What types of information do you copy to a shared folder? Who has access to the share? This can be a difficult problem within many organizations to handle these questions. From a user perspective, a shared folder is just a means to collaborate. We often don’t think about what type of data is in the files or who has access. As long as the recipient has access, we don’t continue to think about who else has access.
From a system admin perspective, how do we completely lock down the shares so that no one can create them when needed? We don’t want to hold up progress for the employees. But what is the big deal with a share anyway?
Often times during a penetration test we have credentials of a normal user on the system. This is critical during an internal assessment to determine what types of information is available to that insider threat. You may be surprised at the information that is found, or maybe not. I have seen social security numbers, credit card numbers, bank account info, and sometimes worse, database credentials. You may think the personal information is worse, but many times the credentials may get you many more records. These credentials can also lead to much more than just data compromise. They can also lead to system compromise and pivoting around the network.
We need to start thinking about what data is stored in the files we put on a shared folder, as well as who has access. Does everyone have a need to access that file? Should it just be available to one person? Limiting access helps reduce the risk posed by an insider scavenging for data.
One way you can audit the shares on your network is to run Nessus scans with different levels of credentials. Running it as an administrator and as a regular user and then comparing the share outputs can help identify the shares that need a closer look. Unfortunately it is a bit manual, but it is a step in the right direction.
James Jardine is a principal security consultant at Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at firstname.lastname@example.org, @jardinesoftware or visit the Secure Ideas – Professionally Evil site for services provided.