The Auditor Attack Vector


  • Where is this company that has programmers who earn more than their managers?

    This story makes it sound as if this was a bad thing!

    I have long thought that the highly-skilled element of any company should be the one that gets remunerated most, not just the ones that get to decide who gets what.

  • @sean

    I think the top managers and directors will always make the most money. I believe that our company will certainly employ plenty of Project Managers etc that earn much less than the more technical talent. It's definitely a good thing, and very likely at the moment, at least with talented and experienced programmers in very high demand in the UK. If you need a job we are pretty much constantly hiring!

  • 1. Find out who this employee is who picked up a thumb drive and fire them. It's a known ploy used by hackers to gain access to your network for ransom/data theft.

    2. I agree with the above - We need to get away from thinking managers must earn more than their reports. The world has changed.

    3. Oh and I forgot, CEO should probably resign / let themselves be publicly shamed by the rest of the company for putting the thumb drive in their computer too. Especially from an untrusted/anonymous source.

    So I would say - regardless of what security you might put on the data, there's always people who can be socially engineered to put a dodgy USB drive into their computer. That's the weakest link.

    🙂

    Giles

  • I have decided to skip the points covered above, as we do not know the full details, and the issues around what we speculate occurred have been, well, covered above.

    For me, the central point of the editorial is that someone was allowed to take unencrypted data offsite. The company should know better as should the auditors. These are two separate issues on the same point.

    The first issue should already be covered by company policy. This scenario still falls under that and, unless there are other reasons, I would prefer education over a sacking. Otherwise we tend to replace someone who may have been good at their job but made this mistake probably for the last time with someone who may be able to be good at the job but is more likely to make this mistake in the future.

    As for the auditors I am less altruistic. This is a common process for them and they should be recommending to their clients that either data is evaluated on site within existing security measures or should be transferred securely. I would expect more from them and make it abundantly clear.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • Had that been medical data instead of payroll, it could have been far worse for the CEO.

  • "Did you know that you have programmers making more than some of their managers?" the caller asked, quoting the specific people and their salaries.

    It's not surprising that senior level IT staff would earn at, or even somewhat more than, mid-level managers. Smart CEOs understand that, so no apology or controversy there. However, had the caller drawn attention to the issue that female staff in equivalent positions were consistently paid less than male counterparts, well then that's an "Oh, shite!" moment.

    The CEO did know, acknowledged this, but declined to discuss the matter. Instead he asked who was on the phone, and how they knew the salaries of his employees.

    Big mistake. Don't acknowledge anything potentially embarrassing, unless you're required to by law. The first thing the CEO should have said was: "Who is this?", and then he should have hung up.

    However when he opened the package, he realized none of his employees was to blame. Instead, this was a drive given to an auditor that was verifying the accounting practices of the company.

    Perhaps one of his employees is to blame after all. Who the hell provides thumb drives with data dumps to auditors? I've assisted in external audits (routine yearly audits for industry or SOX compliance), and what happens is that IT provides executive management with reports containing only specific columns conforming to a standard format, reports which specifically don't include personal identifiers or other attributes (like salary) that fall outside the scope of the audit. Executive management and legal review the reports and then hand them off to the auditor. The CEO didn't know what data had been handed off to the auditors?

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
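The column-restricted, identifier-free audit report that the post above describes, written out as an added Python example; this is not the poster's code and not any audit tool's. The payroll rows, the approved column list and the key are constructed for the illustration. It goes one step beyond the post by replacing employee identifiers with keyed tokens (HMAC) so that the auditor can still reconcile rows against each other without IT handing over who the people are.

```python
"""Scope-limited auditor extract (illustrative, constructed example).

Assumes payroll rows arrive as dicts and that the audit's approved
column list has been agreed in advance; both are made up here.
"""
import hashlib
import hmac

# Constructed sample payroll rows; name and salary are out of audit scope.
PAYROLL = [
    {"employee_id": "E1001", "name": "A. Example", "cost_centre": "CC-10",
     "salary": 85000, "expense_total": 1200.50, "approver": "E2000"},
    {"employee_id": "E1002", "name": "B. Example", "cost_centre": "CC-10",
     "salary": 62000, "expense_total": 310.00, "approver": "E2000"},
    {"employee_id": "E2000", "name": "C. Example", "cost_centre": "CC-20",
     "salary": 70000, "expense_total": 0.0, "approver": "E3000"},
]

# Columns the (constructed) engagement letter permits in the extract.
APPROVED_COLUMNS = ("employee_id", "cost_centre", "expense_total", "approver")

# Columns that identify a person or carry compensation.
IDENTIFIERS = ("employee_id", "approver")   # exported only as keyed tokens
SENSITIVE = ("name", "salary")              # never exported


class ScopeViolation(ValueError):
    """Raised when an extract request asks for data outside the audit scope."""


def pseudonymise(value, key):
    """Stable keyed token for an identifier. Same input, same token, so the
    auditor can match approver to employee rows; the key stays with IT."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def build_extract(rows, requested, key):
    """Return rows restricted to the requested columns.

    Every requested column must be approved and must not be sensitive;
    identifier columns are replaced by keyed tokens before export.
    """
    bad = [c for c in requested if c not in APPROVED_COLUMNS or c in SENSITIVE]
    if bad:
        raise ScopeViolation(f"out-of-scope columns requested: {bad}")
    out = []
    for row in rows:
        rec = {}
        for col in requested:
            val = row[col]
            if col in IDENTIFIERS:
                val = pseudonymise(val, key)
            rec[col] = val
        out.append(rec)
    return out


def check_extract(extract, source_rows):
    """Second-line check before the extract leaves the building: confirm no
    sensitive column and no raw identifier value slipped through."""
    raw_ids = {r["employee_id"] for r in source_rows} | {r["approver"] for r in source_rows}
    for rec in extract:
        if any(c in rec for c in SENSITIVE):
            return False
        if any(v in raw_ids for v in rec.values() if isinstance(v, str)):
            return False
    return True


if __name__ == "__main__":
    key = b"constructed-demo-key-rotate-per-engagement"
    extract = build_extract(PAYROLL, ["employee_id", "cost_centre", "expense_total"], key)
    for rec in extract:
        print(rec)
    print("extract passes scope check:", check_extract(extract, PAYROLL))
    try:
        build_extract(PAYROLL, ["employee_id", "salary"], key)
    except ScopeViolation as exc:
        print("rejected:", exc)
```

The point of splitting `build_extract` from `check_extract` is that the second check can be run by someone other than the person who produced the file (legal, or the executive doing the hand-off), which is the review step the post describes.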

  • Upper management doesn't always know what happens with auditors. I've been in Fortune 100 audits where subject matter experts dealt with auditor details and provided data to auditors prior to the final reports for execs.

    I heard about this first hand, and it's not surprising. There are senior and junior auditors as well, and they may request and get data. Certainly the auditor is at fault here for not securing a thumb drive, and I didn't ask about the repercussions for the auditors.

    I also didn't ask whether the CEO plugged in the drive or had someone check it first. Certainly that's a consideration, but that isn't the point. Being aware and securing data at rest, especially in devices that can be moved, is important.

  • Plugging an unknown USB drive into your computer is one of the daftest things anyone can do. Besides the risk of viruses and malware, there were some around earlier this year that destroyed a person's PC. Basically, they had a number of capacitors inside that would build up a large charge and then zap the PC through the USB port. This was repeated until the PC or USB stick was more or less destroyed!

    You have been warned!

  • Agree on all the above, but wanted to add that "planning for unexpected transparency" isn't a bad idea. Keep only the data you need to keep, play fair with employers and customers and vendors, and be ready to deal with the "how" the leak happened more than the "what". I personally think managers should know what their team makes and I don't think it's wrong/unexpected to have someone on the team that makes more than a manager, in part because that's just how life works and in part because most managers are eligible for performance bonuses beyond those offered to team members (I hate to use the 'individual contributor' phrase!).

    It does make you appreciate - all over again - how hard security is when you have the big dog plugging in an unknown drive.

  • It doesn't happen just with audits either. At a previous gig with a company staffed by very technically capable people, a company that is in the software business, I once stumbled upon a spreadsheet on the network with compensation information on it. No encryption, no password protection, just plain text for anybody to see. I reported it immediately. But the point is, for reasons of convenience or laziness or something else, human nature often beats the best security practices. Social engineering works for a reason.

    Hakim Ali
    www.sqlzen.com

  • With regards to compensation, when I managed 10 DBAs, 9 of them made more than me.

  • mjh 45389 (12/1/2015)

    Plugging an unknown USB drive into your computer is one of the daftest things anyone can do. Besides the risk of viruses and malware, there were some around earlier this year that destroyed a person's PC. Basically, they had a number of capacitors inside that would build up a large charge and then zap the PC through the USB port. This was repeated until the PC or USB stick was more or less destroyed!

    You have been warned!

    So, rather than the usual Trojan software attack, you're talking about Trojan hardware; the device itself has been designed with capacitors for the sole purpose of releasing an electric charge into the PC? That's very interesting.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Steve Jones - SSC Editor (12/1/2015)

    With regards to compensation, when I managed 10 DBAs, 9 of them made more than me.

    Something like HR or financial data, especially when it's been leaked externally, can be incomplete or misleading. For example, the data in question could have contained only the base salary for each employee. Managers often get paid an additional performance bonus based on departmental milestones and metrics, even if their direct reports are only paid base with perhaps only a more moderate fixed bonus. That's the pitfall of attempting to draw conclusions from raw data taken out of context, something like the media's interpretation of the Sony, US State Department, or Ashley Madison hacks; we really don't know what we're looking at or if we have the complete picture.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Hmm... this sounds like a general issue with hiring any third party contractor, auditor or otherwise: they have much less reason to care if they lose data than a permanent employee. I'm really not seeing anyone to blame besides the auditor here, and if he's already moved on there's not a lot that can be done.
