As an auditor, I am told all the time by the business that “we have a current project plan that is addressing that risk”, which implies that I shouldn’t waste everyone’s time writing up an audit issue regarding the problem.
It means that the risk isn’t as big as it appears.
The other day I was in a meeting to discuss a new analytics project and discovered the team had no end goal.
When the discussion started with the software to be used, I knew they were already off track.
If you are in IT, audit, or security (or any other job requiring data analysis), you should NOT be cleaning data manually.
Let me share a recent experience with you….
A young IT auditor texted me at work and asked for some Active Directory user account data that I capture automatically every week, using some scheduled ACL scripts.
If you’re not familiar with my ‘Quote of the Weak’ series, I described it briefly in About. For a list of posts in this series, see here.
Over the years, I think that Skyyler and I have penned some pretty funny lines.
If you’re in the mood for some humor, read on and discover why these lines appeared in these posts.
Usually, we were making a serious point in a comical way.
While commenting on AuditMonkey’s blog, I noted that because companies often don’t do the right thing, auditing is a noble profession.
Mainly because we can right some of those wrongs.
Then I said…
According to the following article, the cloud is safer because the cloud data center is bigger than yours and has better fences. Oh, and passwords need to be hard to use so that others can’t use them.
I read a blog post that quoted a security professional saying, ‘culture is defined as the beliefs we accept without question.’ The blogger, also a security professional, went on to say that his goal is to generate a new security culture, a security culture that “everyone accepts and makes a natural part of their activities.”
That definitely got me going, so I left a comment that explained why I disagreed with that statement.
Here’s my take on the issues that I found with the following quote from SC Magazine (for more info, see Quote of the Weak (Securing Virtual Servers)):
We don’t treat the virtualization servers any different than the physical servers when it comes to security. We treat them the same. Security is security.
Here’s one last call for comments on Quote of the Weak (Securing Virtual Servers). Be the first one to dive in. Be the first on your block.
Since no one has commented, does that mean 1) no one knows much about virtual security, 2) no one cares much about virtual security, or what? I never bite anyone’s head off.
I’ll give the topic a little more air and then I’ll explain my reaction to the quote I found.
Read it and reply here.
Don’t forget the good blog reader’s rule:
I came. I saw. I commented.
Update 9/9/10 —
I shared my thoughts and concerns in Securing Virtual Servers.
Update 10/29/10 —
Oh, I get it–you left virtual comments. Real funny.
When I read the following in SC Magazine, my brain identified and attempted to process so many issues at once that I experienced multiple memory and neural page faults and felt physical pain:
I’ve been absent from the blog lately due to a number of pressing projects, one of which was rebuilding a friend’s Windows XP box after a trojan massacre (and I thought only auditors stabbed the wounded — you should have seen the legions on that box).
When I delivered the newly minted OS and applications, my friend informed me that another set of email spam was sent from her Hotmail account at 3:20 am that morning. She asked me whether I was working on the PC at the time. I told her that not only was her PC turned off at that time, it was unplugged.
I was at Menards getting ready for my new garden (see my other Menards adventure). As I was checking out, the cashier scanned a blueberry plant that was packaged in a large paper cup, with a small cluster of leaves poking out the top.
Some people do not understand that both diamonds and the Internet are forever. I found this statement in a discussion on LinkedIn:
I am excited about 2 interviews next week even though I’m not fully qualified for either one.
Remember the quote about the “attacker’s perspective?” No one identified the issue in the original quote, but I described it in my update in the original post. Check it out.
A colleague of mine is doing some testing for an audit director that changes her mind frequently on how to deal with audit findings. Occasionally, she is all about nailing control owners who do not have all their ducks groomed and in a row. At other times, she pushes Audit to work as hard as possible to pass all controls.
A friend of mine heard this one and passed it on to me:
Auditors are those who get to the battlefield after the war is over and stab the wounded.
I don’t like to pick bones with my fellow ISACAeans, but when I saw this in the Journal recently, I had to react. Can you pick out the problem?
During the Olympics, an advertisement for a medication for treating major depressive disorder (MDD) caught my attention. It aired appropriately after I became depressed that Apollo Ohno was disqualified in the speed skating short track:
While I realize many bloggers do “Quote of the Week,” it was Audit Monkey who gave me the idea. Here’s my very first quote:
Who uses special characters in passwords? Nobody does that.