Page 1: Auditing Archives: The Case of the File Sharing Franchisee

Auditing Archives Series
The Case of the File-Sharing Franchisee

Page 2

Business background

Successful franchisee owns over 100 well-known restaurants in the Midwest.

Page 3

Business background

Shared files with restaurant management across states via a server at the corporate location.

Page 4

Business background

Used a third-party IT company to configure system hardware and software for all restaurant locations.

Page 5

How hackers could get in

The corporate back-office server that shared files across restaurant servers used an always-on, insecurely configured virtual private network (VPN) connection.

IT staff configured the corporate office remote access insecurely, which provided access to the 'flat' (unsegmented) internal network, where every system could reach every other system.

Page 6

What is remote access?

Remote access is the ability to access a computer or server from a remote location. It is often used in mid-sized to large organizations by employees who need access to shared files and company networks.

Unfortunately, it’s very common for remote access to be set up insecurely.

Page 7

How hackers could get in

A hacker could break into the insecure remote access at corporate headquarters by cracking an easily guessable password, and then find the file server connected to 100+ other restaurants via the always-on VPN connection.

Page 8

How hackers could get in

Once on the file server, the attacker could guess the in-store POS system password.

One by one, he could install malware on each restaurant's POS system and capture sensitive payment card data.

Page 9

What the business did wrong

The third-party IT group configured all restaurant systems identically and with the same easily guessable password.

Page 10

What makes a good password?

A password should not be found in a dictionary in any language. It should be at least 8 characters long and include upper- and lower-case letters, numbers, and special characters.

Passwords should be changed every 90 days.
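The rules on this page (dictionary words, length and character classes, 90-day age) and the problem from the previous page (identical passwords at every location) can be checked mechanically. The following is an added example written for this transcript, not code from SecurityMetrics or from the franchisee's IT provider; the word list and the store inventory are constructed stand-ins, and a real audit would load a full multi-language dictionary.

```python
import string
from datetime import date, timedelta

# Constructed stand-in for a real word list (assumption: load a full
# multi-language dictionary in practice).
DICTIONARY = {"password", "restaurant", "welcome", "manager", "franchise", "admin"}

# The page's rotation rule: change passwords every 90 days.
MAX_AGE = timedelta(days=90)


def check_password(pw: str) -> list:
    """Return the list of page rules this password violates (empty = passes)."""
    problems = []
    # Strip digits/punctuation so "Restaurant1" is still treated as a dictionary word.
    core = "".join(c for c in pw.lower() if c.isalpha())
    if core in DICTIONARY:
        problems.append("found in dictionary")
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    classes = {
        "upper": any(c.isupper() for c in pw),
        "lower": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(c in string.punctuation for c in pw),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))
    return problems


def is_stale(last_changed: date, today: date) -> bool:
    """True when the password is older than the 90-day limit."""
    return today - last_changed > MAX_AGE


def audit_fleet(inventory: dict, today: date) -> dict:
    """Audit every location's system password.

    inventory maps location -> {"password": str, "changed": date}.
    Returns {location: [issues]} for locations with at least one issue,
    including reuse of the same password at other locations.
    """
    locations_by_password = {}
    for loc, rec in inventory.items():
        locations_by_password.setdefault(rec["password"], []).append(loc)

    findings = {}
    for loc, rec in inventory.items():
        issues = check_password(rec["password"])
        if is_stale(rec["changed"], today):
            issues.append("older than 90 days")
        shared_with = sorted(l for l in locations_by_password[rec["password"]] if l != loc)
        if shared_with:
            issues.append("reused at " + ", ".join(shared_with))
        if issues:
            findings[loc] = issues
    return findings


# Constructed sample inventory: two stores share a weak password, one is fine.
SAMPLE_INVENTORY = {
    "store-001": {"password": "Restaurant1", "changed": date(2024, 1, 10)},
    "store-002": {"password": "Restaurant1", "changed": date(2024, 1, 10)},
    "store-003": {"password": "Kq7#vL2p!xR9", "changed": date(2024, 5, 1)},
}

if __name__ == "__main__":
    for loc, issues in audit_fleet(SAMPLE_INVENTORY, date(2024, 6, 1)).items():
        print(loc, "->", "; ".join(issues))
```

Run against the sample inventory, stores 001 and 002 are reported for a dictionary-based password, a missing special character, an age over 90 days, and reuse at the other store, while store 003 produces no findings. In a real environment the passwords would not be available in clear text; the reuse check would instead compare per-system hashes computed by a configuration management or vulnerability-scanning tool.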

Page 11

What they should have done

This problem could have been prevented through more secure remote access at the corporate location.

Specifically, the business should have required two-factor authentication for each login (e.g., a password plus a one-time code) and an individual, complex system password for each restaurant location.

Page 12

SecurityMetrics
We Protect Business

Services
PCI, HIPAA, & data security solutions for businesses of all sizes

Qualifications
Global provider of ASV, QSA, PFI, PA-QSA, P2PE services

Experience
Assisted over 1 million organizations with compliance needs