Normally we talk about the gap between rich and the poor in developing nations and within the United Kingdom at times - being a cyber security website as you can guess this article is not about class or education. I have been in info, information, data, IT, internet, network, computer, cyber security or whatever it was called at the time for fourteen years. Weirdly the private sector organisation I started off working at all those years ago as my first real job was better managed and secured than some you see today!
It had COPE (corporate owned personally enabled), web filtering, IDS (intrusion prevention detection), DLP (data loss prevention), email filtering, full disc encryption, privileged account management, security change approval board and more. This was before the words “cyber security” was even used and today I see large firms less secure than this private sector organisation. From finishing in 2006 I have worked at or consulted to many small-medium firms, very large firms and central government departments, and have seen so many hilarious things. Apart from me no one else was nosey enough to look around or ask hard questions. I would find flaws which had existed for years.
My numerous stories sometimes relate to past employers or clients and they are never written down or shared to preserve client confidentially. Some disclosures are listed on this website, usually anonymised and at times with the company’s name named and shamed in the article. I always put a good effort into reporting the issue before writing about it and for those who ignore me, it gets published to some extent. Issues relating to individuals or their data are never published online.
An ex-black hat I work with often says “I have seen fashion blogs which are better secured than governments or defence contractors”. It seems hard to believe until you have seen and spoken to tens of different organisation types. Within the last three years I saw what he meant. Not in his exact example though. My example was: housing association which is really a charity v.s. a “very sensitive private sector firm”. Both in monetary terms, fall into the haves and the have nots but not in their security controls oddly.
Housing association x had a few sub domains like: remote., intranet. and owa… .domain.org.uk. I immediately port scanned all the sub domains to find little or nothing open. Then I visited all the URLs in a standard browser and up came a UTM firewall page which says login with your username, password and OTP two factor authentication code. You either need to VPN in or login using an SSL-VPN style in your browser. Pretty good, the firewall blocks direct access and ensures you have authenticated/authorised to view such pages. On top of this you still need to login with single factor authentication to open your emails or whatever.
“Very sensitive private sector firm” which is not a client, but I am still going to protect their identity is rather different. A search of sub domains brings up a few interesting addresses and one being the classic owa.domain.com. OWA stands for Outlook Web Access and lets you view emails in a browser without needing a client device to display emails. On going to owa.domain.com it happily loaded directly in the browser and asks for AD or email credentials. No firewalling, no VPN or two factor authentication needed! The bad guys or bad girls can do the same foot printing I can do.
If you are wondering these are not organisations in the third world but British organisations. So to sum it up, a charitable organisation which is not the size of the NSPCC or Cancer Research UK has better security in some way than a “very sensitive private sector firm” with a turnover of tens of millions. One of my favourite phrases “do as you preach” comes to mind. A housing association has to protect the personal data of tenants yet a “very sensitive private sector firm” has a lot more to protect.