When I arrived at this company, it had no security department. Few security processes. Little security.
And the company also made two interesting mistakes when it hired me.
First, the week before they hired me, the help desk called me 3 different times to ask for my complete social security number. They said that they needed it to set up my laptop.
I asked the caller if they knew the position that I was hired for.
I told him: head of information security.
“That’s nice,” the caller said, and then he persisted: “Can I get your social security number? (You just can’t make this stuff up.)
I asked the guy what his name was, and he told me. I told him that I would not provide it, but I still expected a laptop to be ready for me.
Later that week, two of his colleagues called me and tried to convince me to provide it.
I thought to myself: while they don’t have much of a security and compliance mindset, at least they really try to follow procedures.
I never did give my SSN to them.
And yet, my laptop was ready when I arrived.
This new job was full of opportunities and was going to be an exciting ride.
The second serious mistake they made when they hired me is that they didn’t give me Internet access for 3 weeks.
Isn’t that funny? The security guy is not granted access to the Internet (that’s another story).
So, being the security guy (armed with a GOOJ card) with nothing to do–remember, they had no security culture or processes–I decided to hack the internal network and walk around a lot to see what kind of trouble I could find.
One day, I was shown the outside of the data center (yeah, I’m getting to the point, finally). I hadn’t received access yet, and they wouldn’t let me in. The conversation that day went something like this….
“And this is our data center,” my tour guide, who was from the Facilities department, said. He motioned with a wave of his hand at a locked door and a wall full of smaller doors.
“The data center has an outer area, which is immediately behind those doors, and an inner area where the hardware lives.”
“What are those smaller, clear doors for?” I asked, noting that they had knobs, but no locks. Inside each glass door was one or more shelves. Some shelves had stacks of paper on them, but most were empty. Some of the doors were quite a bit bigger than others, but all of them shorter than a people door.
“Each department has its own shelf for mainframe printouts. The data center guy collects the printouts and puts them on the appropriate shelves from inside the data center area. You just open your door and grab your reports.”
“The doors aren’t labeled,” I protested. “What prevents someone from accidentally, or on purpose, grabbing the wrong reports?”
“You look at the banner on the top page, so you’ll know if it isn’t yours,” my guide said, clearly irritated.
“Some of these doors are pretty big,” I replied, as I opened one of the larger doors, removed the shelf, and crawled through it.
“Hey, that’s a secured area,” my guide exclaimed. “You can’t go in there.”
“I know, but I just did.” I grinned at my guide through one of the windows. He moving toward the people door with his badge ready to swipe it at the reader.
Walking across the room, I stopped and said, “This looks like a check printer. And a stream of blank checks ready to be feed into the printer.”
My guide finally reached me and insisted I leave the area.
“Nope,” I said. “I snuck in here fair and square.”
“I’ll have to call security if you don’t come with me,” my tour guide threatened.
“I’m already here. My name is Mack. Nice to meet you.”
Continued in: Going Behind Door #2