In the eyes of any construction company, the Gem State Hotel had the makings of a perfect contract. More than just a place to stay during trips, the hotel was envisioned as the very reason for those trips a destination that would draw crowds to Boise unlike any other building in the city. At a height of 20 stories, it would have rivaled the U.S. Bank Plaza as the tallest building in Boise, and with its bold architectural design, it would have altered the famous Boise skyline forever.
This was the single project that could turn a successful construction company into a legendary one. Every company in the area wanted a piece of the action, but one outfit in particular seemed to have an edge over the competition. Lets call them A Company.
A Companys project manager attributed a great deal of that advantage to his companys modernized electronic bidding process. While computerized bidding was nothing new, the manager felt that he had gone leaps and bounds above the competition. Everybody involved with the bid could access the information online, through a centralized server, from both laptops and smartphones.
The problem with cutting-edge solutions is that users are often blinded by newness and sophistication, and they fail to see the potential problems that come with those solutions. Unfortunately for A Company, its biggest competitor did not hesitate to exploit those problems.
During the heat of the bidding process, someone in the cleaning crew in A Companys main office was given $500 by an employee of the competitor in exchange for loaning the project managers smartphone to him for half an hour. Unlike the company laptops, the managers personal phone was not password-protected, and it was set to automatically remember the passwords for remote connections. In just a few minutes, the confidential details of the bid were in the hands of the competition. The only way it could have been easier was if the project manager had left it on the table at his favorite coffee shop.
For those familiar with Boise, you wont be surprised to learn that there was never a Gem State Hotel under construction. The above story is fictitious but not false. It is based entirely upon real events, and it illustrates the risk that all businesses face in terms of information theft.
When dealing with information especially digital information the key question to ask is: How can I reduce access to an absolute minimum? Consider the story: The project manager may have stored the data on one centralized server, but he enabled access for any company employee with a laptop or a smartphone. Every one of those devices had the potential for being lost or stolen, and that increased the risk of data theft exponentially. Instead of having one metaphorical door into a locked room, he opened hundreds and left them unlocked.
In information security, this is known as the Principle of Least Privilege. Put simply, every person in an organization should have access to the minimum number of resources needed to do his or her job, and nothing more. Those minimum resources should then be secured as tightly as possible.
Every point of access can potentially be exploited by an attacker, and thus, companies owe it to themselves to keep as few of those doors open as possible.
NEAL CUSTER Adjunct professor at Boise State University and president/CEO of Reveal Digital Forensics & Security, a subsidiary of Custer Agency Inc.
email@example.com. Written in collaboration with Reveal information security expert Dylan Evans.