AI Marketing Failure/Follow-up Failure

I’ve received an artificial intelligence (AI) marketing failure in the mail recently. Well, I think it was an AI failure; it sure was a marketing failure.

About a month ago, I received a letter saying that I could save a lot of money on my 15-year mortgage. It gave my current rate, the rate I could get if I refinanced, and the amount of the new payment.

Continue reading →

Advertisement

Download SharePoint Data w/o Rights

At a company I worked at recently, I ran across a Sharepoint site and wondered whether I could download data that I wasn’t supposed to see.

Now I understand the purpose of SharePoint and company intranets is to share data, but even then, some data should be restricted to a limited number of people.

So I decided to check (before doing things like this, you better know How to Stay Out of Jail).

Continue reading →

Will Robotics (RPA) Replace ACL?

In my last post, I described Why Internal Auditors Should Care about Robotic Process Automation.

In this post, I’ll explore whether RPA can replace analytic packages like ACL, IDEA, R, and Power BI.

That might seem like a strange question, but a few managers and a VP have asked me just that recently. Here’s how I’ve answered it.

Continue reading →

Bank’s Change Management Troubles

AuditMonkey has written about the Royal Bank of Scotland’s change management troubles.

Continue reading →

Security Failure: Empty Your Garage

When I was visiting a friend, she told me that her garage door opener no longer worked. For once, I did not suspect to find any security failures.

Occasionally, I am wrong.

Continue reading →

Data Center Failure: Conclusion

In previous posts, I described how I gained access to the data center area and then the data center proper.

I had bypassed door #1 and door #2.

My new colleagues were not happy.

Continue reading →

Data Center Failure: Going Behind Door #2

In my previous post, I described a data center failure that I discovered as the newly hired security manager of a prominent company.

In this post, I describe my next adventure.

NOTE: Some of the details below were changed a bit to protect the guilty. I tweaked their noses enough. :)

Continue reading →

Data Center Failure

One company I worked at had a sad data center failure, and I’m not talking a power outage or a fire or theft.

When I arrived at this company, it had no security department. Few security processes. Little security.

And the company also made two interesting mistakes when it hired me.

Continue reading →

Security Failure: Empty Your Drawers

I was visiting a dear friend recently when I happened upon a security failure.

My friend lives in an upscale, assisted living facility and recently had thousands of dollars withdrawn from her accounts via ATM.

Continue reading →

NFL Sprinkler Interruption a Hack?

NFL sprinkler hack?

When the sprinkler system caused an interruption of the Miami-Seattle NFL game on Sunday, November 25, no one called it a hack. Neither am I.

But if you heard about the event prior to reading this, did it cross your mind that it could have been a hack? What about other unusual events?

If not, and you’re an IT auditor or a security pro, you should at least consider such things, at least briefly. If not, you might want to check your professional skepticism sensor.

Continue reading →

Internal Attacker Detected: Conclusion

Minutes later, one of the security techs met me at Lynn’s cube with a box that we quickly filled with the contents of her desk: files, CDs, DVDs, notedpads, books, etc. The other help desk analysts in adjacent cubes looked at us with silent questions on their faces.

I noticed that one of them was a new employee that had attended my security presentation in employee orientation last week, so he knew who I was. That meant rumors would spread quickly. While I never enjoyed walkouts, they reminded the staff that security incidents have consequences.

This is a multi-part series. See Internal Attacker Detected: Part 1, Internal Attacker Detected: Part 2, and Internal Attacker Detected: Part 3.

Others on my team had already imaged the old computer and had started imaging the new one across the network as soon as my meeting with Lynn began (by design, she was not told of the meeting beforehand). Both images would be sent off to the Forensics team.

Continue reading →

Plan to Test the Test Plan

Always test the test plan and make sure it actually tests the control or risk being assessed. And make sure the tester (especially when you are observing the tester rather than performing the test yourself) actually follows the test plan.

During a segregation of duties (SOD) test for an expense report approval system, an auditor was observing a client perform a test.  The client was supposed to enter his user ID into the Approver field to demonstrate that he could not approve his own expense report.

Continue reading →

It’s not Business, it’s Personal

I wonder sometimes how many controls fail due to personal issues instead of design and performance issues. In other words, do controls fail more because of communication, turf, and personal issues or is it that the control is poorly designed or not performed?

Continue reading →