Today's topic is the role of the office geek. Those of us responsible for information security in a company regularly find people who are continually trying to commit fraud within the organization. Although in such cases many organizations have already established an incident response process and the corresponding regulations to sanction this type of behavior, we find another type of user who does not seek to commit illegal actions: although he does not have a comprehensive understanding of information security, he has above-average skills, loves technology, studies on his own, and because of his actions he can cause us some problems in our daily operation.
I can name an example that occurred in my company: an economist leading the process of imports of goods and services was sent to a Microsoft Office course. As this employee loves technology, he decided to study a little bit more and decided to use Microsoft Access to keep all the information needed to handle the import procedures in a database. In a very short time it became the main database for the management of imports in the company, and all of it lived on a computer with 1 GB of RAM, Windows XP and an 80 GB disk.
When did we realize the existence of this database? When we performed a penetration test on the workstation infrastructure, because, as you might imagine, the database did not have the necessary security settings and, apart from that, had some vulnerabilities due to missing patches.
What to do with these people? They are a double-edged sword: although they can provide ideas and feedback to the IT process, it is necessary to channel them and enforce at all times the guidelines established in the information security policy.
As always, your comments are welcome. Please remember our contact form.
Manuel Humberto Santander Peláez
Nov 1st 2010