Search Results for: quote of the weak
As an auditor, I am told all the time by the business that “we have a current project plan that is addressing that risk”, which implies that I shouldn’t waste everyone’s time writing up an audit issue regarding the problem. … Continue reading
The other day I was in a meeting to discuss a new analytics project and discovered the team had no end goal. When the discussion started with the software to be used, I knew they were already off track.
If you are in IT, audit, or security (or any other job requiring data analysis), you should NOT be cleaning data manually. Let me share a recent experience with you…. A young IT auditor texted me at work and asked … Continue reading
According to the following article, the cloud is safer because the cloud data center is bigger than yours and has better fences. Oh, and passwords need to be hard to use so that others can’t use them.
When I read the following in SC Magazine, my brain identified and attempted to process so many issues at once that I experienced multiple memory and neural page faults and felt physical pain:
I’ve been absent from the blog lately due to a number of pressing projects, one of which was rebuilding a friend’s Windows XP box after a trojan massacre (and I thought only auditors stabbed the wounded — you should have seen … Continue reading
I was at Menards getting ready for my new garden (see my other Menards adventure). As I was checking out, the cashier scanned a blueberry plant that was packaged in a large paper cup, with a small cluster of leaves … Continue reading
Remember the quote about the “attacker’s perspective?” No one identified the issue in the original quote, but I described it in my update in the original post. Check it out.
A colleague of mine is doing some testing for an audit director that changes her mind frequently on how to deal with audit findings. Occasionally, she is all about nailing control owners who do not have all their ducks groomed … Continue reading
A friend of mine heard this one and passed it on to me: Auditors are those who get to the battlefield after the war is over and stab the wounded.
I don’t like to pick bones with my fellow ISACAeans, but when I saw this in the Journal recently, I had to react. Can you pick out the problem?
During the Olympics, an advertisement for a medication for treating major depressive disorder (MDD) caught my attention. It aired appropriately after I became depressed that Apolo Ohno was disqualified in the speed skating short track:
While I realize many bloggers do “Quote of the Week,” it was Audit Monkey who gave me the idea. Here’s my very first quote: Who uses special characters in passwords? Nobody does that.
Over the years, I think that Skyyler and I have penned some pretty funny lines. If you’re in the mood for some humor, read on and discover why these lines appeared in these posts. Usually, we were making a serious … Continue reading
Last week I was meeting with one of our company’s Accounts Payable clerks, who told me she was not concerned about some upcoming General Ledger changes. 2 changes that were submitted by developers on her behalf. 2 changes she didn’t … Continue reading
I was at a client’s site looking for more contract work when the manager of the department started telling me about their great IT security website on their Intranet. She clicks on their random generator password page and shows me … Continue reading
Since I started Quote of the Weak, I haven’t heard that many good quotes we can share a chuckle over. So, in contrast, here’s a great quote of the strong:
AuditMonkey has written about the Royal Bank of Scotland’s change management troubles.
While commenting on AuditMonkey’s blog, I noted that because companies often don’t do the right thing, auditing is a noble profession. Mainly because we can right some of those wrongs. Then I said…
If you enter a password into a login box and your password disappears, look for it! I’m serious, because it happened again today. Not to me, but to my colleague.
Trend Micro’s Dave Asprey has posted 10 reasons not to virtualize. I generally disagree with all of them (as I’ll explain later), but I think he missed the REAL #1 reason not to virtualize…
If you haven’t determined how server virtualization changes your audit plans, you better get moving. I’m not just talking about a virtualization audit (more on that later), but the audits that you typically do every year or on a multi-year … Continue reading
Check out these categories to find posts that you’re interested in. ACL Audit Blogging CISA Case Files Employment Free Free Download How to… Humor/Irony Scripting (ACL) Security Security Scope Security Scout Quote of the Weak Top 10 Uncategorized Popular Posts Teach … Continue reading
Here’s my take on the issues that I found with the following quote from SC Magazine (for more info, see Quote of the Weak (Securing Virtual Servers)): We don’t treat the virtualization servers any different than the physical servers when it … Continue reading
Here’s one last call for comments on Quote of the Weak (Securing Virtual Servers). Be the first one to dive in. Be the first on your block. Since no one has commented, does that mean 1) no one knows much about … Continue reading
Hi, welcome to my blog! Blog Focus This blog focuses on technology, information security, and IT audit, but certainly not in that order. Miscellaneous tangents will appear occasionally. My goals for this blog: Tackle audit and security issues, often from … Continue reading
To increase the amount and depth of the analytics performed, steal some agile methods, and apply them to your audits. If you’re not familiar with agile methods, check out the first 5 topics listed here (just click Next at the … Continue reading
In the previous post, Create a Team for Audit Analytics? Part 2, I explored the pros and cons of expecting all auditors to develop a level of data and analytic proficiency. These auditors would continue to do audit testing that involves … Continue reading
I get asked all the time, “How do I get a job in IT audit with little or no experience?” When Michael Onuoha asked me this question (see here), I thought I’d share my response with my readers. You’ll find these … Continue reading
In my previous post, I described a data center failure that I discovered as the newly hired security manager of a prominent company. In this post, I describe my next adventure. NOTE: Some of the details below were changed a … Continue reading
Recently, I ran an import script to import a delimited file into ACL, but the last 10 fields were not imported. And I didn’t know it right away, because I received no error message. In addition (or should I say, … Continue reading
Do you perform appropriate population validation of the data you rely on in an audit? Population validation is simply gaining confidence that the data you are using in your audit contains all the appropriate data for your audit objectives (e.g., … Continue reading
As soon as you create an ACL script, you often have to add to it or edit it. There’s an easy way to do it.
What’s the biggest problem in computer security, according to valsmith at carnal0wnage.attackresearch.com? Well, it’s… Staffing. As the author admits, the post leans toward self-promotion of the company, but it makes many good points and deserves a read and a good … Continue reading
It’s a best practice to prefix all computed fields with “c_” (e.g., c_Region) for the following reasons: 1) Computed fields are not original data, and you should always keep this in mind. You should scrutinize the values in computed fields … Continue reading
Using great titles and intro sentences is so critical to the success of your blog. Not only do they grab the attention of your reader, great titles and introductory sentences seduce search engines like Google into sending you even more … Continue reading