Security Manager's Journal: Who's got your mail?
When a chance discovery reveals that anyone can access an executive's email, the brainstorming begins.
I'm always amazed by the various ways that security deficiencies find their way to the top of the ocean -- you know, that ocean we're all trying to boil.
Last week, one of the managers in our sales department discovered a security lapse by chance. He had terminated one of his sales associates and wanted to review that person's email for correspondence related to outstanding sales deals. We give such managers access to their reports' Exchange mail for just this sort of situation.
The manager was typing in the person's name, and it auto-filled before he could finish. So he clicked OK and started looking around. But hold on -- the inbox seemed to belong to one of our executives, not the terminated sales associate. Auto-fill had provided the name of the executive, and the sales manager hadn't noticed. That wasn't a problem -- but how was it that he had then been able to open the inbox?
Fortunately, the manager called the CIO to explain what had happened. Naturally, the CIO then called me.
I found out that the executive's email was configured to give any employee in the company access. Of course, we immediately dialed that back so that the executive's admin was the only person with access other than the executive herself. Then I called together my incident response team: one of my security analysts, the lead Exchange administrator, the manager of the help desk and a few other IT folks. We began investigating and brainstorming likely scenarios.
First, we checked logs to see who had configured access for that inbox and who had accessed it -- or we set out to do that, but there were no logs enabled for either the executive's desktop or the Exchange server. Seems we hadn't enabled these types of logs because they consume a lot of disk space and cause performance issues.
I then had my security analyst search our security information and event management (SIEM) tool for any sign that the executive's PC had been afflicted by malware. I also had him ensure that no resident malware was running on it.
Next, I reviewed help desk tickets. Sure enough, a ticket had been opened about four months earlier to configure access to the executive's calendar. The technician who had completed the ticket assured me that he had delegated access only to the executive's admin.
I wondered whether other users' inboxes might be similarly exposed, so I had one of the Exchange administrators generate a report to tell us if any mailboxes were configured for global access. Sure enough, several more executives had improperly configured mailboxes, along with about 40 other employees.
Interestingly, the help desk tickets showed that the same technician who had been responsible for the original executive's Exchange configuration had also configured the delegated access for the other executives with wide-open inboxes. Logic suggested we had found the root of the problem.
The technician's manager and I decided to hold a training session for the help desk on the proper configuration of delegated access to Exchange inboxes. And who better to conduct this training, we figured, than the very help desk technician who seemed to have been doing things wrong. No finger-pointing, but this approach should ensure that the person most in need of the training really got the lesson.
We are also working to make logging possible on the Exchange server and to direct the logs to our SIEM tool. And we are investigating ways to keep people from enabling delegated access without first opening a help desk ticket. If that doesn't work, we'll have to ensure all employees are trained on the proper use of this configuration.
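The two follow-up tasks above, the report of mailboxes open to everyone and turning on Exchange logging, can be done from the Exchange Management Shell. The script below is an added example, not code from this column or its employer; it assumes Exchange 2010 SP1 or later with English folder names, and the report path, the trustee list and the audited operations are choices made for this example.

```powershell
# Added example, not code from the column or its employer: list every Exchange
# mailbox that any employee can open, then enable mailbox audit logging so the
# next such discovery leaves a trail. Assumes the Exchange Management Shell
# (Exchange 2010 SP1 or later) and English folder names; the report path and the
# audited operations are this example's choices.
$ReportPath   = 'C:\Reports\open-mailboxes.csv'     # assumed output location
# Trustees that mean "everyone in the company" rather than a named delegate.
$BroadTrustee = 'Default|Anonymous|Everyone|Authenticated Users|Domain Users'
$Findings     = @()

foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level ACL: a non-inherited Allow for a broad group (e.g. FullAccess
    # granted to Everyone) lets any employee open the whole mailbox.
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                       $_.User.ToString() -match $BroadTrustee } |
        ForEach-Object {
            $Findings += New-Object PSObject -Property @{
                Mailbox = $mbx.PrimarySmtpAddress; Scope = 'Mailbox'
                Trustee = $_.User.ToString();      Rights = ($_.AccessRights -join ',') }
        }

    # Folder-level ACL: the 'Default' entry applies to every authenticated user.
    # Free/busy visibility on the Calendar is normal; anything on the Inbox is not.
    foreach ($folder in 'Inbox', 'Calendar') {
        Get-MailboxFolderPermission -Identity "$($mbx.Alias):\$folder" -ErrorAction SilentlyContinue |
            Where-Object { $_.User.ToString() -match $BroadTrustee } |
            ForEach-Object {
                $rights = $_.AccessRights -join ','
                $benign = ($rights -eq 'None') -or
                          ($folder -eq 'Calendar' -and $rights -match '^(AvailabilityOnly|LimitedDetails)$')
                if (-not $benign) {
                    $Findings += New-Object PSObject -Property @{
                        Mailbox = $mbx.PrimarySmtpAddress; Scope = $folder
                        Trustee = $_.User.ToString();      Rights = $rights }
                }
            }
    }

    # Log delegate and admin actions (FolderBind = a folder was opened) so that
    # "who configured this, and who read it?" can be answered next time.
    Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true `
        -AuditDelegate FolderBind,Update,SendAs,SendOnBehalf `
        -AuditAdmin    FolderBind,Update,SendAs,SendOnBehalf
}

$Findings | Sort-Object Mailbox | Export-Csv -Path $ReportPath -NoTypeInformation
"$($Findings.Count) over-permissive entries written to $ReportPath"
# Later, who opened a mailbox as a delegate in the last 30 days (placeholder address):
# Search-MailboxAuditLog -Identity exec@example.org -LogonTypes Delegate -ShowDetails -StartDate (Get-Date).AddDays(-30)
```

Mailbox audit entries are kept inside each mailbox and aged out after the mailbox's AuditLogAgeLimit (90 days by default), so the disk cost is bounded and much smaller than full server logging; forward them to the SIEM before they expire.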
And now I have an additional audit to add to my list of regular activities.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.