By Daniel R. Matlis
In his recent InformationWeek article entitled “Let The UBS Trial Be A Warning To You,” Mitch Wagner covers the trial against a former UBS employee charged with hacking the company’s networks. The article also addresses some of the embarrassing failures in UBS’s security and disaster preparedness.
According to testimony from a UBS IT manager, some 40 systems administrators at the company shared the same ‘root’ password to log in. Once logged in, they had free rein to install software or make any changes they wished. It was not unusual for systems administrators to get up from their desks and wander off while still logged in as ‘root’.
It is a fact that companies often spend millions implementing the latest and greatest security technology. The rationale is that technology will keep us secure.
The reality is that the best security technology is not worth a dime if people find a way around it. People must be trained and reminded of proper security procedure. For example, don’t share passwords: it’s like giving your ATM card and PIN to anyone who asks. And delete default passwords: remember Oracle’s Scott/Tiger and most everyone else’s Admin/Admin.
But in my experience, Post-it® notes are security’s worst enemy. I cannot tell you how many times I have walked up to someone’s desk and found a Post-it® note stuck to the monitor with a list of system names and their respective passwords.
The path to security begins with people. Let’s not confiscate all Post-it® notes in the company. Instead, let’s train our people on proper security procedures.
Post-it® is a trademark of 3M