Your district network is complex. You have lots of VLANs. You have lots of servers and endpoints. Lots of UPSes, switches, and on and on. Then you have outside vendors who have their own equipment on your network.
My question for you this week is, "Where are all your network documentation, vendor documentation, and passwords stored?"
Is it in an Excel file stored on a network share? Are there PDFs there as well? Are there multiple copies that the techs have stored in various places and maybe even on their laptops for their convenience? Is it backed up? If so, how? Is MFA in place to challenge anyone attempting to access this confidential information?
The reality is that if an attacker gets a foothold, they are going to start looking and reading files. They will actively be looking for documentation and credentials.
It is said that the devastating SolarWinds attack on the US government began because an intern had an extremely simplistic "admin" password and then saved the credentials in a clear-text file on a personal cloud-based storage platform, without strong authentication or encryption.
There are so many things wrong with what happened; the damage was horrific and may still be unfolding today.
However, there are a few lessons we can learn:
1. No documentation or passwords ever leave the district in an unauthorized manner.
2. No unapproved cloud-based storage should be allowed to function in the district. You have the standards you support, and anything produced, created, or updated in the district should remain in the district's systems.
3. MFA should always be required to access any critical or confidential data.
4. If you have files with confidential data in them, those files should be password-protected as well.
5. All laptops should be running full-disk encryption: BitLocker on Windows and FileVault on Macs.
6. You should migrate all documentation into a secure, MFA-protected password and documentation management system.
7. If I scanned all your servers, shares, and all your tech desktops, laptops, and VMs, I should not find any network documentation of any kind that I can read or access.
We have some ideas on #7, and there are some pretty good ways, at least in the Microsoft world, to manage #6.
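One way to check yourself against #7 before anyone else does: a small audit script that walks a share and flags files whose name or contents suggest they hold network documentation or clear-text passwords. This is an added example and not a tool from the original post; the file extensions and keyword patterns are assumed heuristics you would tune for your district, and the sample share it audits is constructed in a temporary directory.

```python
"""Audit a share for stray network documentation and clear-text credential files.

Added example, not part of the original post. Point audit_share() at a share
path you administer; it reports files whose name or contents suggest they hold
network documentation or passwords, so they can be moved into a managed,
MFA-protected system and removed from the share.
"""
import os
import re
import tempfile
from pathlib import Path

# Extensions that commonly carry documentation or password lists (assumed set).
DOC_SUFFIXES = {".xlsx", ".xls", ".csv", ".txt", ".docx", ".pdf",
                ".ini", ".cfg", ".json", ".xml"}
# Extensions we can safely read as text for content inspection.
TEXT_SUFFIXES = {".txt", ".csv", ".ini", ".cfg", ".json", ".xml"}

# Filename words that suggest network documentation or credentials (assumed heuristics).
NAME_PATTERN = re.compile(
    r"(?i)(password|passwd|credential|creds|vlan|switch|ups|vendor|network)")
# Content patterns such as "password: ..." or "community = ..." (assumed heuristics).
CONTENT_PATTERNS = [
    re.compile(r"(?i)\bpass(word|wd|phrase)?\s*[:=]"),
    re.compile(r"(?i)\b(secret|api[_-]?key|community)\s*[:=]"),
]


def inspect_file(path: Path) -> list[str]:
    """Return the reasons a file is flagged (an empty list means not flagged)."""
    reasons = []
    if path.suffix.lower() not in DOC_SUFFIXES:
        return reasons
    if NAME_PATTERN.search(path.stem):
        reasons.append("name suggests documentation or credentials")
    if path.suffix.lower() in TEXT_SUFFIXES:
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            return reasons  # unreadable file: report the name-based reason only
        if any(p.search(text) for p in CONTENT_PATTERNS):
            reasons.append("contents look like stored credentials")
    return reasons


def audit_share(root: str) -> dict[str, list[str]]:
    """Walk a share and map each flagged file (path relative to root) to its reasons."""
    findings = {}
    root_path = Path(root)
    for dirpath, _, filenames in os.walk(root_path):
        for name in filenames:
            path = Path(dirpath) / name
            reasons = inspect_file(path)
            if reasons:
                findings[str(path.relative_to(root_path))] = reasons
    return findings


def demo() -> dict[str, list[str]]:
    """Build a constructed sample share in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp)
        (share / "IT").mkdir()
        # Constructed sample files: one documentation file, one credential list,
        # one harmless file, and a vendor note with a password in it.
        (share / "IT" / "vlan-map.csv").write_text("id,name\n10,Servers\n")
        (share / "IT" / "switch_logins.txt").write_text(
            "core-sw1 admin password: Summer2021\n")
        (share / "HR").mkdir()
        (share / "HR" / "holiday_schedule.txt").write_text("Jan 1 closed\n")
        (share / "readme.txt").write_text(
            "Vendor UPS contact: ups-support@example.invalid\npassword = changeme\n")
        return audit_share(str(share))


if __name__ == "__main__":
    for rel_path, reasons in demo().items():
        print(f"{rel_path}: {'; '.join(reasons)}")
```

The script deliberately does not open spreadsheets or PDFs; it flags them by name only, since the point is to find documentation that should not be on the share at all, not to parse it. Run it with a service account that has only read access, and treat every hit as something to move into the managed system and delete from its current location.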
If you want to talk about securing your documentation and credentials, give us a call.
-Scott Quimby, CISSP