Atlassian issues advice on how to keep your IT service desk secure... after hundreds of portals found facing the internet amid virus lockdown

As companies move their staff to remote working amid the COVID-19 coronavirus pandemic, some IT teams have made internal platforms, such as tech support desks, face the public internet. The hope, presumably, is that this ensures employees can easily reach these services from their homes, allowing them to raise support tickets …

  1. Flak

    Just because you cannot see someone, does not mean they are not there.

    The naive thinking displayed here is not new. When I conducted research for my dissertation in the late 1990s, I looked at the use of the Internet by SMEs, comparing UK and German companies. One common finding was that in both countries, companies recognised the new markets that the Internet was going to open up to them (e.g. outside of their current market geography), but failed to see that there would be increased competition from other companies they previously didn't contend with.

    This surprised me as it was completely irrational.

    So it is here. The Internet provides greater opportunity to work flexibly (completely independent of physical location), but people don't understand that it means that someone in some random country or location can access their services just as conveniently as they do.

    1. JCitizen

      Re: Just because you cannot see someone, does not mean they are not there.

      Another example of dumb companies (corporations) that never take security seriously; aggravated by the COVID-19 reality - Oh Well!

  2. Pascal Monett

    Rather inevitable wasn't it ?

    We've been hearing for years now how Azure/AWS buckets are not properly secured by devs everywhere, what makes you think that this rush of making everything compatible for remote working was going to go any better ?

    I am willing to bet that, had we had months to prepare, there would still be some who couldn't be arsed to do things properly. We didn't have months. We barely had a few days. Sure, I could throw the book at the admins who were not capable of properly configuring their service desk (especially easy from the comfort of my home office chair), but I won't forget that the service desk was but one of the hundred thousand things they had to take care of in record time.

    Security is not easy in the best of times. These are just about the polar opposite of the best of times.

    1. James 139

      Re: Rather inevitable wasn't it ?

      We had a customer who deployed, what was basically software intended for LAN use, directly on the internet.

      We pointed this out and said it most definitely wasn't advisable.

      Our recommendation was that he lock it away behind even basic HTTP password protection.

      His response? "Oh yeah, we're going to use SSL".

      I'm fairly sure that, after a year, it was still exposed, SSL-less and no sign of any additional password protection.

      Just a case of convenience over sense.

      1. Anonymous Coward

        Re: Rather inevitable wasn't it ?

        Had something similar with a client a couple of years ago. Dodgy bespoke web application storing some fairly confidential client information that they wanted to put on the internet. It had a login page, but it had hard coded admin credentials that one of my colleagues guessed in about 5 minutes. They just wanted it out there as HTTP. We couldn't get them to change their mind, but at least managed to persuade them to buy a certificate and use SSL. Stupid thing was they used Citrix, so could easily have just used it internally once they had logged onto their Citrix session.

        1. JCitizen

          Re: Rather inevitable wasn't it ?

          Too bad Secunia PSI has been shut down - it was one of the best for years at finding the vulns in apps and OS for years! Now I have to rely on OPatch to hopefully provide some minimal security!

  3. Anonymous Coward

    Not just coronavirus

    Coronavirus has certainly increased the number of incidents but the problem is an underlying refusal to start with security and proceed from there.

    When I worked remotely the first thing I had to do was install security software on any device I wanted to use. Then I needed to validate myself to the corporate network. With new hires it might be more difficult these days but the principle that you need to be running security software and be authorized by your employer before you get access remains.

    Why do companies ignore this? Security software costs money and authorization takes people (who also cost money) and time.

    1. mikepren

      Re: Not just coronavirus

      Really, if you are using Atlassian you should be tying it to some identity store, and ideally name Corp 2FA. BOTH AWS AND AZURE MAKE THIS EASIER (shouting intended). JFDI

      /rant over

      In fact this should be for any SaaS service, that means you Service Now admins!

    2. Doctor Syntax

      Re: Not just coronavirus

      "Security software costs money and authorization takes people (who also cost money) and time."

      Don't worry, money and time will be found for cleaning up and paying the fines after the incident. It's just that money now has greater value than money in the future for the beancounters.
