Vendor-created backdoor
The Network: A multi-state retailer with 100+ stores on the US East Coast; 400+ servers.
The Expectation: Business functions require that IT provide server access to specialist vendors, with limited access to their technology in the data center, for troubleshooting and upgrades. Vendors must abide by IT rules on account creation so that security policy can be enforced.
The Catch: Local account with non-expiring password was created by a vendor despite policy guidance that this is not permitted.
The Find: Vendor is not abiding by IT’s security policy regarding account creation and password aging.
The Fix: Remind vendor on security policy. Disable/delete the offending account and require that vendor create a new account that abides by IT security policy.
The Lesson: Doveryai no proveryai, as Ronald Reagan would say.