{"id":26717,"date":"2016-10-10T09:14:30","date_gmt":"2016-10-10T07:14:30","guid":{"rendered":"https:\/\/mamchenkov.net\/wordpress\/?p=26717"},"modified":"2016-10-10T09:14:30","modified_gmt":"2016-10-10T07:14:30","slug":"yet-another-bit-on-security","status":"publish","type":"post","link":"https:\/\/mamchenkov.net\/wordpress\/2016\/10\/10\/yet-another-bit-on-security\/","title":{"rendered":"Yet another bit on security"},"content":{"rendered":"\n

Here are a couple of interesting articles from the last few days on Slashdot<\/a>.<\/p>\n

First, comes in a very non-surprising survey saying that “40 percent of organizations store admin passwords in Word documents<\/a>“. \u00a0Judging from my personal experiences in different companies, I’d say this number is much higher if you extend the Word documents to Excel spreadsheets and plain text files. \u00a0I think pretty much every single company I’ve worked at used such common files for admin password storage (at least at some point).<\/p>\n

“Why or why?!!!”, the security concerned among you might scream. \u00a0Well, I think there are two reasons for this. \u00a0The first one is that password management is complicated. \u00a0There are tools that help with this, but even those are rarely easy to use. \u00a0Storing the passwords in a secure, encrypted storage is one thing. \u00a0But, how do you share them with just the right people? How do you trust the tool? What happens if the file gets corrupted, the software updates, the license expires, or the master password is lost? \u00a0The risk of losing admin access to all your equipment and accounts is scary. \u00a0On top of that, there is the issue of changing passwords (especially when people leave the company) – not a simple job if you have a variety of accounts (hardware, software, services, etc) and a lot of people who have a varying degree of access. \u00a0Or automation scripts that need access to perform large scale operations. \u00a0Personally, I don’t think this problem has been solved yet.<\/p>\n

The second reason is in this other Slashdot post – “Sad Reality: It’s Cheaper To Get Hacked Than Build Strong IT Defenses<\/a>“. \u00a0This is very true as well. \u00a0A simple firewall and a strong password policy is often more than enough for many organizations. \u00a0The risks of compromise are low. \u00a0In those cases where it does happen, you’d often get some script kiddie consequence like a Bitcoin mining app or affiliate links spread across your website. \u00a0Both are quite easy to detect and fix. \u00a0Is it worth investing hundreds of thousands in equipment and personnel to prevent this? For many companies it is not.<\/p>\n

The fact of the matter is that a lot of people don’t really care about security or privacy on the personal level, and that then translates into the organizational mentality as well.<\/p>\n

Just think about people leaving in all those high crime areas. \u00a0Some of them think the risk is worth it – maybe then can make more money there or have a more exciting life. \u00a0Some of them simply can’t afford to move anywhere. \u00a0That’s very similar to the digital security, I think. \u00a0Some don’t care and prefer to run the risk, saving the money on protection. Some simply can’t afford to have a decent level of security.<\/p>\n\n","protected":false},"excerpt":{"rendered":"\n

Here are a couple of interesting articles from the last few days on Slashdot. First, comes in a very non-surprising survey saying that “40 percent of organizations store admin passwords in Word documents“. \u00a0Judging from my personal experiences in different companies, I’d say this number is much higher if you extend the Word documents to … Continue reading Yet another bit on security<\/span><\/a><\/p>\n\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"Yet another bit on security #security #business #technology","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false,"_links_to":"","_links_to_target":""},"categories":[1,133,62,1334],"tags":[1968,1117,200],"keyring_services":[],"class_list":["post-26717","post","type-post","status-publish","format-standard","hentry","category-general","category-sysadmin","category-technology","category-web-work","tag-business","tag-research","tag-security"],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t