Liquidmatrix Security Digest

Fun With The External Auditors

As I sat at a client site recently I was amazed at what I overheard a few cubicles away. An auditor was onsite as part of a team to review the same client that I was doing some work for. The part that I was chuckling about was their lack of access. Apparently the best laid plans had been all for naught. They couldn’t access their IP phones and VPN. Basically they were flying blind.

Then they called the help desk.

After three reboots, no really, three of them, they were still no further ahead. I was starting to feel bad that I wasn’t helping, but that washed away quickly when I heard the most amusing thing.

“Yes, my username is XXXXXXX and my domain password is XXXXXX. What’s that? Yes, my VPN is the same”

WTF? SRSLY?

The auditor had just coughed up their username/password for access to the kingdom. I should have been more surprised, but I’m very familiar with said audit shop.

Then it continued.

“Yes, the VPN IP address that I’m going to is 1.1.1.1”

Obviously that’s not the proper address. I couldn’t be that evil. The root of the problem was that this person was borderline clueless on an epic scale. Scratch that, full on clueless.

So, as I had been sitting here churning through my mountain of documentation, I had managed to receive access to the network of one of the big audit firms. Time and again I read about data breaches, and the media will call out various Hollywood scenarios as possible methods for how the breach may have occurred. Occam’s Razor should be more closely examined. Sometimes the easiest explanation is the correct one.

I walked up to the auditor a little while later and introduced myself as Dave from consulting firm X. The point I was trying to hammer home was that I was very much within earshot. I wanted to gauge their reaction to my proximity.

The light was on, but no one was home.

Ouch.
