Tag Archives: failure

Bank’s Change Management Troubles

AuditMonkey has written about the Royal Bank of Scotland’s change management troubles.

Filed under Audit, Technology

Security Failure: Empty Your Garage

When I was visiting a friend, she told me that her garage door opener no longer worked. For once, I did not expect to find any security failures.

Occasionally, I am wrong.

Filed under Security Scout, Technology

Data Center Failure: Conclusion

In previous posts, I described how I gained access to the data center area and then the data center proper.

I had bypassed door #1 and door #2.

My new colleagues were not happy.

Filed under Case Files, Security, Security Scout

Data Center Failure: Going Behind Door #2

In my previous post, I described a data center failure that I discovered as the newly hired security manager of a prominent company.

In this post, I describe my next adventure.

NOTE: Some of the details below were changed a bit to protect the guilty. I tweaked their noses enough. :)

Filed under Case Files, Security, Security Scout

Data Center Failure

One company I worked at had a sad data center failure, and I’m not talking a power outage or a fire or theft.

When I arrived at this company, it had no security department. Few security processes. Little security.

And the company also made two interesting mistakes when it hired me.

Filed under Audit, Case Files, Security, Security Scout

Security Failure: Empty Your Drawers

I was visiting a dear friend recently when I happened upon a security failure.

My friend lives in an upscale, assisted living facility and recently had thousands of dollars withdrawn from her accounts via ATM.

Filed under Security, Security Scout

NFL Sprinkler Interruption a Hack?

NFL sprinkler hack?

When the sprinkler system caused an interruption of the Miami-Seattle NFL game on Sunday, November 25, no one called it a hack. Neither am I.

But if you heard about the event prior to reading this, did it cross your mind that it could have been a hack? What about other unusual events?

If not, and you’re an IT auditor or a security pro, you should at least consider such things, at least briefly. If not, you might want to check your professional skepticism sensor.

Filed under Security, Security Scout

Internal Attacker Detected: Conclusion

Minutes later, one of the security techs met me at Lynn’s cube with a box that we quickly filled with the contents of her desk: files, CDs, DVDs, notepads, books, etc. The other help desk analysts in adjacent cubes looked at us with silent questions on their faces.

I noticed that one of them was a new employee that had attended my security presentation in employee orientation last week, so he knew who I was. That meant rumors would spread quickly. While I never enjoyed walkouts, they reminded the staff that security incidents have consequences.

This is a multi-part series. See Internal Attacker Detected: Part 1, Internal Attacker Detected: Part 2, and Internal Attacker Detected: Part 3.

Others on my team had already imaged the old computer and had started imaging the new one across the network as soon as my meeting with Lynn began (by design, she was not told of the meeting beforehand). Both images would be sent off to the Forensics team.

Filed under Case Files, Security, Security Scout

Plan to Test the Test Plan

Always test the test plan and make sure it actually tests the control or risk being assessed. And make sure the tester (especially when you are observing the tester rather than performing the test yourself) actually follows the test plan.

During a segregation of duties (SOD) test for an expense report approval system, an auditor was observing a client perform a test. The client was supposed to enter his user ID into the Approver field to demonstrate that he could not approve his own expense report.

Filed under Audit

It’s not Business, it’s Personal

I wonder sometimes how many controls fail due to personal issues instead of design and performance issues. In other words, do controls fail more because of communication, turf, and personal issues or is it that the control is poorly designed or not performed?

Filed under Audit