At a company I worked at recently, I ran across a Sharepoint site and wondered whether I could download data that I wasn’t supposed to see.
Now I understand the purpose of SharePoint and company intranets is to share data, but even then, some data should be restricted to a limited number of people.
So I decided to check (before doing things like this, you better know How to Stay Out of Jail).
In my last post, I described Why Internal Auditors Should Care about Robotic Process Automation.
In this post, I’ll explore whether RPA can replace analytic packages like ACL, IDEA, R, and Power BI.
That might seem like a strange question, but a few managers and a VP have asked me just that recently. Here’s how I’ve answered it.
AuditMonkey has written about the Royal Bank of Scotland’s change management troubles.
When I was visiting a friend, she told me that her garage door opener no longer worked. For once, I did not suspect to find any security failures.
Occasionally, I am wrong.
In previous posts, I described how I gained access to the data center area and then the data center proper.
I had bypassed door #1 and door #2.
My new colleagues were not happy.
In my previous post, I described a data center failure that I discovered as the newly hired security manager of a prominent company.
In this post, I describe my next adventure.
NOTE: Some of the details below were changed a bit to protect the guilty. I tweaked their noses enough. :)
One company I worked at had a sad data center failure, and I’m not talking a power outage or a fire or theft.
When I arrived at this company, it had no security department. Few security processes. Little security.
And the company also made two interesting mistakes when it hired me.
I was visiting a dear friend recently when I happened upon a security failure.
My friend lives in an upscale, assisted living facility and recently had thousands of dollars withdrawn from her accounts via ATM.
NFL sprinkler hack?
When the sprinkler system caused an interruption of the Miami-Seattle NFL game on Sunday, November 25, no one called it a hack. Neither am I.
But if you heard about the event prior to reading this, did it cross your mind that it could have been a hack? What about other unusual events?
If not, and you’re an IT auditor or a security pro, you should at least consider such things, at least briefly. If not, you might want to check your professional skepticism sensor.
Minutes later, one of the security techs met me at Lynn’s cube with a box that we quickly filled with the contents of her desk: files, CDs, DVDs, notedpads, books, etc. The other help desk analysts in adjacent cubes looked at us with silent questions on their faces.
I noticed that one of them was a new employee that had attended my security presentation in employee orientation last week, so he knew who I was. That meant rumors would spread quickly. While I never enjoyed walkouts, they reminded the staff that security incidents have consequences.
This is a multi-part series. See Internal Attacker Detected: Part 1, Internal Attacker Detected: Part 2, and Internal Attacker Detected: Part 3.
Others on my team had already imaged the old computer and had started imaging the new one across the network as soon as my meeting with Lynn began (by design, she was not told of the meeting beforehand). Both images would be sent off to the Forensics team.
I wonder sometimes how many controls fail due to personal issues instead of design and performance issues. In other words, do controls fail more because of communication, turf, and personal issues or is it that the control is poorly designed or not performed?