Is this bad practice?

I have a situation at work that is bothering me and was curious if it should. In my department right now there is a giant white board, with IP addresses to everything in our infrastructure. The thing that bothers me is that it is sitting in what is essentially a hallway where everyone can see it.

It isn't just employees who can see it, also any guests on site could as well.

Is this a bad practice?

Find more posts tagged with

Comments

Verities

I'm surprised that you're asking this kind of question having Security + under your belt. This is a pretty basic example of bad security practices.

BowlJar

The fact that it seems like such a basic security issue is why it bothers me. But I was wondering if there is a standpoint where this procedure is acceptable, or commonplace. My Network admin who has past experience in Security procedures on corporate scale is who put it up. I have the least amount of real world experience on my team so I don't know what it is common procedure.

Theory over practice kind of deal.

Edificer

We on a regular basis receive guests and showcase our server rooms and Emergency Command Posts, but we make 110% sure the curtains are pulled over the whiteboards first.

Verities

Have you voiced your concerns to him/her about it? The only place I could see this not being an issue is if you're in a secure office/room or if you're in a NOC that limits access to anyone outside of support.

MTciscoguy

When I was working in DC, if something like that had been made visible to anyone other than those with the proper clearance as well a reason to see them, such as security personal that worked on it, you would have been taken into custody and charged with a crime. Company infrastructure maps should be in a place that the only people who see them are those that need to know them. In this day and age of high quality pocket cameras it is way to easy for somebody with nefarious intentions to do a massive amount of damage.

hurricane1091

We don't always follow best practice. I've mentioned it and was basically told "deal with it kid" so take that FWIW.

BowlJar

Which in a round about way is what I was told when I brought it up today.

nster

It's a pretty bad security risk IMO. You could go over your boss' head to voice your concerns

EDIT: would def piss him off if action was taken though

MTciscoguy

BowDar, you have to understand the hierarchy in the IT business is pretty amazing, the prevailing thought process is, you are lower than me, you can't understand why we are willing to breach the companies security! LOL

Don't push it so far you get in trouble, but I would continue to drop subtle hints anytime I could.

rsutton

I don't see the problem with listing your IP addresses. Maybe I'm missing something - what is the risk here?

Christian.

rsutton wrote: »

I don't see the problem with listing your IP addresses. Maybe I'm missing something - what is the risk here?

Is not a really huge issue, but you are basically showing hints on your topology.

MTciscoguy

rsutton wrote: »

I don't see the problem with listing your IP addresses. Maybe I'm missing something - what is the risk here?

With a little bit of basic information you can create some real havoc for a company.