Thursday, January 3, 2013

Intranet insecurity

Simple file sharing is widely used in many organizations as the primary data exchange mechanism, under the false sense that "being inside, behind a firewall, equals being secure". What can you say when the organization places no limitation at all on the file sharing capability? I believe that this is the lowest level of maturity in the context of information security. And what does an internal penetration test mean for such a totally open network? You need just a node and three hours to find dozens of pieces of sensitive data, such as router configs, contract details, customer data, etc., fully exposed by shares, FTP directories and so on!
This situation is by itself a security incident.