by Angela Guess
Rob Sobers of Varonis recently discussed how an information leak in New Zealand has highlighted the need for better information governance. Sobers writes, "Earlier this week, Keith Ng blogged about a massive security hole in the New Zealand Ministry of Social Development’s (MSD) network. He was able to walk up to a public kiosk in the Work and Income office and—without cracking a password or planting a Trojan—immediately gain access to thousands upon thousands of sensitive files. How sensitive, you ask? Among other things, Ng could browse, read, and modify: (1) Invoices and other financial data. (2) Call system logs. (3) Files linking children to medical prescriptions. (4) Identities of children in special needs programs. Really… frightening."
He goes on to ask how this happened: "Well, there are two possibilities: (1) The kiosks were logged in with an administrative account (e.g., Domain Admin) with full access to all data on the network. (2) The kiosks were logged in with a 'normal' account, but the file shares were incorrectly permissioned, allowing global access. I find it very hard to believe that the kiosks were logged in as administrators, but we can’t rule it out. The latter cause, broken/excessive permissions, is actually a very common problem that we address with organizations literally every week at Varonis."