Throwback Thursday: How to improve security

By Sharky | Thu, 26 Apr 2018 03:00:00 -0700

There’s a new security policy at this biotech company, reports a pilot fish in the know: When logging in on a PC, the username field will no longer be pre-filled with the last user’s name. It will be blank, and everyone will have to type their username along with their password.

“The policy is announced weeks in advance,” fish says. “In spite of this, the first day is painful. A flurry of calls comes into the IT help desk regarding people not being able to log in. One is from a junior member of the payroll department who is about to leave on a two-week vacation — in fact, her flight is later that afternoon.”

“A tech tries to help her over the phone, but apparently she can’t tell the difference between the username box and the password box, in spite of them actually being labeled as such.”

Tech volunteers to come to the payroll employee’s desk, but she insists her PC is broken and she doesn’t have time, and anyhow she’ll be gone for two weeks so there’s no rush.

So the tech makes no desk visit, and the payroll employee leaves — but not before she manages to type her password into the username field.

And leaves it there. On a PC whose screen never goes blank, in a cubicle in a high-traffic area.

Tech logs in remotely, confirms that the PC is running correctly and closes the trouble ticket.

“A few days later, confidential information about salaries and benefits shows up posted in public areas and in the cafeteria,” says fish. “Apparently, somebody has figured out how to log in as the payroll employee — it’s easy to figure out the username — and gained access to the payroll server.”

One senior researcher finds out from these postings that, although she has been with the company for years, has significantly contributed to crucial projects that helped the company survive, and has put in countless hours of unpaid overtime, she’s making 20 percent less than a junior researcher who arrived fresh from school six months earlier.

Not surprisingly, a firestorm erupts. The tech is reprimanded and almost loses his job. The payroll employee returns from vacation and does lose her job. The irate senior scientist quits, taking a few key subordinates with her, and later sues the company for discrimination.

“The IT department checked in on who had access to the payroll server,” says fish. “It seems that whoever accessed it without authorization did so from a common PC in the lab area. The perpetrator was never identified.”

Sharky won’t identify you either. So send me your true tale of IT life at sharky@computerworld.com. You’ll snag a snazzy Shark shirt if I use it. Comment on today’s tale at Sharky’s Google+ community, and read thousands of great old tales in the Sharkives.
