Am I Overreacting to These Security Issues at My New Job?

Asked By TechWhiz42 On

Hi everyone! I've spent nearly 15 years in IT, mainly focused on Office 365, identity management, and Exchange migrations. I recently took a new job at a government agency dealing with highly sensitive medical records, and I'm feeling a bit out of the loop. I've noticed some serious security concerns, but despite my attempts to bring them to the attention of senior staff, no one seems to care.

The main issues I've identified are:
1. A misconfigured Hybrid Exchange Server 2016 that's still open to the internet on ports 443 and 25, exposing critical directories like OWA and ECP with just basic authentication and no reverse proxy.
2. A VPN client that apparently stores all domain passwords in users' AppData folders in plain text, logging in automatically on every connection attempt.

I've sent emails with detailed findings and screenshots about these issues, but there hasn't been any follow-up or acknowledgment. I'm beginning to wonder if I'm overreacting. Are these issues as serious as I think they are? Any advice would be appreciated!
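Added example, not code from the original post: a read-only PowerShell audit of the Exchange 2016 settings behind finding 1, meant to turn "it looks exposed" into a list of concrete, reproducible settings that can go in the next email. It runs in the Exchange Management Shell as an Exchange administrator; the server name EXCH01 is a placeholder, and the remediation commands at the end are commented out so the script only reports.

```powershell
# Added example (not from the original post): audit the settings behind finding 1
# on a hybrid Exchange 2016 server. Run in the Exchange Management Shell.
# 'EXCH01' is a placeholder for the hybrid server's name.
param(
    [string]$Server = 'EXCH01'
)

$report = New-Object System.Collections.Generic.List[string]

# Patch level first: an Internet-facing Exchange server must be on a current CU/SU.
$ex = Get-ExchangeServer -Identity $Server
$report.Add("Build: $($ex.AdminDisplayVersion) (compare with the current Exchange 2016 CU/SU)")

# OWA and ECP virtual directories. Forms-based authentication (FBA) on OWA/ECP
# sets BasicAuthentication to $true under the hood, so Basic by itself is not
# the finding; Basic *without* FBA means a raw HTTP Basic prompt that takes
# domain credentials and can be password-sprayed from the Internet.
$vdirs = @(Get-OwaVirtualDirectory -Server $Server) + @(Get-EcpVirtualDirectory -Server $Server)
foreach ($v in $vdirs) {
    if ($v.BasicAuthentication -and -not $v.FormsAuthentication) {
        $report.Add("$($v.Identity): Basic authentication without FBA")
    }
    if ($v.WindowsAuthentication) {
        $report.Add("$($v.Identity): Windows (NTLM) authentication enabled on an Internet-facing vdir")
    }
    if ($v.ExternalUrl) {
        $report.Add("$($v.Identity): published externally at $($v.ExternalUrl)")
    }
}

# ECP is the admin console; it has no business being reachable from the Internet.
foreach ($ecp in @(Get-EcpVirtualDirectory -Server $Server)) {
    if ($ecp.AdminEnabled -and $ecp.ExternalUrl) {
        $report.Add("$($ecp.Identity): ECP admin access enabled on an externally published vdir")
    }
}

# Port 25: inbound SMTP from Microsoft 365 is expected on a hybrid server, but the
# connector (or the firewall in front of it) should be limited to Exchange Online
# Protection source ranges, and Basic auth must not be offered without TLS.
foreach ($rc in @(Get-ReceiveConnector -Server $Server)) {
    $on25 = @($rc.Bindings | Where-Object { "$_" -match ':25$' }).Count -gt 0
    if (-not $on25) { continue }
    $anySource = @($rc.RemoteIPRanges | Where-Object { "$_" -in @('0.0.0.0-255.255.255.255', '0.0.0.0/0') }).Count -gt 0
    if ($anySource) {
        $report.Add("$($rc.Name): port 25 accepts from any source IP (confirm the firewall restricts it)")
    }
    $auth = "$($rc.AuthMechanism)"
    if ($auth -match 'BasicAuth' -and $auth -notmatch 'BasicAuthRequireTLS') {
        $report.Add("$($rc.Name): Basic auth offered without requiring TLS")
    }
}

$report | ForEach-Object { Write-Output "[!] $_" }

# Remediation for the OWA/ECP findings (deliberately not executed; review first,
# these change production authentication):
# Set-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)" -FormsAuthentication $true -WindowsAuthentication $false
# Set-EcpVirtualDirectory -Identity "$Server\ecp (Default Web Site)" -AdminEnabled $false -ExternalUrl $null
# Beyond those settings, put a reverse proxy that pre-authenticates (ideally with MFA)
# in front of the server so unauthenticated requests never reach IIS.
```

The script lists what it sees rather than fixing it, so the output can be pasted into a ticket as evidence. The one caveat worth knowing before reading the output: on a default install `Get-OwaVirtualDirectory` reports BasicAuthentication as True even when forms-based authentication is on, so only the Basic-without-FBA combination is reported as a finding.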

5 Answers

Answered By EmailMaster9 On

This is where being proactive comes in! Draft up an email summarizing your findings and include the potential consequences. Make sure to copy in legal and risk management. It might help to lay out a project scope and timeline for fixing these issues, as well as which departments would be involved. Could give them a clearer picture of what’s at stake!

Answered By QuestioningIT On

Did you suggest any specific solutions or provide a detailed plan for remediation when you raised these issues? Also, just curious—did you happen to use any emojis in your emails? That can change the tone quite a bit!

Answered By SafeGuard101 On

As long as you've documented your concerns and communicated them to upper management, you’ve covered yourself when the inevitable issues arise. Just make sure you’re not caught in a situation where you’re held responsible for what they neglect to fix—keeping records is key!

Answered By SecuritySkeptic88 On

It's ultimately up to management to decide how much risk they want to take on. The issues you’ve raised definitely need attention, especially considering regulatory standards that might require them to be fixed. If you’ve highlighted everything clearly and there’s still no action, it might be time to reconsider your place there. Remember, staying in a poorly managed environment can be tough—if you enjoy the job, stick around, but if not, it’s worth looking at other options. Your concerns are valid, and they should be considering how to mitigate those risks.

Answered By NotCoolVPN On

Regarding the VPN situation, having passwords stored in plain text is a huge no-no. Even if they think the risk is minimal, that's just asking for trouble. If a user’s device is compromised, those passwords are a goldmine for malware. If I were you, I’d be pushing hard against anything that allows domain passwords to be stored insecurely.

TechWhiz42 -

Thanks for backing me up on that. I’m definitely going to make this issue my top priority!
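Added example, not code from the original post, for finding 2 and NotCoolVPN's point above: the original post does not name the VPN client or the file it writes, so this PowerShell scan walks every profile's AppData for credential-looking lines in text-based files and reports where they are, who can read them and when they were last written, without echoing the secret itself. Run it elevated on an affected workstation; the profile root and file extensions are assumptions.

```powershell
# Added example (not from the original post): locate plain-text domain passwords
# stored under users' AppData, as described in finding 2. The client and file
# names are not given in the post, so this searches by content instead of path.
param(
    [string]$ProfileRoot = 'C:\Users',
    [string[]]$Extensions = @('*.xml', '*.ini', '*.cfg', '*.conf', '*.json', '*.txt', '*.dat', '*.log')
)

# Roaming, Local and LocalLow all live under <profile>\AppData.
$roots = Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData' } |
    Where-Object { Test-Path $_ }
if (-not $roots) { Write-Warning "No AppData folders found under $ProfileRoot"; return }

# Matches Password=x, passwd: x, "password": "x" and <Pwd>x</Pwd>; the value is captured
# only so it can be redacted in the report.
$pattern = '\b(password|passwd|pwd)\b\s*["'']?\s*[=:>]\s*["'']?(?<secret>[^\s<"'']+)'

$hits = Get-ChildItem -Path $roots -Recurse -File -Include $Extensions -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -lt 5MB } |
    Select-String -Pattern $pattern -List -ErrorAction SilentlyContinue

foreach ($h in $hits) {
    # Never write the secret into the report; show that it exists and who can read it.
    $masked = $h.Line -replace $pattern, '${1}=<redacted>'
    $readers = (Get-Acl -Path $h.Path).Access |
        Where-Object { "$($_.FileSystemRights)" -match 'Read|FullControl' } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
    [pscustomobject]@{
        Path       = $h.Path
        Line       = $h.LineNumber
        Evidence   = $masked.Trim()
        # A timestamp close to the last VPN connection corroborates the post's claim
        # that the client rewrites the file on every connection attempt.
        LastWrite  = (Get-Item -Path $h.Path).LastWriteTime
        ReadableBy = ($readers -join ', ')
    }
}
```

Expect false positives from configuration files that merely mention a password field; the Evidence column is there so each hit can be triaged by eye. A hit whose ReadableBy column includes groups beyond the profile owner and SYSTEM is the strongest version of the finding, since any process running as that user, including malware, can read the domain credential directly.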
