The Nightmare Called Compliance: 3 Halloween Horror Stories

anecdotes team
April 10, 2024
anecdotes brings you Halloween horror stories from the Compliance world

The spookiest night of the year is right around the corner, and most of us are getting ready with jack-o'-lanterns, spider webs, and of course, hordes of candy. But in Security Compliance, we face our own particular brand of nightmares all year long. So in the spirit of Halloween, we bring you the second edition of horror stories from Compliance leaders who will be haunted by these ghastly incidents until the day they die (umm, OK, until they pass their next audit!).

Horror Story Number 1 - Ask before you Axe!
Terry O’Daniel, Head of Governance, Risk, and Compliance at Digital Analytics Solution provider Amplitude, describes his Compliance nightmare when a previous company’s leadership brought in an Internal Audit (IA) function led by a (supposedly) technically oriented manager. After a month on the job, O’Daniel’s scare began when the IA declared a significant deficiency in Engineering’s change management process (as per NIST SP 200-218 PW 7.2 - Perform code review based on organization’s coding standards). After many sleepless nights, he learned that the IA had reached this conclusion after a single incident, one that ultimately revealed the IA was unaware of the difference between the testing types (functional, unit, and integration testing). Instead of consulting properly with the team, the clueless IA made an unjustified assumption based on one Engineer’s comment. Because of his lack of understanding of the process and his hasty judgment, the IA immediately and erroneously lost trust in the organization.

Lesson learned: A little humility goes a long way. Ask questions and build relationships before becoming critical. Don’t judge a ghost until you’ve spent a whole day under a white sheet.

Horror Story Number 2 – Haunted by the Dead OS!
Ken Fishkin, Information Security Manager at the law firm Lowenstein & Sandler and President of ISC2 NJ, was tasked with assessing a prominent New York City non-profit against NYDFS 23 CRR-NY 500.2 - Use defensive infrastructure to protect entity’s information systems. His team was shocked to discover that all the organization’s workstations were still running Windows 7 long after Microsoft had declared the OS dead in the water. Without security support, the non-profit fell victim to a phishing scheme, which resulted in ransomware infecting every computer on its network. It took weeks to restore some of their critical systems, all the workstations had to be completely replaced, and their servers rebuilt from scratch. A true horror story!

Lesson learned: Ensure all workstations are updated to your organization’s required software version with the necessary anti-virus protection. Don’t settle for an outdated version of even the scariest campfire story. Even Stephen King updates his novels once in a while.

Horror Story Number 3 – The Service Account Killer!

Kerwyn Velasco, Senior Product Marketing Manager at anecdotes and Secretary of the ISACA NJ Chapter, tells a terrifying tale heard from an Active Directory Admin at a West Coast company. Instead of complying with AICPA TSC SOC2 CC6.6 - Require additional authentication and credentials when accessing the system outside the boundaries, a team member took a shortcut when creating service accounts used by applications: he named them after Star Wars characters so that they could be quickly identified. His plan worked a little too well! It turns out that threat actors have also heard of Han Solo, Darth Vader, Chewbacca, and other famous icons (imagine that!). They managed to brute-force one of the service accounts (at this time, enterprise MFA implementation wasn't a thing) and exfiltrate several terabytes of data before the company realized this ghastly error.

Lesson learned: Security through obscurity never works. Always use tried-and-true controls to secure systems accessed from outside your perimeter. Never open your back door on All Hallows’ Eve to anyone dressed like the Grim Reaper.

Stay Calm …

If you’re a Compliance leader hiding your head in a coffin instead of facing the monsters knocking at your door, consider adopting a Compliance OS. It’s the key to eliminating horror stories and your best bet for drastically reducing the time and resources invested in Compliance activities.

From all of us here at anecdotes, witching you all a Spook-tacular Halloween!

anecdotes team
Where Compliance Works