The third item on my list is a problem that involves permissions. It was discovered during the investigation of a recent DLP incident. The DLP analyst discovered that the permissions for a departmental file share that contained sensitive business documents were set so that all domain users could list the file contents of any folder.
Although the users couldn't download or view the contents of files, just displaying folder or document names can be risky. For example, say that the human resources department had a folder named "Layoffs," and inside that was a spreadsheet called "2013 Reduction in Force." Anyone who saw those names would likely make assumptions, and layoff rumors would soon be flying.
Having found that several folders were configured in this way, we will mandate a review of all departmental file shares to ensure that permissions are set properly. We are also planning some new technical controls and processes to prevent improper permissions from being set.
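One way to start the file-share review described above is to flag allow entries that let a domain-wide group list a folder. This is an added example, not part of the original column; it assumes Windows shares whose ACLs were dumped with `icacls <folder>` for one folder at a time, and the domain `CORP`, the path `D:\Shares\HR` and the group names in the sample are constructed.

```python
import re

# Groups that cover most or all of a domain (matched on the name after the last backslash).
BROAD = re.compile(r"(^|\\)(Domain Users|Authenticated Users|Everyone|Users)$", re.I)
INHERIT = {"OI", "CI", "IO", "NP", "I"}             # icacls inheritance flags
# icacls rights that include listing a folder (RD = read data / list directory).
LISTING = {"F", "M", "RX", "R", "RD", "GR", "GA"}
ACE = re.compile(r"^(?P<who>[^:]+):(?P<flags>(\([^)]*\))+)$")

def broad_listing_aces(path, icacls_text):
    """Return (principal, scope, rights) for allow ACEs that let a broad group list `path`.

    `icacls_text` is the output of icacls for this single folder (no /T).
    """
    findings = []
    for line in icacls_text.splitlines():
        line = line.strip()
        if line.startswith(path):                   # first line is "<path> <first ACE>"
            line = line[len(path):].strip()
        m = ACE.match(line)
        if not m or not BROAD.search(m["who"]):
            continue
        groups = re.findall(r"\(([^)]*)\)", m["flags"])
        if "DENY" in groups:                        # deny entries do not grant listing
            continue
        inherit = [g for g in groups if g in INHERIT]
        rights = {r for g in groups if g not in INHERIT for r in g.split(",")}
        if not rights & LISTING:
            continue
        if "OI" in inherit:
            scope = "folders and files"
        elif "CI" in inherit:                       # subfolders only: names visible, files not readable
            scope = "folders only (List folder contents)"
        else:
            scope = "this folder only"
        findings.append((m["who"], scope, sorted(rights)))
    return findings

# Constructed sample: icacls output for one departmental share.
SAMPLE_PATH = r"D:\Shares\HR"
SAMPLE = r"""D:\Shares\HR CORP\Domain Users:(CI)(RX)
             BUILTIN\Administrators:(OI)(CI)(F)
             CORP\HR-Staff:(OI)(CI)(M)

Successfully processed 1 files; Failed processing 0 files"""

if __name__ == "__main__":
    for who, scope, rights in broad_listing_aces(SAMPLE_PATH, SAMPLE):
        print(f"{SAMPLE_PATH}: {who} can list ({scope}), rights={rights}")
```

The `(CI)(RX)` entry is how `icacls` displays the "List folder contents" permission: read and execute inherited by subfolders but not by files, which matches the case where names are visible but documents cannot be opened.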