outside of our company can log in?”
“Is their account disabled right now?”
“If the account is enabled, when is it set to automatically expire?”
“In the past six months, exactly how many times has a login been absolutely necessary?”
“Do we reset vendors’ passwords and give them a new password every time we re-activate their account?”
This video explains the reasons and also provides more information about the 5 questions that you should be asking IT about who has access to your systems. The video is in plain English and designed for Presidents, CEOs, CFOs, other top executives, and business owners:
PS: If you are in a hurry and only want to see the “12 questions” without the explanation of why this is important, this video is a short excerpt:
You may wonder, “Just who has access to our network?” Ask IT to show you. It may be one or more of:
- Outside consultants who take care of your network
- Vendors who sold you some of your most important software
- Vendors who maintain a database – perhaps that of your internal paperless office imaging software
- Maybe even “The guy who used to be your IT guy who needs to connect in and help now and then.”
Disable, not delete, vendor accounts. You can re-activate each account when the vendor needs access, but set the automatic expiration date and reset the password each time.
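The five questions and the disable/expire/reset rule above can be turned into a check that IT can run against the list of vendor accounts. The script below is an added example and is not from the original post; it uses constructed sample accounts (the names, vendors and dates are made up) and flags any external account that is enabled with no expiration date, is enabled but past its expiration, is enabled but has not been used in the last six months, or was re-activated without a password reset. It also answers question four by counting how many logins actually happened in the window.

```python
"""Vendor-account audit: applies the post's five questions to a list of
external (vendor/consultant) accounts. All data here is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class VendorAccount:
    name: str                           # the login name IT shows you
    vendor: str                         # which outside party holds it
    enabled: bool                       # question 2: is it disabled right now?
    expires: Optional[date]             # question 3: automatic expiration (None = never)
    logins: List[date]                  # dates the account actually logged in
    last_enabled: Optional[date]        # when the account was last re-activated
    last_password_reset: Optional[date] # when its password was last reset


def logins_in_window(accounts: List[VendorAccount], today: date,
                     window_days: int = 182) -> Dict[str, int]:
    """Question 4: how many logins per account in the last ~six months."""
    cutoff = today - timedelta(days=window_days)
    return {a.name: sum(1 for d in a.logins if d >= cutoff) for a in accounts}


def audit(accounts: List[VendorAccount], today: date,
          window_days: int = 182) -> Dict[str, List[str]]:
    """Return {account name: [issues]} for accounts that break the rules.
    Disabled accounts are left alone: disable, not delete, is the goal."""
    findings: Dict[str, List[str]] = {}
    counts = logins_in_window(accounts, today, window_days)
    for a in accounts:
        issues: List[str] = []
        if a.enabled and a.expires is None:
            issues.append("enabled with no automatic expiration")
        if a.enabled and a.expires is not None and a.expires < today:
            issues.append("past its expiration date but still enabled")
        if a.enabled and counts[a.name] == 0:
            issues.append(f"enabled but no login in the last {window_days} days")
        # Question 5: every re-activation must come with a fresh password.
        if a.last_enabled is not None and (
                a.last_password_reset is None
                or a.last_password_reset < a.last_enabled):
            issues.append("re-activated without a password reset")
        if issues:
            findings[a.name] = issues
    return findings


# Constructed sample data; fixed "today" keeps the results reproducible.
TODAY = date(2014, 3, 1)
SAMPLE_ACCOUNTS = [
    # Consultant account: in use, password reset on re-activation, but never expires.
    VendorAccount("acme-backup-vendor", "Backup Co", True, None,
                  [TODAY - timedelta(days=30)],
                  TODAY - timedelta(days=60), TODAY - timedelta(days=60)),
    # Imaging-software vendor: properly disabled after its last job, nothing to flag.
    VendorAccount("imaging-db-support", "Imaging Inc", False,
                  TODAY - timedelta(days=190), [TODAY - timedelta(days=200)],
                  TODAY - timedelta(days=200), TODAY - timedelta(days=200)),
    # "The guy who used to be your IT guy": re-enabled 10 days ago with the old
    # password, has an expiry date, but has not logged in at all.
    VendorAccount("former-it-guy", "ex-employee", True,
                  TODAY + timedelta(days=30), [],
                  TODAY - timedelta(days=10), TODAY - timedelta(days=90)),
]


if __name__ == "__main__":
    for name, count in logins_in_window(SAMPLE_ACCOUNTS, TODAY).items():
        print(f"{name}: {count} login(s) in the last six months")
    for name, issues in audit(SAMPLE_ACCOUNTS, TODAY).items():
        print(f"{name}:")
        for issue in issues:
            print(f"  - {issue}")
```

Run it as-is to see the report for the sample accounts; to use it for real, have IT fill `SAMPLE_ACCOUNTS` from the directory's account list and login history, and keep the disabled entries in the list so the audit shows they are still disabled.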
Don’t experience what Target experienced. Don’t trust your system’s security to outside parties who may not keep your password secure.
Do you want to know something funny? Too often, when assessing our customers’ security, it turns out that vendors on your network will have passwords like (if your company is named ACME) “ACME.P@ssw0rd”. Guess what the vendor’s password is at their customer named “Tarpit”? You’re right: “Tarpit.P@ssw0rd”. That “secure” password with letters, numbers and symbols makes it easy for the vendor to “remember the password” for each of their customers. However, it leaves all of their customers, including you, wide open to anyone who knows the “secret strategy,” including every ex-employee the vendor ever had or will have, even angry ex-employees who might retaliate. That’s more scary than zombies on your driveway. This threat is real. Take action. Ask your IT Pros those questions now.
Please forward this to your friends and post your comments below…