|
Internal admin tools grow over time. They don't spring fully-formed into the modern company with all the correct access controls and auditing they ought to require at that point. They carry a lot of cruft from things that were needed early on and aren't needed anymore. Furthermore, they're a classic cost center, not a lot of love or budget goes into reducing their tech debt, or bulwarking them up against a sophisticated adversary. Red teaming yourself full time is expensive and not profitable. What's the worst that happens from a breach like that? Well, Equifax is still going strong! I recall being party to an amusing conversation at a major network services provider at a team meeting for people with access to such tools, to the effect of: - Alright, we're modifying <internal tool A> to lock down access to accounts related to <major political figure>. You will no longer be able to use <internal tool A> on <accounts>, only select supervisors will have that access. %%% ah, okay, that makes sense # uh, hey, regarding <internal tool B>, which allows us to look up <thing that would provide equivalent access to internal tool A>? does that still work the same? - Uh, yeah, it does. # okay? %%% ... silence ... - Alright, next item! To the best of my knowledge, that was never addressed. <internal tool A> has audit logs. <internal tool B> doesn't. |