Companies need to create a help desk for data, similar to the help desk they created for hardware, software, application, network, and user problems.
Can you imagine if companies didn’t have a computer help desk and each department had figure out their own computer issues? If each department had to find, load, configure, and troubleshoot their own hardware and software?
But isn’t that how most companies operate when it comes to data and data projects?
Filed under Audit, Data Analytics, How to...
This is the second of 3 posts; this post describes the audit, some speed bumps, and the audit results.
Read the first post here, which provides the background on the audit and the audit’s scope.
Filed under ACL, Audit, Case Files, Data Analytics, Scripting (ACL)
Test how much you know about automation technologies by taking the job automation quiz at Financial Management magazine.
Filed under Audit, Free, Security, Technology
At a company I worked at recently, I ran across a Sharepoint site and wondered whether I could download data that I wasn’t supposed to see.
Now I understand the purpose of SharePoint and company intranets is to share data, but even then, some data should be restricted to a limited number of people.
So I decided to check (before doing things like this, you better know How to Stay Out of Jail).
Filed under Audit, Excel, How to..., Security, Security Scout, Technology
Recently, a reader named Porak asked me what careers IT auditors can move to when they leave auditing (see the original question here).
I couldn’t find much on the Internet on this topic, but there’s a lot of options.
I’ve actually worked in quite a few of the areas mentioned below…
Filed under Audit, Employment, How to..., Technology
It’s 10 o’clock in the cloud. Do you know where all your user IDs are? Are some hidden in the cloud?
Cloud security if often cloudy because it’s not on premise where you can control it easier.
That means you may have powerful user IDs in the cloud that your security team knows nothing about, which means….
Filed under Audit, Case Files, Technology
It finally happened: I fell prey to a phishing email.
I actually clicked a link.
At work, no less. Not good.
Filed under Audit, Employment, Humor/Irony
If you like Dilbert cartoons or big data, you might enjoy Dilbert’s adventures in data analysis, data mining, data privacy, security, and dealing with a dumb manager.
Filed under Audit, Data Analytics, Humor/Irony
I had to get that database fast.
After a long security team meeting, garnished with lots of pepperoni and green olive pizza, we divided the staff into 2 teams. Team A started scanning and probing the target department’s servers in search of vulnerabilities that would provide us with admin access over the network.
Team B started planning a physical intrusion in case Team A failed.
After a couple hours, I was notified that the vulnerability team came up short. None of the identified vulnerabilities could be used to escalate our permissions.
A member of the physical intrusion team called maintenance and requested help from a specific maintenance guy: Zeke. The security team member said that we “needed Zeke’s help locating an electrical breaker panel” in a certain department.
This is the fourth post in a series. See Behind Locked Doors: Part 3. The next post will be the conclusion.
Filed under Audit, Case Files, fraud, Security, Technology
This time, it was my turn to call someone for help.
The phone rang half a ring before I heard a familiar “Hello?” on the other end.
“Hi, James, it’s Mack. I need a favor from you, and I need today, before 5 pm.”
“Not urgent, huh?”, James teased.
“Not really, I just need it today. And I need you to keep it quiet,” I warned.
This is the second post in a series. See Behind Locked Doors: Part 1.
Filed under Audit, Case Files, fraud, Security, Technology
It all started when the phone rang, which was typical.
Typical in the days when I was a security manager…
“Information Security, Mack here,” I said, as I continued to read the magazine in front of me.
“Hey Mack, this is Leeda. I need your help,” the voice said, as my mind started coming back online.
Leeda was a manager in Internal Audit; when I heard from her, it usually meant I had to carve a few weeks out of my schedule. Fast.
Filed under Audit, Case Files, fraud, Security, Technology
Windows 10 has a new feature called Wifi Sense that allows you to share wifi network access with others without sharing the wifi passkey – kinda.
I don’t see any sense in using it; too risky, and rather unnecessary.
Filed under Security, Technology
Effective April 15, 2015, the CISSP Common Body of Knowledge (CBK) is changing, which affects the CISSP exam and CPEs.
Filed under Certification, Security
ISC2, the organization that awards the CISSP certification, provides 1 FREE webcast about the 10 CISSP security domains, as well as several FREE webcasts about the CISSP concentrations.
Filed under Certification, Security
I consulted with a company that implemented a new GRC package, and unfortunately they are using an application designed for GRC to do audit workpapers.
That wasn’t the only move that was questionable…
Filed under Audit, Security, Security Scout, Technology
I just found some more FREE CISSP review material and practice exams. One exam is 100 questions, the other 250.
Filed under Certification, Free, Free Download, Security
When I was visiting a friend, she told me that her garage door opener no longer worked. For once, I did not suspect to find any security failures.
