Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
EchelonVigil
Newcomer III
‎07-01-2024 09:51 AM
‎07-01-2024 09:51 AM

Don't Tell Me!!

During a recent consultation with a client regarding a device reformatting, they inadvertently disclosed their password in my presence before the system was even powered on. While the conversation was private, there were others within earshot.

 

I took this opportunity to educate the client on the importance of password security and maintaining confidentiality. Unfortunately, this is not an isolated incident when working with the general public.

 

What are your thoughts?

Reply
9 Replies
emb021
Advocate I
‎07-01-2024 10:34 AM
‎07-01-2024 10:34 AM

Anyone who works in consulting with a wide-range of clients will see this and a wide variety of bad security practices.

Don't be surprised.

Sad thing is, too many people working as IT support for small companies (and their leadership) were never training in basic IT practices.  So you should expect to see similar things and be prepared to educate your clients.

I was a consultant for 7 years with a variety of companies and saw a wide range of bad practices.  Passwords written on monitors.  Papers to be shredded in open boxes.  Networking closets propped open.  IT/Networking equipment mounted on walls that anyone could access.  IT/networking equipment in closes with HVAC systems that could be affected by water leaks.  Straight-cut shredders still in use.  etc etc etc

 

---
Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, CDPSE, GSLC, GSTRT, GLEG, GSNA, CIST, CIGE, ISSA Fellow
Reply
dcontesti
Community Champion
‎07-01-2024 01:56 PM
‎07-01-2024 01:56 PM

Believe it or not.  I once had an auditor demand to see a password display on a screen (instead of the ********).

 

They failed us on a SoX audit (which we know can have undesired results) as they could not see the 16 character password.

 

Well needless to say that they are no longer an auditor.

 

Even in this day many companies are really unaware of the consequences of sharing too much information.

 

d

Reply
EchelonVigil
Newcomer III
‎07-01-2024 03:32 PM
‎07-01-2024 03:32 PM

That's insane but I'm not surprised. The amount of people who are put in roles they shouldn't be never cease to amaze me.

 

Was the purpose of them requesting to see the password displayed explained or do you think that was a part of the audit?

Reply
dcontesti
Community Champion
‎07-01-2024 04:16 PM
‎07-01-2024 04:16 PM

The purpose of this portion of the audit was never clearly explained but I suspect they did not believe the system parameters that showed the length the password needed to be so they wanted to see it in practice.

 

d

 

Reply
emb021
Advocate I
‎07-02-2024 11:02 AM
‎07-02-2024 11:02 AM

@dcontesti 
There are ways to do this without showing the password.

Most auditors will accept the password parameters setting screen.

OR they can test it by typing in bad passwords and see if the system takes it.

But, yeah, dealing with auditors with little or no technical knowledge is a pain.  Due to their lack of knowledge they ask for unreasonable things and don't catch bad practices because they don't know better.

---
Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, CDPSE, GSLC, GSTRT, GLEG, GSNA, CIST, CIGE, ISSA Fellow
Reply
EchelonVigil
Newcomer III
‎07-02-2024 11:44 AM
‎07-02-2024 11:44 AM

That's insane, I would've called all of that into question. Utter madness that is.

Reply
Caute_cautim
Community Champion
‎07-02-2024 04:24 PM
‎07-02-2024 04:24 PM

@EchelonVigilAsk the auditor whether they are willing to sign a risk mitigation letter, which puts the full costs, blame on the auditing company and their individuals, should a compromise occur, as a consequence of their actions.  As stated previously if they are not, then change the Auditing company and report them back to the respective organisation and Ombudsman including ISACA as the sources of the CISA qualification, if they hold this certification at the very minimum.

 

However, in general, the big four, then to use their minions to do the leg work, to reduce costs, and the consulting partner only comes in to arbitrate a bad situation or avoid one.

 

Regards

 

Caute_Cautim

 

 

Reply
EchelonVigil
Newcomer III
‎07-03-2024 07:22 AM
‎07-03-2024 07:22 AM

Always remember, when it doubt, it's about the cost. Company's don't want to pay good money, they want to make it.

Reply
Caute_cautim
Community Champion
‎07-03-2024 06:58 PM
‎07-03-2024 06:58 PM

@EchelonVigil   Tell that to the investigators, insurance company why the organisation did not invest in protective measures....   Whilst the CISO is retrenched or pay-rolled rather than the CEO and associated team.

 

Regards

 

Caute_Cautim

Reply