Quote: Not Concerned about General Ledger Changes

Last week I was meeting with one of our company’s Accounts Payable clerks, who told me she was not concerned about some upcoming General Ledger changes.

2 changes that were submitted by developers on her behalf.

2 changes she didn’t know anything about, so she didn’t consider them her problem.

This post is a Quote of the Weak post. For more info on these types of posts, see the Quote of the Weak topic under About.

 

Continue reading →

Do you have User IDs Hidden in the Cloud?

It’s 10 o’clock in the cloud. Do you know where all your user IDs are? Are some hidden in the cloud?

Cloud security if often cloudy because it’s not on premise where you can control it easier.

That means you may have powerful user IDs in the cloud that your security team knows nothing about, which means….

Continue reading →

How to Audit User Access

When checking system access, make sure you look at all the different items that affect the user’s access. For example, the user might need one or more of the following:

• Application ID
• Application role or group
• Membership in an local server group, Active Directory (AD) group, or UNIX Group
• Access to the application’s share and/or folder on the server
• Database ID
• Database role, including access permissions (read/write)
• Other permission (from a home-grown application code or enterprise identify management system)

Continue reading →

What Needs to be on a GOOJ Card?

If you probe networks, systems, and applications, you need a GOOJ card to protect yourself and your job.

In How to Stay Out of Jail, I recommended that anyone who scans, probes, or pokes networks, systems, or devices should always carry a get-out-of-jail (GOOJ) card. I also provided some reasons why such a card is critical.

Continue reading →