Occasionally, I am wrong.
Filed under Security Scout, Technology
One company I worked at had a sad data center failure, and I’m not talking a power outage or a fire or theft.
When I arrived at this company, it had no security department. Few security processes. Little security.
And the company also made two interesting mistakes when it hired me.
Filed under Audit, Case Files, Security, Security Scout
I was visiting a dear friend recently when I happened upon a security failure.
My friend lives in an upscale, assisted living facility and recently had thousands of dollars withdrawn from her accounts via ATM.
Filed under Security, Security Scout
ISC2.org, the organization that grants the CISSP certification, has a great, online, FREE global security resource guide.
No membership, certification, or log-in required!
Update 1-11-14: See Kim White’s comment below about availability of this resource. If it is made public, I will link to the new version. The “remove this post now” comment makes me wonder if it’s coming back for public consumption*. – Mack
Filed under Audit, Free, Free Download, Security
ISACA has a free glossary of IT, audit, and security terms that is not only helpful in studying for the CISA exam, but is a good reference guide for new and experienced auditors.
Filed under Audit, Free, Security, Technology
I recently ran into some unneighborly security. It happens all the time to those of us who know how to build, upgrade, secure, and troubleshoot hardware and software.
I’m over at my neighbor’s house and he says, “Hey, you work with computers, so can you take a look at mine?”
There goes the afternoon.
Filed under Security, Security Scout, Technology
If you’re an IT auditor (or want to be one) and don’t have any audit certifications, which certification should you get, the CISA or the CIA? If you want to get both, which one do you get first?
Full disclosure: I have the CISA, but not the CIA. Back when the CIA was 4 exams, I studied for all the CIA exams except the financial exam, but ended up not taking any of the exams. I also have the CISSP.
Filed under Audit, Certification, Security, Technology
IT admins and IT auditors often don’t see eye-to-eye, and they don’t usually think their goals are similar.
The IT auditor just has to work a little harder to convince the IT admin of that. I’ve worn both hats, so I know it can be done.
Twitter said that it was hacked again on Friday, 2/1/13, and attackers gained access to 250,000 accounts and passwords.
Twitter says the passwords were encrypted, the intrusion was limited, and and everyone’s taxes are going down soon (okay, I was kidding about the last one). It’s always hard to sort out what is true and how much of the truth is told, so regardless of what Twitter says, change your password.
Every once in a while I question security controls, and the latest one I questioned was security questions.
I’m talking about those questions that financial sites like banking and credit card sites ask you when you log in. Not the ones used to reset your password (although this post applies to them too).
No, this won’t be a rant about the stupid questions that sites give you to chose from, such as your mother’s maiden name or what is your favorite color. I gave up questioning those issues long ago.
Filed under Security, Security Scout
What’s the biggest problem in computer security, according to valsmith at carnal0wnage.attackresearch.com? Well, it’s…
Staffing.
As the author admits, the post leans toward self-promotion of the company, but it makes many good points and deserves a read and a good pondering.
A friend of mine received the following email on Friday, 2 full days after the LinkedIn attack was made public, titled “Important update regarding your LinkedIn password”. Here’s the text she received, addressed to her by her first and last name:
[see UPDATE below]
Filed under Security
We all know that LinkedIn was hacked and lost at least 6.5 million hashed passwords, or at least that’s how many were was posted. Besides changing passwords, is anyone thinking about their LinkedIn lock-down/security settings? What about other social media? See further below instructions for locking down LinkedIn, Facebook, Twitter, and Google+.
I recently found a Sarbanes-Oxley (SOX) Space Lazer (sic) on a network security diagram. No kidding. The following items also appeared:
Filed under Humor/Irony, Security, Technology
A while back when I worked in IT security, an internal attacker popped up on our radar…
I answered the phone and heard a tech from the anti-malware team say, “I think we have a problem, Mack. Got some time to come down and see what I found?”
Filed under Case Files, Security, Security Scout
Trend Micro’s Dave Asprey has posted 10 reasons not to virtualize.
I generally disagree with all of them (as I’ll explain later), but I think he missed the REAL #1 reason not to virtualize…
Filed under Technology, Top 10
If you haven’t determined how server virtualization changes your audit plans, you better get moving. I’m not just talking about a virtualization audit (more on that later), but the audits that you typically do every year or on a multi-year cycle.
For example, if every year you do an audit on all networks, servers, applications, and databases that host your key financial reporting or PHI systems, you’re looking at policies and procedures, configuration management, security (including patching), user access, logging, and so on. But do you first consider whether those assets run on virtualized servers?
Filed under Audit, How to..., Security, Technology
