EchelonVigil
Newcomer III

Don't Tell Me!!

During a recent consultation with a client regarding a device reformatting, they inadvertently disclosed their password in my presence before the system was even powered on. While the conversation was private, there were others within earshot.

 

I took this opportunity to educate the client on the importance of password security and maintaining confidentiality. Unfortunately, this is not an isolated incident when working with the general public.

 

What are your thoughts?

9 Replies
emb021
Advocate I

Anyone who works in consulting with a wide-range of clients will see this and a wide variety of bad security practices.

Don't be surprised.

Sad thing is, too many people working as IT support for small companies (and their leadership) were never trained in basic IT practices. So you should expect to see similar things and be prepared to educate your clients.

I was a consultant for 7 years with a variety of companies and saw a wide range of bad practices. Passwords written on monitors. Papers to be shredded in open boxes. Networking closets propped open. IT/Networking equipment mounted on walls that anyone could access. IT/networking equipment in closets with HVAC systems that could be affected by water leaks. Straight-cut shredders still in use. Etc., etc., etc.

 

---
Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, CDPSE, GSLC, GSTRT, GLEG, GSNA, CIST, CIGE, ISSA Fellow
dcontesti
Community Champion

Believe it or not, I once had an auditor demand to see a password displayed on a screen (instead of the ********).

 

They failed us on a SOX audit (which we know can have undesired results) as they could not see the 16-character password.

 

Well, needless to say, they are no longer an auditor.

 

Even in this day many companies are really unaware of the consequences of sharing too much information.

 

d

EchelonVigil
Newcomer III

That's insane, but I'm not surprised. The number of people who are put in roles they shouldn't be never ceases to amaze me.

 

Was the purpose of them requesting to see the password displayed explained or do you think that was a part of the audit?

dcontesti
Community Champion

The purpose of this portion of the audit was never clearly explained, but I suspect they did not believe the system parameters that showed the length the password needed to be, so they wanted to see it in practice.

 

d

 

emb021
Advocate I

@dcontesti 
There are ways to do this without showing the password.

Most auditors will accept the password parameters setting screen.

OR they can test it by typing in bad passwords and see if the system takes it.

But, yeah, dealing with auditors with little or no technical knowledge is a pain. Due to their lack of knowledge they ask for unreasonable things and don't catch bad practices because they don't know better.

---
Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, CDPSE, GSLC, GSTRT, GLEG, GSNA, CIST, CIGE, ISSA Fellow
EchelonVigil
Newcomer III

That's insane; I would've called all of that into question. Utter madness, that is.

Caute_cautim
Community Champion

@EchelonVigil Ask the auditor whether they are willing to sign a risk mitigation letter, which puts the full costs and blame on the auditing company and their individuals, should a compromise occur as a consequence of their actions. As stated previously, if they are not, then change the auditing company and report them back to the respective organisation and Ombudsman, including ISACA as the source of the CISA qualification, if they hold this certification at the very minimum.

 

However, in general, the big four tend to use their minions to do the leg work, to reduce costs, and the consulting partner only comes in to arbitrate a bad situation or avoid one.

 

Regards

 

Caute_Cautim


EchelonVigil
Newcomer III

Always remember, when in doubt, it's about the cost. Companies don't want to pay good money, they want to make it.

Caute_cautim
Community Champion

@EchelonVigil Tell that to the investigators and the insurance company: why the organisation did not invest in protective measures.... Whilst the CISO is retrenched or pay-rolled rather than the CEO and associated team.

 

Regards

 

Caute_Cautim