I had been meaning to write about this for a few days now. I’ve been trying to become someone who is more security-conscious, and to see everyday life with a different set of eyes. One day last week, this fell right into my lap, and before that, I never would have given it a second thought.
I’m sure that most people’s work days involve email. Love it or hate it, it’s certainly not going anywhere anytime soon. Of those emails that you have to deal with on a daily basis, I’ll bet that there are a number of them that have been forwarded to you from someone else, sometimes passing through many sets of eyes before eventually reaching yours.
If you’ve ever been nosy before (and who hasn’t?), you’ve probably even scrolled through the entire email chain and glanced at, or read through, each and every reply.
Ever read through those replies and think to yourself, “wow, I didn’t need to know/read that”? Yep, that happened to me last week. I had received an email that had been forwarded to me and several others. I took a moment to read through the entire chain, all the way back to the original email.
What was it about?
A person was being promoted, and needed their access privileges changed.
Yep, it had the employee’s name, the supervisor who was sending the email to the security group, and then EVERY email address of everyone in the chain it had been passed on to.
I did NOT need to know all of this information. I don’t work in security (yet, haha!), and have no access to a user’s account. All of a sudden, a whole bunch of people who had no business knowing now know about this person’s promotion (think of the military’s ‘need to know’ saying).
Now, imagine if this email had made it out to someone’s public email. It may not seem like much of a big deal to most people, but think of it in terms of a malicious hacker. They are looking for ways to get into a company’s systems, using whatever methods they can. Suddenly, they find this email to see that someone has been promoted, and had their access privileges increased. This could be a potential vector to get into a company’s resources. They could simply pose as someone in IT who needs to “verify their access”, send them to a phony site, and have them enter in their credentials.
Voila! Now they’ve got some credentials to get in!
Moral of the story: when forwarding or replying to emails, ALWAYS make sure that the intended recipient is ONLY getting the information that they need, especially if it covers sensitive topics. Read through the email chain, and remove what’s not pertinent.