Every once in a while I question security controls, and the latest one I questioned was security questions.
I’m talking about those questions that financial sites like banking and credit card sites ask you when you log in. Not the ones used to reset your password (although this post applies to them too).
No, this won’t be a rant about the stupid questions that sites give you to choose from, such as your mother’s maiden name or your favorite color. I gave up questioning those issues long ago.
Filed under Security, Security Scout
Tagged as answer, bank, capital, color, credit card, letter, lowercase, maiden name, mother, question, Security, street, uppercase
Always test the test plan and make sure it actually tests the control or risk being assessed. And make sure the tester (especially when you are observing the tester rather than performing the test yourself) actually follows the test plan.
During a segregation of duties (SOD) test for an expense report approval system, an auditor was observing a client perform a test. The client was supposed to enter his user ID into the Approver field to demonstrate that he could not approve his own expense report.
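The point of the test plan above is that the step must exercise the segregation-of-duties control itself, not just produce some error. The following is an added example, not code from the original post or from any real expense system: a hypothetical approval function in two versions (a naive exact-match check and a hardened one that canonicalizes user IDs), plus a test-step helper that only counts the control as demonstrated when the rejection is a self-approval rejection. The user directory, IDs and exception names are all constructed for the example.

```python
"""Added example (not from the original post): a segregation-of-duties (SOD)
check for expense-report approval, and a test step that verifies the control
rather than merely observing that "an error message appeared".
"""

# Constructed user directory for the example; hypothetical, not from the post.
USERS = {"jsmith": "Jane Smith", "bjones": "Bob Jones"}


class SodViolation(Exception):
    """The approver is the submitter of the report: the SOD control fired."""


class UnknownUser(Exception):
    """The approver ID is not in the directory: a different failure entirely."""


def normalize_user_id(user_id: str) -> str:
    # In this hypothetical system user IDs are case-insensitive and may carry
    # stray whitespace from form input, so every comparison uses this form.
    return user_id.strip().lower()


def approve_naive(submitter: str, approver_as_typed: str) -> str:
    """Weak control: compares the raw typed value against the submitter.

    Typing 'JSMITH' or 'jsmith ' for submitter 'jsmith' slips past the exact
    match, the directory lookup then succeeds, and the self-approval goes
    through. The control is present on paper but bypassable in practice.
    """
    if approver_as_typed == submitter:
        raise SodViolation("submitter may not approve their own report")
    if normalize_user_id(approver_as_typed) not in USERS:
        raise UnknownUser(f"no such approver: {approver_as_typed!r}")
    return "approved"


def approve_hardened(submitter: str, approver_as_typed: str) -> str:
    """Hardened control: canonicalize first, resolve the user, then compare."""
    approver = normalize_user_id(approver_as_typed)
    if approver not in USERS:
        raise UnknownUser(f"no such approver: {approver_as_typed!r}")
    if approver == normalize_user_id(submitter):
        raise SodViolation("submitter may not approve their own report")
    return "approved"


def sod_test_step_passes(approve_fn, submitter: str, approver_as_typed: str) -> bool:
    """The test-plan step: the submitter enters an ID in the Approver field.

    Returns True only when the SOD control itself rejected the approval.
    Any other error (e.g. an unknown-user message from a mistyped ID) is a
    failure of the test step, because the control was never exercised; and a
    successful approval is a failure of the control.
    """
    try:
        approve_fn(submitter, approver_as_typed)
    except SodViolation:
        return True          # the control rejected the self-approval
    except Exception:
        return False         # some other error: the control was not tested
    return False             # approval succeeded: the control is bypassable


if __name__ == "__main__":
    for fn in (approve_naive, approve_hardened):
        for typed in ("jsmith", "JSMITH", "jsmith ", "jsmithx"):
            print(fn.__name__, repr(typed), sod_test_step_passes(fn, "jsmith", typed))
```

Run it and the naive version passes the step only when the tester types the ID exactly as stored; with a case change it approves the submitter's own report, and with a typo it raises an unknown-user error that an observer could easily mistake for the control working. The hardened version passes for every spelling of the real ID and still fails the step on the typo, which is the correct outcome: a mistyped ID is not evidence about the SOD control.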
Filed under Audit
Tagged as auditor, duties, duty, error message, expense report, failure, gain confidence, lowercase, plan, segregation, SOD, test, trick, uppercase