Top Five Ways You End Up With Open Shares: Part 1

Open shares are evil. Sure, there are cases where you may need a read-only share open to everyone in the organization. How else will they grab benefits forms or company calendars to print and hang in their cubes? But it’s amazing how often those simple use cases grow into ugly messes. All it takes is one person with the right (or wrong) rights to add write access to that same share, and you have a huge problem.

The root of the problem comes from something you want to encourage: people sharing data. Sharing data makes people more efficient, but if you don’t control it you will have problems. The problems you get as a result of open shares are not obvious at first. The one that surprises many people the most is the proliferation of malware and viruses. Many of these hacker pets running around in your network are designed to spread using open shares. They will seek out places to write themselves using whatever credentials they have managed to hijack and sit waiting in that location. Since anyone can write to something with full open access, these are logical spots for baddies to wait.

Another fun one is the proliferation of sensitive data into the wrong hands. We once encountered the credit card number of a CEO sitting in the clear on a fully open share. It had the number, expiration date, PIN, billing address, and anything else you would want to steal. Why? The administrative staff was planning a big event and they were using that card to pay for all of it. They got lazy and shoved their planning document onto the open share for easy access. Then they forgot about it. For over a year.

We have compiled a list of the top 5 reasons that people end up with dangerous open shares. Two of them are covered in this post, and the final three will be in the next one. These reasons are roughly in order from the least to the most common, though one could argue that by the sheer amount of data exposed, Reasons 5 and 4 may deserve higher placement. If you keep this list in mind when thinking about the behaviors of your own organization, you may have a chance to avoid some of the trouble open shares can cause.

Reason 5: M&A and Other Business Events That Breed Super Groups

When people think open access, they tend to limit the thinking to built-in things like the Everyone group or Authenticated Users. That’s far from the end of the party, though. There are many groups that either contain those built-ins or have become so large that they are equal to them in scope. Even worse, if you are unaware of just how much these groups encompass, then you may not even be watching for them. It’s easy to realize you want to scan for anywhere “Everyone” has access, but not as easy to spot “transition phase 1” – the name of an actual group we encountered that contained literally every user in that organization. 
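A sketch of the check this implies, as an added example rather than code from this post or from any product: resolve every trustee on a share ACL through nested group membership and flag entries that reach nearly every user, whatever the group is called. The group names, users, share paths and the 90% threshold are constructed assumptions.

```python
# Constructed sample data (not from a real directory): group -> direct members.
GROUPS = {
    "transition phase 1": {"Sales", "Engineering", "erin"},
    "Sales": {"alice", "bob"},
    "Engineering": {"carol", "dave", "Sales"},
    "Finance": {"erin", "Finance Leads"},
    "Finance Leads": {"Finance"},            # deliberate nesting loop
    "Legacy Apps": {"Authenticated Users"},  # wraps a built-in
}
ALL_USERS = {"alice", "bob", "carol", "dave", "erin"}
BUILTINS = {"Everyone", "Authenticated Users"}
WRITE_RIGHTS = {"Write", "Modify", "FullControl"}
# Constructed share ACLs: share -> [(trustee, right)].
SHARE_ACLS = {
    r"\\fs01\benefits": [("Everyone", "Read")],
    r"\\fs01\migration": [("transition phase 1", "Modify")],
    r"\\fs01\apps": [("Legacy Apps", "Read")],
    r"\\fs01\finance": [("Finance", "Modify")],
}

def expand(trustee, groups, all_users, seen=None):
    """Resolve a trustee to the set of users it reaches, following nesting."""
    seen = set() if seen is None else seen
    if trustee in BUILTINS:
        return set(all_users)
    if trustee not in groups:
        return {trustee} & all_users          # a plain user account
    if trustee in seen:                       # already visited: break the cycle
        return set()
    seen.add(trustee)
    users = set()
    for member in groups[trustee]:
        users |= expand(member, groups, all_users, seen)
    return users

def find_open_shares(acls, groups, all_users, threshold=0.9):
    """Flag ACL entries whose effective reach is at least `threshold` of all users."""
    findings = []
    for share, entries in acls.items():
        for trustee, right in entries:
            reach = len(expand(trustee, groups, all_users)) / len(all_users)
            if reach >= threshold:
                findings.append((share, trustee, reach, right in WRITE_RIGHTS))
    return findings

if __name__ == "__main__":
    for share, trustee, reach, writable in find_open_shares(SHARE_ACLS, GROUPS, ALL_USERS):
        print(f"{share}: {trustee} reaches {reach:.0%} of users, writable={writable}")
```

A name-based scan for “Everyone” would catch only the first of the three flagged shares; the other two surface only once membership is expanded.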

Reason 4: When Admins Simply Copy and Paste Large Sets of Data

“Can you move all that stuff to our new server?” It sounds like an innocent request. If it is not done correctly, you may end up with an open share. All the carefully crafted access you may have had in the original location is gone once you move it. Yes, there are great tools you can use to preserve those permissions. However, human nature is drawn to easy and cheap alternatives, like the “right-click and copy” approach. So oftentimes people will move it, set it to open, grant control to the end-user, and expect them to clean it up. If security isn’t paying close attention to ensure that they do clean that access up, then it becomes a de facto open share.

Be on the lookout for the next post. We’ll reveal three more ways that many organizations end up with open shares in their environment.
