Business Owner vs Business IT vs IT Supplier - disaster recovery fun#1

This is another classic story that may raise a smile for some security pros out there....

Business Owner guy: <* shouting over the phone *> What's happening? Why can't my customer access the application?

Business IT bloke:  The whole IT Supplier's data center is currently down. It has something to do with the earthquake that happened 10 minutes ago. Seems like the data center was badly hit by the quake. I managed to get hold of the service manager and he has arranged an emergency meeting in 15 minutes to update us on the situation.

After 15mins, in the emergency meeting...

Business Owner guy: IT Supplier chap, I understand you have a lot to deal right now, but my application is business critical. When can you get it up again?I'm losing like 10K per minute here!

Business IT vs IT Supplier Fun#2 - setting data classification

Last month, I wrote a story about BIT vs ITS on who should be the one setting the security requirements... well, as you may have guessed, the saga shall continue. This time, it's about data classification.


The Storybrooke Post today's headlines: XYZ Company fined 100Mil by Storybrooke State for non-compliance with Data Security Act 1337

Business IT bloke: What the heck is this? <* smashing the paper on the table *> . After our last meeting, we have given you all the security requirements for our system. How come we are still non-compliance with that Data Security Act? I believe we have a breach of contract here!
IT Supplier chap: I don't think so. We have carried-out and protected your data in accordance with your security requirements. The recent audit report carried-out by XYZ Group Internal Audit department confirms that. <* showing the report to BIT bloke *>

Application Owner vs Information Security fun#1 - data flow security

Have you ever met an old stubborn mainframe guy that just can't think outside of his archaic box? I bet you did. This is a story about this guy I met sometimes ago..... (My friend Adriano called them "The Dinosaur". BTW, if you time, you should check out his piece on this.)

Application Owner dude: We are using mainframe and we have tight ACL in place. No one can access the data inside. It's a very secure environment. I don't see any security issues here... That web interface is just a front-end for customer to see their order status...We developed this one ourselves and manage the user accounts. It's not even open to public or guest, by the way....

Information Security lad: Well... we see that there are other internal applications interfacing with this mainframe as well. How do you ensure these interfaces are secure?

Application Owner dude: Again. As I have said and stressed for so.... many times. We have strong and tight ACL in place. Those interfaces are connecting to our mainframe with their own credentials and we make sure they can only access their part of data... <* keep bragging about how fantastic ACL works on Mainframe *>

Information Security lad: <* I need to do more to than just talking to this guy to show him that ACL alone is not enough *> We going to run some test.....

Application Owner dude: Go ahead lad... No one ever broken into our mainframe before. I'll bet my every pint of beer on that.

Senior Manager vs Information Security Fun#3 - on cloud services

1 year ago, in a ABC company not too far away....

Senior Manager mate: <*talking to the Board members*> I'm pleased to announce that we managed to save 100K by outsourcing our storage place to cloud service provider JKL... with this, we also reduce our IT spending as we don't need as many IT support personnel for our IT system as before. Another advantage is that, now we can access our data anywhere and anytime.... blah..blah...

6 months ago, in that very same ABC company.....

Senior Manager mate: <*talking to the Board members*> I'm pleased to announce that we managed to save another 50K by moving to another cloud service provider FGH.... blah.. blah..

3 days ago, still at that ABC company....

Information Security lad: Senior Manager sir, have you read the headlines today? It says "DEF company found ABC company data on JKL's cloud storage assigned to them"......

Share - 5 Scary Types of Security Professionals You Will Meet in Your Career

This one is written by a good friend of mine. It's a great piece and I'm certainly of the same view :)

5 Scary Types of Security Professionals You Will Meet in Your Career - by Adriano Dias Leite

5 – The NO-Master
4 – The By-The-Book Preacher
3 – The Dinosaur
2 – The Technology-Solves-It-All
1 – The paranoid

Which one are you? ;) 

My 2 cent: 4 – The By-The-Book Preacher reminds me of certain external auditor that like to quote "according to this ISO standard... according to this "statement" blah blah blah.... no wonder people hate auditors and opined that they are just bunch of stupid fella...

Read more here - http://www.myinfosecjob.com/2012/04/5-scary-types-of-security-professionals-you-will-meet-in-your-career/

Ain't security fun? ;)  

Fun with Lock Screen Policy

This one is based on a true story.....

Information Security lad: <* walking around the building and saw that most of the staffs "forgot" to lock their workstation's screen while they are away from their desk *> hmm.... I have sent many bulletins and reminders regarding this, but seems like they still don't get it. I have to do something.... I think my HR sis can help...

Information Security lad went to his HR friend and they work out an awareness "campaign"....

3 days later...

Information Security lad: <* walking around the building and saw a PC left without screen lock. He quickly sat down and open the email program *>. This going to be fun... I'm going to write an email...

Information Security vs Senior Manager Fun#2 - Admin right for "VIP" user

Here is another deja vu.....

Senior Manager mate: Love, have you got that report finished? I need it before lunch to present it to the Board.
Personal Assistant love: Sir, not yet. I tried to install that reporting software you gave me but it just failed... I tried it many time but it keeps telling me something like "insufficient right"... hell I know what's that mean...

Senior Manager mate:  Ah... I remember that.. something to do with admin right that IT folks set. Why these IT folks keep making my life harder each day!  <*picking up the phone and call the IT Supplier chap*> Can you come here immediately? I need you to install a reporting software on my PA's PC immediately.
<* IT Supplier chap arrived 5 minutes later*>

Senior Manager mate: Give my P.A the admin right. I need her to do other reports with other software and I don't like the need to call you every time I need to do so. I insist.
IT Supplier cap: If that you want Sir, please sign this admin right request form.... but before that, you should know that having admin right could increase the risk of virus infection....
Senior Manager mate: <* interrupting IT Supplier chap*> Yeah.. I know all that stuff... just get it done now!

Information Security vs Senior Manager Fun#1 - on BYOD

6 months ago...in a XYZ company far far away..

Senior Manager mate: You security guys put tons of security stuffs on my Windows laptop. It takes 15 minutes just to boot-up. Now you are telling me you want to put another piece of compliance software inside? Damm! I don't want to use this Windows shit anymore. See my Mac there. There is no virus attacking Mac. Mac is safe and in less than 5 minutes, I can already use it.
Information Security lad: Sir, the security software were installed to ensure your laptop is secure.. blah..blah.....
Senior Manager mate: Nah! I'll just use my Mac and iPad. Anyway, I know that BYOD policy has been approved as I'm part of the reviewer.
Information Security lad: In that case, please sign this exception form sir... <* explaining the risk of BYOD etc etc and in his head: well, I've done my job, I told you the risk and you accept it, I'm just gonna move on *> 

3 days ago.... still in that far far away XYZ company...