Who do you think is the most dangerous person in your organization?
Think it’s the CEO? They set the direction and make the decisions, right? Nope, not them; they always have a bunch of people looking over their shoulder and, occasionally, a vested interest in the company’s success.
How about the CFO? They’ve got their hands in the cookie jar all day. Again, nope; they presumably have staff oversight, reconciling accounts, entering invoices, etc. Someone would see if some money vanished, and even if they did run off with some cash it’s not actually that damaging; money can be replaced.
The answer is your CIO/CTO/IT director/IT Manager. Whatever you call the person that runs your Information Technology department, they have the keys to the kingdom, whether they realize it or not.
How does that work? You didn’t give them any special authority and they definitely answer to you, right? Well, yes and no. Do you understand what they do? How they do it? Probably not; that’s a specialized field and there’s probably no one in your organization equipped to assess their efficacy or competence.
Let’s discuss some examples to give you a picture of this.
Account access – That seems trivial. Just some passwords and email addresses, generally. What if your IT person walks suddenly? They have administrator accounts that allow them to manage all your other accounts. Think those admin accounts are accessible without the IT person? Does anyone else in your organization have access to them? So what happens when those accounts walk? Well, first off, you can’t revoke that IT person’s access: access to everything, with zero restriction or oversight. That’s a pretty big problem. If they left without warning they probably weren’t very happy.
What else? Well, got any new employees coming in? No one can set up their access: email, servers, websites you use, etc. They probably can’t do their job until you sort that out. Heck, they probably can’t even log in to their PC, assuming they were able to get one.
That’s really nothing though; get someone else in the door, call an MSP, whatever. Maybe a couple of days of trouble. Well, that’s just the tip of the iceberg.
What if you’re in the much more common, much more difficult to spot situation? What if your IT person sucks? You may not be able to tell. If your day-to-day stuff isn’t impacted, email is working, your PC isn’t broken, etc., then your IT person is solid, right?
Maybe, maybe not.
The biggest threat your IT person poses is security. If their security approach isn’t on point you’re not going to know. There’s no real obvious evidence if you aren’t knowledgeable in the field yourself. Meh, it’s not that big of a deal, right? We’re not worth hacking, why would anyone attack us? You’re probably right, no one is specifically targeting you. The reality is everyone is under attack all the time. Massive botnets and other automated approaches are constantly hammering every corner of the internet trying to find weak points. The spam email you get is all automatically generated. The attempts to penetrate your firewall are automated. The suspicious login attempt you get an email about was just a program running on a computer somewhere. It doesn’t matter how big or small your company is, it’s under attack.
What if you are specifically being attacked? How much danger is there in that case? Well, let’s look at an example.
A former business partner of mine had an alternate gig while we were working on things. He was the COO. In this place IT fell under his authority. Turns out the place is involved in a case heading to court for wire fraud. They didn’t do any fraudulent wiring. Turns out a client got a fake email with wiring instructions. They were apparently part of the problem and followed the instruction without question.
So my buddy asks me to poke around a bit and offer an assessment of the situation. I gave it a solid 5 minutes and reported back. His organization had no SPF record configured on their domain. This is an extremely simple and impressively effective mechanism designed to prevent would-be attackers from spoofing emails from your domain. Their company site had multiple board members’ email addresses listed on the about us page. This is a bit of a controversial thing. You can do that; I would not. Simply put, you’ve just provided your would-be attackers all the best email addresses to spoof and the usernames for the most impactful accounts they could hack; they’re halfway there thanks to you.
So very likely nothing was hacked on the company’s side. The user probably had their email hacked, the attacker had been monitoring communications, saw a high value target, did 10 seconds of research and realized there was nothing to prevent them from spoofing this place’s emails, whipped up an email and got a bucket of cash. Of course, for all we know everything was hacked. If you don’t have an SPF record configured I’m sure you don’t have MFA.
If they had an even remotely decent person running their IT this never would have happened.
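To make the SPF point concrete, here is an added example (not code from the post or from the organization described) of how a receiving mail server decides whether a connecting IP is allowed to send for a domain, and a one-line posture check of the kind a five-minute look produces. It handles the `ip4`, `ip6` and terminal `all` mechanisms; anything that needs a DNS lookup (`include`, `a`, `mx`, `redirect=`) is reported as `needs_dns` so the example runs offline. The records and addresses used are constructed.

```python
"""Minimal SPF check for one sending IP.

Added example, not the post's own code. Handles the mechanisms that matter for
the spoofing case the post describes (ip4, ip6 and the terminal 'all' with its
qualifier); mechanisms that need DNS (include, a, mx, exists, ptr, redirect=)
are reported as 'needs_dns' so the example runs offline.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = {"include", "a", "mx", "exists", "ptr"}


def evaluate_spf(record, sender_ip):
    """Return 'none', 'pass', 'fail', 'softfail', 'neutral', 'permerror' or 'needs_dns'.

    record: the domain's SPF TXT string, or None if the domain publishes none.
    sender_ip: the connecting SMTP client address, as a string.
    """
    if record is None:
        return "none"  # nothing tells receivers this sender is unauthorised
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        # modifiers look like name=value; only redirect= changes the outcome
        if "=" in term.split(":", 1)[0]:
            if term.split("=", 1)[0].lower() == "redirect":
                return "needs_dns"
            continue  # exp= and unknown modifiers are ignored
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif mech in DNS_MECHANISMS:
            return "needs_dns"
        else:
            return "permerror"  # unknown mechanism
    return "neutral"  # RFC 7208: ran off the end without a match


def spf_posture(record):
    """One-line verdict of the kind the post's five-minute look produced."""
    if record is None:
        return "missing: anyone can send mail claiming to be this domain"
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return "invalid: not an SPF record"
    last = terms[-1].lower()
    if last in ("+all", "all"):
        return "open: +all authorises every sender on the internet"
    if last == "?all":
        return "weak: ?all gives receivers no signal"
    if last == "~all":
        return "soft: ~all leaves the decision to receiver policy"
    if last == "-all":
        return "strict: -all asks receivers to reject unauthorised senders"
    if last.startswith("redirect="):
        return "delegated: outcome depends on the redirect target"
    return "incomplete: no terminal all, unmatched senders are neutral"
```

The missing-record case is the one the post describes: `evaluate_spf(None, ...)` returns `none`, which most receivers treat as "no opinion", so a spoofed message carrying the board member’s address is delivered like any other. A record ending in `-all` is what turns that same message into a rejection, and pairing SPF with DKIM and a DMARC policy is what makes the rejection apply to the visible From: address rather than only the envelope sender.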
Let’s do another example; I like trash talking the buffoons I’ve run across in my career.
This company had an email issue. Everyone in the company got an email one day asking everyone to download a file. The email was sent from the mailbox of one of the 10 most senior people in the organization. I saw the email and dismissed it immediately. I actually thought it was one of those staff tests to see who would be foolish enough to click the link. Well, it wasn’t a test; it was a real email, from a really compromised mailbox of a really senior person. This one was pretty amazing because later I would find out the attacker was actually responding, from the compromised mailbox, to people questioning the email. Definitely a very specific, orchestrated attack. It’s worth noting I had no IT capacity in this organization; I was merely observing. A while later it was determined this was a legitimate attack, but there was no major announcement or mandatory password change; this joke of an organization of course didn’t even have MFA on their email, so they were practically begging for this to happen.
So after discovering this was no test I surveyed my team. One user had clicked the link, which then prompted them for OneDrive (Microsoft) credentials, which they then entered but were surprised to find no download. Obviously that was a phishing link and they had just acquired that user’s credentials. In this particular organization, when IT initially assisted you with setting up your accounts on your first day they also advised you to use the same credentials for all your accounts for convenience. I imagine they would have drooled on themselves out of confusion if you mentioned SSO. This of course was very convenient, especially for the attacker, who now had access to this user’s mailbox, the entire file sharing platform containing hundreds of terabytes of client data, and the website that tracked all projects, finances, and employee personal info. My user didn’t have that much access but the initial compromised email did.
I discovered this user was compromised, with no action taken, about a week after that first email landed. So I notified my boss, who arranged a meeting with this “person”. This imbecile shows up to the video meeting about 75% lying down slouched across their chair, baseball cap sideways on their head, seething attitude, also had that haircut that makes you look like you recently had brain surgery; who knows, maybe that’s the explanation for all this. At first things are cordial enough. I very briefly explain my concern. Their response is something to the effect of “this issue is already dealt with; after the email was reported I logged everyone out.” My response was of course “that’s it?”. I then tried to explain they obviously already have all these people’s credentials; if you didn’t change their passwords all they had to do was log back in.
This was enough to set this dimwit off. They got much louder and more aggressive, immediately starting to throw out every possible excuse for the pathetic security, eventually ending in a tirade about how the compromise was my fault because my department was using OneDrive. Just a quick side note: this idiot had issued a process change email that everyone was to only use a specific file sharing platform going forward. I had only worked there a couple of weeks and my department had been using OneDrive for years prior. No direction or assistance was ever offered to migrate the dozens of terabytes there and no follow up was ever made to ensure people were actually using the recommended platform (which was also a terrible, barely functional platform, btw).
So anyway, after over a week of massive breach and no response it was determined that still nothing was going to be done. I instructed my user to change their password at least. I informed my boss this was an enormous and potentially illegal issue. They approached the IT moron’s boss, who dismissed it entirely, stating they trusted the IT moron and, effectively, no amount of concrete fact could sway them. Then additional emails with phishing links started coming from other accounts. Lots of them.
Eventually everyone received the Microsoft prompt to configure MFA, without warning or preparation, so someone must have finally realized what was happening. Of course by that point it was far too late, over two weeks since the initial email. Every bit of data had been downloaded long before. Thousands of clients’ business information, staff information, bank info, etc. leaked to a malicious entity and no steps were ever taken to report it or prevent it or even stop it.
But that wasn’t the end. See, this IT person continued their reign of incompetence. They clearly had no understanding of the options in the MFA settings in Microsoft 365, so they made an enormous error. They left App Passwords enabled. An app password allows you to bypass MFA for older applications that don’t support modern authentication. Totally unnecessary in this organization. However, since it’s on by default and the dimwit didn’t know what it meant, they left it on. This means the attacker now just needs to crack that password and once again will have complete access to the mailboxes. They also enabled MFA on the file sharing platform where files are sent to and received from clients (the ones that contain all of their employees’ personal information and banking information and all that); however, when this data is returned to the client a link is emailed to them to access the files: a public, non-expiring download link with unlimited uses. So once mailbox access is regained (probably took 2 days) all the attacker needs to do is scan for links to this site and they can download all this data effortlessly.
So let’s assess. What should have been done? Well, step one, that IT person should’ve been fired immediately after my conversation with them. My boss that was on the call was roughly the 4th highest ranking person in the organization. I explained the situation to them and they were easily able to see it was simply fact, not up for debate. I don’t fault a person for making a mistake but the handling of a mistake is extremely important. The mistake in this case was allowing an easily preventable breach to occur. Their responsibility was to act swiftly and appropriately to the breach. Not only did they not do that but they demonstrated they had no understanding of the systems they were responsible for or what actions to take. Then, to make things worse, when presented with proof their systems were compromised they refused to act and did nothing but make excuses. Truthfully they shouldn’t just be fired, they should also probably be put in prison. There’s no telling how much damage, to how many businesses and people, they are directly responsible for.
How should the IT person have handled this? Well, first off, no organization on the planet should have email without MFA. Email is the single most targeted and easily targeted attack vector there is, and once you get an account you get the mailbox, and if it’s Microsoft (most of it is) you get the global address book (a list of every email address in the company). From there you can do all kinds of damage. That said, if this situation came up only a complete idiot would believe logging people out would do anything about compromised account credentials, and I don’t just mean as far as IT people go; that’s so stupid it’s hard for me to fathom. Every account should have had a forced password change immediately and an email blast to everyone warning them of the phishing email, which didn’t happen. To be fair they did try to recall the email; of course that didn’t work because they didn’t know what they were doing, and they never followed up to see if it had worked, and it was already much too late anyway.
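The two failures above, "logging everyone out" while the stolen passwords still work, and leaving app passwords on so legacy protocols skip MFA, both show up in sign-in logs, and this is how a responder would read them. This is an added example, not code from the post or from the organization it describes. The log lines are constructed; their field names loosely follow the Entra ID sign-in log export (`userPrincipalName`, `createdDateTime`, `ipAddress`, `clientAppUsed`, `status.errorCode`, where 0 is success and 50126 is a bad username or password), but no real tenant data is involved. The phishing time and the time sessions were revoked are inputs the responder supplies.

```python
"""Post-phishing sign-in triage.

Added example, not the post's own code. The log lines below are constructed for
this example; their field names loosely follow the Entra ID sign-in log export
(userPrincipalName, createdDateTime, ipAddress, clientAppUsed, status.errorCode),
but no real tenant data is involved. errorCode 0 is a successful sign-in.
"""
import json
from datetime import datetime, timezone

# Protocols that cannot do MFA and are what app passwords / basic auth unlock.
LEGACY_PROTOCOLS = {"IMAP4", "POP3", "SMTP", "Authenticated SMTP",
                    "Exchange ActiveSync", "Other clients"}

# Constructed sample: alice entered her credentials on the phishing page,
# bob did not (the attacker's guess for bob fails with errorCode 50126).
SAMPLE_LOG = """\
{"createdDateTime":"2024-03-01T08:02:00Z","userPrincipalName":"alice@example.com","ipAddress":"198.51.100.20","clientAppUsed":"Browser","status":{"errorCode":0}}
{"createdDateTime":"2024-03-02T10:00:00Z","userPrincipalName":"bob@example.com","ipAddress":"198.51.100.21","clientAppUsed":"Browser","status":{"errorCode":0}}
{"createdDateTime":"2024-03-04T09:15:00Z","userPrincipalName":"alice@example.com","ipAddress":"198.51.100.20","clientAppUsed":"Browser","status":{"errorCode":0}}
{"createdDateTime":"2024-03-04T09:31:00Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.77","clientAppUsed":"Browser","status":{"errorCode":0}}
{"createdDateTime":"2024-03-04T09:40:00Z","userPrincipalName":"bob@example.com","ipAddress":"203.0.113.77","clientAppUsed":"Browser","status":{"errorCode":50126}}
{"createdDateTime":"2024-03-04T11:05:00Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.77","clientAppUsed":"Browser","status":{"errorCode":0}}
{"createdDateTime":"2024-03-05T08:00:00Z","userPrincipalName":"bob@example.com","ipAddress":"198.51.100.21","clientAppUsed":"Browser","status":{"errorCode":0}}
{"createdDateTime":"2024-03-06T02:40:00Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.77","clientAppUsed":"IMAP4","status":{"errorCode":0}}
"""


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(log_text, phishing_time, revocation_time):
    """Find accounts whose successful sign-ins after the phish come from IPs never
    seen for that user before it, and tag what each finding implies."""
    phish, revoke = parse_ts(phishing_time), parse_ts(revocation_time)
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["createdDateTime"])
    baseline = {}   # user -> IPs with successful sign-ins before the phish
    findings = {}   # user -> {"new_ips": set, "flags": set}
    for e in events:
        if e["status"]["errorCode"] != 0:
            continue  # failures matter too, but this pass is about live access
        user, ip, ts = e["userPrincipalName"], e["ipAddress"], parse_ts(e["createdDateTime"])
        if ts < phish:
            baseline.setdefault(user, set()).add(ip)
            continue
        if ip in baseline.get(user, set()):
            continue
        f = findings.setdefault(user, {"new_ips": set(), "flags": set()})
        f["new_ips"].add(ip)
        f["flags"].add("new_ip_signin")
        if ts >= revoke:
            # a fresh sign-in after sessions were killed: the password still works
            f["flags"].add("reauth_after_revocation")
        if e.get("clientAppUsed") in LEGACY_PROTOCOLS:
            # IMAP/SMTP/etc. never prompt for MFA: app password or basic auth
            f["flags"].add("legacy_protocol_mfa_bypass")
    return findings


def remediation(findings):
    """Map flags to the response the post argues for, in order."""
    plan = {}
    for user, f in findings.items():
        steps = ["revoke sessions", "force password reset"]
        if "reauth_after_revocation" in f["flags"]:
            steps.append("treat mailbox and every shared-password system as breached")
        if "legacy_protocol_mfa_bypass" in f["flags"]:
            steps.append("remove app passwords and block legacy authentication")
        plan[user] = steps
    return plan
```

Run against the sample with the phish at 09:00 and the logout at 10:00 on 4 March, `triage` flags only alice: a new IP signs in at 09:31, signs in again at 11:05 after the "logout" (so the password is still in the attacker’s hands), and on 6 March connects over IMAP4, which is exactly the path an app password opens around MFA. The password reset is in every plan because session revocation on its own never invalidates a stolen password; the legacy-authentication step is the fix for the App Passwords mistake the post describes.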
Maybe I’ll run through more examples in future but this is already a little long.
So how do you avoid all this? Well, there are a few things you should do.
- Get a good, in-house IT person. Pay them well. If they’re willing to work for cheap there’s a reason they’re looking for work. And once again IN-HOUSE. Outsourcing your IT is about the same as being on life support, it is not a viable long-term solution. Your IT person needs to know your organization backwards and forwards and it needs to be their only focus. MSPs don’t and never will know your organization, your nuances, or your needs.
Oh, and sorry to tell you this, but degrees and certificates don’t mean squat. One of the worst engineers I ever knew had practically every cert because he was extremely talented at exams. He could cram the day before and ace any test; of course the next day he couldn’t recount any of that information and he most certainly couldn’t apply it, but he had a CCNP. I couldn’t even get him to understand what a subnet is.
- Hire an MSSP. You need oversight for your IT. Specifically, and mostly exclusively, oversight of your security. There should be regular assessments and penetration testing and all that stuff done by a third party.
- Get MFA on every single platform. If you don’t have MFA you are already compromised.
If you follow those three tips you’ll never be sued into oblivion as a result of your Information Technology practices.