Security threats: The real Authorization level of the CEO's Secretary

A few years ago I watched a bank branch's working process.
Senior Bankers received a digital card which had to be presented before executing operations requiring a higher level of Authorization.

Other bankers had a lower Authorization level. They did not receive these cards and were prohibited from executing operations that required high-level authorization.

The Computerized Branch systems were built according to the defined Authorization levels. However, Senior Bankers were busy. When another banker asked a Senior Banker to perform an operation, very often the Senior Banker handed over his digital card instead of executing the operation himself, and asked the other banker to execute it on behalf of the Senior and Busy Banker.

The real Authorization system was different from the formally analyzed, designed and developed system.

The real system authorized every banker to execute most operations.

The formal system limited Authorization of non-Senior Bankers.

This kind of dissonance between implemented systems and real-life systems is very common in other verticals as well as in other banks.

The most confidential Business data and Reports
This includes data about Strategy, new R&D and new Products, Plans, and reports and data summarizing overall Business Performance.

If such data leaks, competitors could gain and the company's Business Results could be worse than the Results it would have achieved had the data not leaked.

Naturally, only Top Management team members are authorized to access this data.
However, Top Managers are even busier than Senior Bankers.
They will do exactly what the Senior Bankers depicted in the previous section did:
They will give authorization to their Secretaries.

The real Authorization system is again different from the planned Authorization system.
Are the over-authorized secretaries a bigger Security threat than the Top Management?


The Top Managers
A Top Manager has a lot to gain by not breaching Security, that is, by not exposing or selling confidential data.
His salary is high and he may receive a high bonus as well.

If he sells confidential data to a competitor he may lose everything: no more high salary and high bonus, and more than this, no other company will ever employ him as a manager.

The probability that a CEO or other Top Manager will sell the most important confidential data to a competitor is extremely low.

It is reasonable to assume that he is aware of the potential risk of unintentionally exposing such data to people who are not authorized to access it, and that he avoids that risk.


The Secretaries
A Secretary selling confidential data can lose less and win more than a Manager.

Her salary is far from being a high salary. She does not expect, and probably will never get, a high bonus.

She may operate a little shop or other type of small business instead of working as a secretary. 

The probability that she will breach Security and intentionally deliver confidential data is low, but it is significantly higher than the probability that a Top Manager will do it.

As far as exposing a printed report unintentionally is concerned, I am not so sure that the probability that a Manager's Secretary will do it is low.

It is all about Security Awareness. The Manager should be more aware, and the Security team will probably remind him periodically of the Security requirements because of the high formal authorization granted to him.



 



      


More Stories By Avi Rosenthal

Ari has over 30 years of experience in IT across a wide variety of technology platforms, including application development, technology selection, application and infrastructure strategies, system design, middleware and transaction management technologies and security.

Positions held include CTO for one of the largest software houses in Israel as well as the CTO position for one of the largest ministries of the Israeli government.
