It’s 10 o’clock in the cloud. Do you know where all your user IDs are? Are some hidden in the cloud?
Cloud security if often cloudy because it’s not on premise where you can control it easier.
That means you may have powerful user IDs in the cloud that your security team knows nothing about, which means….
Continue reading →
Like this:
Like Loading...
Filed under Audit, Case Files, Technology
Tagged as Audit, cloud, database, hidden, ID, monitor, on premise, policy, Security, system, tone at the top, user
When checking system access, make sure you look at all the different items that affect the user’s access. For example, the user might need one or more of the following:
- Application ID
- Application role or group
- Membership in an local server group, Active Directory (AD) group, or UNIX Group
- Access to the application’s share and/or folder on the server
- Database ID
- Database role, including access permissions (read/write)
- Other permission (from a home-grown application code or enterprise identify management system)
Continue reading →
Like this:
Like Loading...
Filed under Audit, How to..., Security, Technology
Tagged as access, active, AD, admin, application, Audit, batch, confidential, contractor, data, database, directory, employee, file, financial, folder, format, generic, group, hipaa, HR, ID, LDAP, log, membership, new, non-personal, OS, PCI, permission, personal, role, script, setup, share, sox, system, Unix, user
If you probe networks, systems, and applications, you need a GOOJ card to protect yourself and your job.
In How to Stay Out of Jail, I recommended that anyone who scans, probes, or pokes networks, systems, or devices should always carry a get-out-of-jail (GOOJ) card. I also provided some reasons why such a card is critical.
Continue reading →
Like this:
Like Loading...
Filed under Audit, How to..., Security, Technology
Tagged as administrative access, application, audit committee, configuration, cracking, dumpster diving, encryption, exploits, forced entry, GOOJ, impersonation, investigations, logging, monitoring, network, probe, scanner, Security, sniffer, social engineering, system, tools, vulnerabilities, weaknesses