It is a regular occurrence for us to receive requests from people who are experiencing severe issues. It could be a single site that is down, a whole server that is having problems, or any combination of other issues. While we fully understand the urgency behind each of these requests, it is amazing what security risks users will expose themselves to just to get help. In this post I will outline our "best practices" recommendation for balancing security against the urgency for help.
The Bad - Real Life Examples
To set the stage I want to describe a few recent scenarios. We regularly receive e-mails with content similar to "We are having performance issues with ___ site, can you help? Here is a host username and password as well as full remote desktop credentials." Now, from a support perspective, this information is great: I have everything I need to take a deep dive into the environment. The bad part? I've never heard of this person before, they have never worked with our company, and they sent me their personal passwords.
You would think this is uncommon, but after tracking things for the last four months I've had this situation occur a total of ten different times. Thus the creation of this blog posting!
What is the Security Risk?
Aside from the blatantly obvious fact that credentials were openly handed to an unknown person, there is a bigger concern with this scenario. It comes in the form of three potential issues.
Accountability: providing an outside contractor with YOUR credentials allows that person to assume your identity within those systems. How can you tell what was done by that person and what was done by you? In many situations it is almost impossible to trace actions to that level.
Other account security: although we all hear the recommendation that you should never re-use a password, it happens quite often. Where else is the password that you gave out used? If the recipient had malicious intentions, what could they gain access to?
Lastly, you could be exposed to risk through the communication mechanism itself: what if the person you contacted reads their e-mail on a smartphone and happens to lose the device? You would never know who had those credentials.
How to Mitigate The Risk
Well, aside from the obvious advice of only sending information to a consultant once you have established a relationship, there are other items to take into consideration. First and foremost is the idea of creating an individual user account for the consultant. This gives them all of the needed access, but gives you auditing capabilities and the ability to lock them out in the future.
From a DotNetNuke perspective it is easy to create a new Host user, simply select "Host" -> "Superuser Accounts" from the menu and create a new user. Now, keep in mind, for security purposes DNN does NOT e-mail this password, so be sure to set the password manually and then provide it to the vendor.
When it comes to remote desktop access there are a few options. Ideally a new Windows user account should be created. However, this is not always possible. In the cases where it is not, a temporary secure password should be set and, at the end of the project, changed to a private password that the consultant does not know, re-securing that account to your organization.
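The Windows side of the procedure above (a dedicated, time-limited account for the consultant, a password rotation for the cases where a shared account cannot be avoided, and a logon check that gives you the audit trail the post asks for) can be scripted. The following PowerShell is an added example, not code from the original post or from IowaComputerGurus; the account name `icg-consultant`, the 14-day engagement length and the function names are assumptions made for illustration. It uses the built-in Microsoft.PowerShell.LocalAccounts cmdlets and the standard Security log event 4624, and must be run from an elevated session.

```powershell
# Added example (not from the original post): provision a dedicated, time-limited
# local Windows account for an outside consultant, grant it Remote Desktop access,
# review its RDP logons, and retire it when the engagement ends.
# Requires Microsoft.PowerShell.LocalAccounts (Windows 10 / Server 2016 and later)
# and an elevated session. Account name and engagement length are assumptions.

#Requires -RunAsAdministrator

function New-RandomPassword {
    param([int]$Length = 24)
    # Characters chosen to avoid look-alikes (0/O, 1/l/I) when read out of band.
    $chars = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $chars.Length)   # rejection sampling avoids modulo bias
    $out   = [System.Text.StringBuilder]::new()
    $byte  = [byte[]]::new(1)
    while ($out.Length -lt $Length) {
        $rng.GetBytes($byte)
        if ($byte[0] -lt $limit) { [void]$out.Append($chars[$byte[0] % $chars.Length]) }
    }
    $out.ToString()
}

function New-ConsultantAccount {
    param(
        [Parameter(Mandatory)][string]$Name,
        [int]$Days = 14,
        [string]$Description = 'Temporary consultant access'
    )
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    $expiry = (Get-Date).AddDays($Days)

    # The account expires on its own even if the cleanup step is forgotten.
    New-LocalUser -Name $Name -Password $secure -Description $Description `
        -AccountExpires $expiry | Out-Null
    Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $Name

    # Hand the one-time password over out of band, never by plain e-mail,
    # and do not leave this output in a transcript or console history.
    [pscustomobject]@{ Name = $Name; Expires = $expiry; Password = $plain }
}

function Reset-SharedAccountPassword {
    # For the case where a new account is not possible: rotate the shared
    # account's password at the start and again at the end of the engagement.
    param([Parameter(Mandatory)][string]$Name)
    $plain = New-RandomPassword
    Set-LocalUser -Name $Name -Password (ConvertTo-SecureString $plain -AsPlainText -Force)
    $plain
}

function Get-ConsultantRdpLogons {
    # Accountability: list successful RDP logons (event 4624, LogonType 10)
    # for the consultant account over the last N days.
    param([Parameter(Mandatory)][string]$Name, [int]$Days = 30)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        $user = ($data | Where-Object Name -eq 'TargetUserName').'#text'
        $type = ($data | Where-Object Name -eq 'LogonType').'#text'
        $ip   = ($data | Where-Object Name -eq 'IpAddress').'#text'
        if ($user -eq $Name -and $type -eq '10') {
            [pscustomobject]@{ Time = $_.TimeCreated; User = $user; SourceIp = $ip }
        }
    }
}

function Remove-ConsultantAccount {
    param([Parameter(Mandatory)][string]$Name)
    # Disable first so an open session cannot re-authenticate, then remove.
    Disable-LocalUser -Name $Name
    Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member $Name -ErrorAction SilentlyContinue
    Remove-LocalUser -Name $Name
}

# Usage (the account name 'icg-consultant' is a constructed example):
# $acct = New-ConsultantAccount -Name 'icg-consultant' -Days 14
# Get-ConsultantRdpLogons -Name 'icg-consultant' | Format-Table
# Remove-ConsultantAccount -Name 'icg-consultant'
```

The account expiry date and the separate username are what turn the consultant's access into something you can audit and revoke; the logon report reads the named fields from the event XML rather than positional properties so it does not depend on the exact layout of event 4624 on a given Windows build.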
In addition to these recommendations I wanted to take this time to go on record and disclose our process for this type of situation. Whenever we are e-mailed a password to a non-ICG specific account, the e-mail and the password information are deleted as soon as we are done. I know that we irritate customers by constantly asking for credentials again, but we would rather ask again than have your confidential information stored in a non-secure fashion. IowaComputerGurus specific accounts are retained with strong passwords, and all information is stored in an encrypted system nowhere associated with e-mail, so your information is safe with us.
I hope this information has been helpful! We take customer privacy and security very seriously and try to do our best to educate when possible on these types of issues. Feel free to share comments below.