Thursday, February 03, 2005

Security Awareness

I visited a customer office today with my colleague to do some installation work. I noticed the users had very little clue about security.

First, an IT staff member connected to a shared folder on the server from a user's PC using the server's administrator account.

Second, later I asked the user what user name she used to connect to the shared folder on the server. She gave me her user name and password right away. Cool, I asked for it, but that doesn't mean she had to give it to me.

Third, in her cubicle, I noticed a piece of paper stuck on the wall that had all the staff's birthdays, email addresses and phone numbers. If I were a bad guy, imagine what I could do with that information. I could craft a scam mail, send it to their email addresses and fool them into giving out some personal information (phishing scam). Or I could start calling them, convince them I am calling from some authority and try to acquire personal information from them (social engineering).
