Tag Archives: confidential

How to Audit User Access

How to Audit User AccessWhen checking system access, make sure you look at all the different items that affect the user’s access. For example, the user might need one or more of the following:

  • Application ID
  • Application role or group
  • Membership in an local server group, Active Directory (AD) group, or UNIX Group
  • Access to the application’s share and/or folder on the server
  • Database ID
  • Database role, including access permissions (read/write)
  • Other permission (from a home-grown application code or enterprise identify management system)

Continue reading

5 Comments

Filed under Audit, How to..., Security, Technology

Easiest Way to Steal Confidential Data

A lot of company data is lying around unprotected, making it very easy to steal. No, I’m not talking about picking up other people’s documents at the printer. Stealing printouts isn’t hard, but it can be risky, especially if the printer is a busy one. Besides, it has 2 other problems:

  • Your chances of picking up confidential data are low at any given time.
  • The person will look for the printout and wonder what happened to it.

There’s a much better way that is fast, easy, simple, raises no suspicion, and is basically impossible to detect, if you do it correctly. Can you think of what it is?

Continue reading

6 Comments

Filed under How to..., Security

Searching for Secrets

I was visiting a friend at large, public company doing some benchmarking when we had to schedule several meetings with IT to gather data. My friend “Meako” starting entering attendees into his online calendar to see whether we could get some important meetings scheduled during the next week.

Continue reading

1 Comment

Filed under Audit, How to..., Security, Security Scout

How to do an Easy Server Share Audit

Okay, so you’re not up to a wastebasket audit? Too demeaning, too sneaky, too many sticky candy wrappers? How about a simple server share audit?

Many companies have shared drives, and then they have “over-shared” drives, those locations where anyone who needs a space to store files that they share with a couple departments. Or perhaps your company just doesn’t lock their shares according to the least privilege principle.

Continue reading

1 Comment

Filed under Audit, How to...

Should Audit Have Access to IT Systems?

I’ve been involved in a number of debates lately regarding whether auditors should have READ access to IT systems and data. Surprisingly, I’ve found that there appears to be very little middle ground – auditors either get READ access to whatever they request or get no access at all.

Continue reading

4 Comments

Filed under Audit

Security That Doesn’t Work

I despise security controls that don’t work or provide actual security, and especially despise those controls whose only function appears to be the irritation of the human condition. Here’s my short list:

Continue reading

Leave a comment

Filed under Security