Last week I was meeting with one of our company’s Accounts Payable clerks, who told me she was not concerned about some upcoming General Ledger changes.
2 changes that were submitted by developers on her behalf.
2 changes she didn’t know anything about, so she didn’t consider them her problem.
This post is a Quote of the Weak post. For more info on these types of posts, see the Quote of the Weak topic under About.
Continue reading →
Like this:
Like Loading...
Filed under Audit, Case Files, Quote of the Weak, Security, Security Scope
Tagged as accounts payable, acl, change, change control, data, general ledger, GL, sox, system, ticket
It’s 10 o’clock in the cloud. Do you know where all your user IDs are? Are some hidden in the cloud?
Cloud security if often cloudy because it’s not on premise where you can control it easier.
That means you may have powerful user IDs in the cloud that your security team knows nothing about, which means….
Continue reading →
Like this:
Like Loading...
Filed under Audit, Case Files, Technology
Tagged as Audit, cloud, database, hidden, ID, monitor, on premise, policy, Security, system, tone at the top, user
When checking system access, make sure you look at all the different items that affect the user’s access. For example, the user might need one or more of the following:
- Application ID
- Application role or group
- Membership in an local server group, Active Directory (AD) group, or UNIX Group
- Access to the application’s share and/or folder on the server
- Database ID
- Database role, including access permissions (read/write)
- Other permission (from a home-grown application code or enterprise identify management system)
Continue reading →
Like this:
Like Loading...
Filed under Audit, How to..., Security, Technology
Tagged as access, active, AD, admin, application, Audit, batch, confidential, contractor, data, database, directory, employee, file, financial, folder, format, generic, group, hipaa, HR, ID, LDAP, log, membership, new, non-personal, OS, PCI, permission, personal, role, script, setup, share, sox, system, Unix, user
If you probe networks, systems, and applications, you need a GOOJ card to protect yourself and your job.
In How to Stay Out of Jail, I recommended that anyone who scans, probes, or pokes networks, systems, or devices should always carry a get-out-of-jail (GOOJ) card. I also provided some reasons why such a card is critical.
Continue reading →
Like this:
Like Loading...
Filed under Audit, How to..., Security, Technology
Tagged as administrative access, application, audit committee, configuration, cracking, dumpster diving, encryption, exploits, forced entry, GOOJ, impersonation, investigations, logging, monitoring, network, probe, scanner, Security, sniffer, social engineering, system, tools, vulnerabilities, weaknesses