I’ve written before how some periodic reviews provide management with little assurance, but management doesn’t realize how little.
My previous post focused mostly on server access. In this post, I want to look at normal user access.
For example, let’s assume your company has a policy that states that all IDs must be assigned within an Active Directory group. In other words, IDs are assigned to groups, and groups are assigned to assets; IDs should not be assigned directly to an asset.
Assume the control you are testing states that user access is reviewed annually.
Filed under Audit, Security, Technology
Tagged as active directory, asset, assurance, group, management, MODIFY, periodic, permission, policy, read, review, user, WHAT, WHERE, WHO
It’s 10 o’clock in the cloud. Do you know where all your user IDs are? Are some hidden in the cloud?
Cloud security is often cloudy because it’s not on premises, where you can control it more easily.
That means you may have powerful user IDs in the cloud that your security team knows nothing about, which means….
Filed under Audit, Case Files, Technology
Tagged as Audit, cloud, database, hidden, ID, monitor, on premise, policy, Security, system, tone at the top, user
And in unprotected documents.
Lots of passwords. Lots of documents. Lots of easy access.
Filed under Audit, Humor/Irony, Security
Tagged as administrator, approval, clear text, complex, email, hack, north korea, outlook, password, policy, signoff, skateboard94, sony
If you haven’t determined how server virtualization changes your audit plans, you had better get moving. I’m not just talking about a virtualization audit (more on that later), but about the audits that you typically do every year or on a multi-year cycle.
For example, if every year you do an audit on all networks, servers, applications, and databases that host your key financial reporting or PHI systems, you’re looking at policies and procedures, configuration management, security (including patching), user access, logging, and so on. But do you first consider whether those assets run on virtualized servers?
Filed under Audit, How to..., Security, Technology
Tagged as access, admin, Audit, backup, change, citrix, configuration, disaster, ESX, expertise, guest, host, hyper-v, policy, recovery, risk, Security, server, snapshot, Unix, user, virtual, VMWare, Windows, Xen
I was at a client’s site looking for more contract work when the manager of the department started telling me about their great IT security website on their Intranet. She clicks on their random generator password page and shows me how you can generate a block of “approved” passwords, sanctioned by their security department. At the top of the page, a banner read: Select a Strong Password!
Filed under Humor/Irony, Security, Security Scout
Tagged as generator, letter, number, password, policy, random, Security Scout, special character, strong, weak
CSO magazine had a great article some time ago that I came across again entitled, How Not to Hire an Information Security Officer Who’s on Parole. After it describes some true-life hiring horrors, it provides some good points to remember about hiring:
Filed under Audit, Employment, How to..., Security
Tagged as access, background, check, cso, hiring, mistake, parole, policy, request
In Case File: Audit Server Disappeared, I noted that a friend of mine learned that IT had, on its own prerogative, wiped a server belonging to Internal Audit because “it never appeared to be used.”
Some of you already commented on some of the issues involved in this incident and the normal IT activities that should have prevented this incident (or at least alerted IT that something was wrong). Let’s review those comments and I’ll add some other details and comments.
Filed under Audit, Case Files
Tagged as 2Hats, asset, Audit, audit monkey, authorization, backup, case file, change, chicken, classification, coffeeking, control, data, detection, disappearing, egg, IT, log, management, monitoring, patch, policy, retention, server, wiping
In Standard (Snake) Oil, I complained about companies that don’t audit according to standards because some treat control owner statements as pure gold, don’t insist evidence be tied back to actual systems, and don’t ask all the appropriate questions.
Here are a few more questionable practices that I’ve challenged all too recently.
An example of a serious office policy failure…
SAN JOSE, Calif. — An office worker cleaning a refrigerator full of rotten food created a smell so noxious that it sent seven co-workers to the hospital and made many others ill.
Lenny Zeltser, of the SANS Internet Storm Center, posted his Three Laws of Behavior Dynamics for Information Security. These laws describe why people follow or don’t follow new security initiatives. Basically, they describe how people react to change in general, but Zeltser focuses on security change specifically.
Filed under Security
Tagged as 3 laws, behavior dynamics, handler's diary, information security, internet, internet storm center, lenny zeltser, policy, resistance, sans, Security, status quo, threat level, vendor updates, vulnerability