In the first post of this series, we explored two ways you can end up with dangerous open shares. Open shares are essentially folders that everyone in your company can access. Sharing what is in those folders isn’t a threat by itself, but securing those documents can be tough. In this post, we’ll discuss three equally important, but less common ways to end up with dangerous open shares.
Reason 3: End Users Are Given Full Control and Grant Access to Anyone Who Asks
If you don’t have any systems that control how users are allowed to grant access to data they are responsible for, then it’s likely they will simply open up the doors. This is the corporate IT version of holding open a card-access protected door for a stranger. People want to let folks in because it feels polite. Managing access well using native tools is hard, too. Trained admins have trouble much of the time. If users are given the power to grant access, the chances go way up that it will be open access because doing that means they have to put in the least effort. It is hard to argue that anyone with a revenue-focused role should spend their time evaluating and managing the security of unstructured data. Users left on their own with nothing but what the platform provides will most likely sink to the lowest common denominator and create an open share.
Reason 2: Collaboration Systems Often Encourage Open Access
In the last point, we blamed the lack of a good tool for leading to an open share. Even when they have a tool, open shares still may happen. Way back in SharePoint 2007 there was a link right under “Add Users” that said, “Add all authenticated users.” Many sites had that as their default as a result.
Even today, if you look carefully at o365 SharePoint Online, you may notice that by default it says ‘Everyone’ would be a perfectly valid entry, in case the user didn’t already think so. And, as you may or may not know, o365 also allows you to generate links that can be used to reach content without requiring any authentication at all. I’m picking on Microsoft, but they aren’t alone here. All the cloud players, Dropbox, Box, etc., allow you to create anonymous links. And many other collaboration sites also encourage open access because their goal is to get the data into people’s hands easily.
Reason 1: Default Access Is Open Access
In Windows, the default permissions for a new share include Everyone. So every share starts its life as an open share. Of course, the notion is that you are supposed to control access at the layers below the share. However, many times we see people create new shares, set up new folders under them that inherit from that open top layer, copy in all the data to be shared, and then set them loose. No one bothers to tune the permissions because it works. It was supposed to share the data and it does.
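One way to check a Windows file server for the pattern described above, as an added example (not from the original post or any vendor tool): it lists each file share and flags those where both the share-level permissions and the root folder's NTFS ACL allow Everyone or Authenticated Users. It assumes the built-in SmbShare cmdlets, an elevated session on the server itself, and treats only those two well-known SIDs as "open".

```powershell
# Added example: audit local SMB shares for open access at both layers.
# Assumption: only these two well-known SIDs count as "broad" principals.
$broadSids = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-11' = 'Authenticated Users'
}

function Resolve-Sid([string]$Account) {
    # Compare by SID so the check also works on non-English Windows.
    try {
        ([System.Security.Principal.NTAccount]$Account).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { $null }   # orphaned or unresolvable account: not a match
}

function Test-BroadAllow($Type, [string]$Account) {
    # True when the entry is an Allow rule for one of the broad principals.
    ("$Type" -eq 'Allow') -and $broadSids.ContainsKey([string](Resolve-Sid $Account))
}

Get-SmbShare -Special $false |
    Where-Object { $_.Path -and (Test-Path -LiteralPath $_.Path) } |
    ForEach-Object {
        $share = $_

        # Layer 1: share permissions (a new share starts with Everyone here).
        $shareHits = @(Get-SmbShareAccess -Name $share.Name |
            Where-Object { Test-BroadAllow $_.AccessControlType $_.AccountName })

        # Layer 2: NTFS ACL on the share root, which subfolders inherit from.
        $ntfsHits = @((Get-Acl -LiteralPath $share.Path).Access |
            Where-Object { Test-BroadAllow $_.AccessControlType $_.IdentityReference.Value })

        [pscustomobject]@{
            Share      = $share.Name
            Path       = $share.Path
            ShareLevel = ($shareHits | ForEach-Object {
                             "$($_.AccountName):$($_.AccessRight)" }) -join '; '
            NtfsLevel  = ($ntfsHits | ForEach-Object {
                             "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; '
            # Open only when a broad principal is allowed at BOTH layers.
            OpenShare  = ($shareHits.Count -gt 0) -and ($ntfsHits.Count -gt 0)
        }
    } | Sort-Object OpenShare -Descending
```

A share that is broad only at the share level is still worth reviewing: any folder created under it later with a looser NTFS ACL becomes open without anyone touching the share itself.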
In the end, the short-term goal wins out over the risk that it introduces. The moral of the story is that if you think you have no open shares, then you may want to think again. These are just the top 5 ways open access happens. There are many more. It’s not that people are trying to do bad things. The idea of sharing is good. But security can be hard. Security applied to sharing is even harder. So people need help getting it right. If you’re reading this, then you may be just the person they need to help them out.