IT Auditor Borrowed a Partitioned Encrypted USB of mine

  • 19-12-2013 10:05pm
    #1
    Registered Users, Registered Users 2 Posts: 1,426 ✭✭✭


    She also proceeded to leave a lot of sensitive company documents on it relating to our systems. What should I do.... should I bring it to my manager's attention... I know I could potentially be in the wrong for giving her the USB key (but then again there's nothing stopping her going out and buying her own), but also there is a side of sloppiness in her not deleting the information off of it.

    Edit: the documents were in the unencrypted part


Comments

  • Closed Accounts Posts: 18,268 ✭✭✭✭uck51js9zml2yt


    In my opinion, most definitely.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    We'll need more details.

    My read so far:

    External IT auditor comes into company, asks to borrow USB disk (why is there no universal name for them yet?), half is encrypted, half is not, she leaves company files on the unencrypted part with the guy she borrowed it from, who presumably works in IT for the company she is auditing.

    What is she auditing? PCI? ISO27k1?

    That aside, I'm not sure what the problem is. If you are using strong crypto on your USB stick, you don't need to worry. The docs she looked at stayed on the stick. What are you worried about?

    Edit:

    You said it's sensitive information. Is it above your security clearance? If so, then report to your manager straight away.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    syklops wrote: »
    You said it's sensitive information. Is it above your security clearance? If so, then report to your manager straight away.

    Yep.

    If not, just delete and move on. It's stuff you already have access to.


  • Registered Users, Registered Users 2 Posts: 5,112 ✭✭✭Blowfish


    Khannie wrote: »
    If not, just delete and move on.
    I wouldn't say that. I'd have serious questions about the competence of an auditor who leaves the organisation they are auditing open to potential loss of sensitive data. At the very least, whoever in the organisation is responsible for InfoSec should be made aware of it.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Blowfish wrote: »
    I wouldn't say that. I'd have serious questions about the competence of an auditor who leaves the organisation they are auditing open to potential loss of sensitive data. At the very least, whoever in the organisation is responsible for InfoSec should be made aware of it.

    Unless I'm missing something, there is no potential loss of data. I agreed with reporting if the data is outside the USB key holder's security level.


  • Registered Users, Registered Users 2 Posts: 5,112 ✭✭✭Blowfish


    Khannie wrote: »
    Unless I'm missing something, there is no potential loss of data. I agreed with reporting if the data is outside the USB key holder's security level.
    It depends on how paranoid you are, I suppose. For us, storing any non-public data in an unencrypted format is at the very least going to result in a slap on the wrist. The fact that nothing occurred from it in this instance is irrelevant; it's the fact that they are using poor practices, which could lead to potential future data loss if, say, during the next audit the auditor popped the USB key in their pocket while on lunch and it was then lost or stolen.

    This is why I said the InfoSec guys should know so they can at the very least give out to the auditor so it doesn't reoccur.

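    The confusion in this thread is that one stick had an encrypted part and an unencrypted part, and the files landed on the wrong one. Before copying anything sensitive to removable media it is worth checking which partition actually carries an encryption header rather than trusting a label. The following is an added example, not code from the thread or from any project mentioned in it; it assumes the encrypted part is a LUKS container (the thread never says what encryption the OP used, so that is an assumption) and checks for the LUKS1/LUKS2 on-disk header magic, falling back to recognising an ordinary boot-sector filesystem as plaintext. The sample images are constructed in memory; on a real device you would read the first few KiB of the partition (e.g. `/dev/sdX1`), which needs elevated privileges.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"            # primary header magic shared by LUKS1 and LUKS2
LUKS2_SECONDARY_MAGIC = b"SKUL\xba\xbe"  # LUKS2 secondary (backup) header magic


def _cstr(raw):
    """Decode a NUL-padded fixed-width header string."""
    return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def inspect_partition(blob):
    """Classify the first bytes of a partition as LUKS1, LUKS2, a plaintext
    filesystem with a boot-sector signature, or unknown.

    Returns a dict with at least 'encrypted' (bool) and 'format' (str).
    """
    if len(blob) >= 8 and blob[:6] in (LUKS_MAGIC, LUKS2_SECONDARY_MAGIC):
        version = struct.unpack(">H", blob[6:8])[0]
        if version == 1 and len(blob) >= 208:
            # LUKS1 phdr: cipher name @8, cipher mode @40, hash spec @72,
            # key length in bytes @108 (big-endian uint32), UUID @168.
            return {
                "encrypted": True,
                "format": "LUKS1",
                "cipher": f"{_cstr(blob[8:40])}-{_cstr(blob[40:72])}",
                "hash": _cstr(blob[72:104]),
                "key_bits": struct.unpack(">I", blob[108:112])[0] * 8,
                "uuid": _cstr(blob[168:208]),
            }
        if version == 2 and len(blob) >= 208:
            # LUKS2 binary header: header size @8 (uint64), label @24 (48 bytes),
            # checksum algorithm @72 (32 bytes), UUID @168 (40 bytes). The cipher
            # is described in the JSON area that follows the binary header.
            return {
                "encrypted": True,
                "format": "LUKS2",
                "header_size": struct.unpack(">Q", blob[8:16])[0],
                "label": _cstr(blob[24:72]),
                "checksum_alg": _cstr(blob[72:104]),
                "uuid": _cstr(blob[168:208]),
            }
        return {"encrypted": True, "format": f"LUKS (unhandled version {version})"}
    # A jump instruction at byte 0 plus the 0x55AA signature at 510 is the
    # classic boot sector of FAT/NTFS style volumes: data on it is in the clear.
    if len(blob) >= 512 and blob[510:512] == b"\x55\xaa" and blob[0] in (0xEB, 0xE9):
        return {"encrypted": False,
                "format": "plaintext filesystem (boot sector signature)",
                "oem_name": _cstr(blob[3:11])}
    return {"encrypted": False, "format": "unknown (no recognised header)"}


def safe_to_store_sensitive(blob):
    """Policy check: only a partition with a recognised encryption header passes."""
    return inspect_partition(blob)["encrypted"]


# --- constructed sample images (assumed values, not captured from a real device) ---
def luks1_sample():
    hdr = bytearray(592)                      # LUKS1 phdr is 592 bytes
    hdr[0:6] = LUKS_MAGIC
    hdr[6:8] = struct.pack(">H", 1)
    hdr[8:11] = b"aes"
    hdr[40:51] = b"xts-plain64"
    hdr[72:78] = b"sha256"
    hdr[104:108] = struct.pack(">I", 4096)    # payload offset in sectors
    hdr[108:112] = struct.pack(">I", 64)      # 64-byte (512-bit) master key
    hdr[168:204] = b"00000000-0000-4000-8000-000000000000"
    return bytes(hdr)


def fat_sample():
    sec = bytearray(512)
    sec[0:3] = b"\xeb\x3c\x90"
    sec[3:11] = b"MSDOS5.0"
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)


if __name__ == "__main__":
    for name, img in (("encrypted part", luks1_sample()), ("plain part", fat_sample())):
        print(name, inspect_partition(img))
```

    The check only tells you that a partition is a LUKS container; it does not tell you whether the container is currently unlocked, or whether a file you are about to write is going inside it rather than onto the sibling plaintext partition, so it belongs in a "which device node am I writing to" step of a copy script rather than as the only safeguard.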

  • Registered Users, Registered Users 2 Posts: 1,426 ✭✭✭Neon_Lights


    Hi guys,

    Thanks for the help; I have read through everything and there are some interesting points. What I did in the end was read through the files, which contained a lot of internal business system information, access controls, server and port mappings to the applications, and sensitive data extracts from system tables. Safe to say I deleted them, as that is something our systems admins and DBAs should know. I did not bring it to the attention of the person in charge of IT Security yet but will do in the new year.

    I do feel partially to blame; it was sloppy on my part, admittedly, but I thought it was awfully sloppy on the part of the auditor. It makes me question the value of the practice, seeing as a "professional" in one if not more of the areas highlighted above would leave a window open for a customer's data being exploited. Not sure which area of IT audit they are doing, it's not my job to know, although saying that, it makes me wonder whether I should find out.

    As for being paranoid, I do think you have to take this point of view with information security in this day and age. If information like this gets into the wrong hands it can do reprehensible damage to a company, both in terms of its IT and day to day operations.

    Edit: The information is out of my remit for the particular systems they were viewing, but I do have access rights to it on other systems which I operate.


  • Registered Users, Registered Users 2 Posts: 78,580 ✭✭✭✭Victor


    It is quite possible this was part of the test.

    You were meant to report it to your manager.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    I'm curious what the OP's role is in the company and the circumstances in which the auditor borrowed the USB drive from him.

    I go into companies a lot for pen testing, PCI compliance checks and so on. Usually, you are put sitting next to the IT team, or the InfoSec team. Is it possible the auditor assumed the OP was a member of the IT or InfoSec teams and thought the documents would be safe with him?


  • Registered Users, Registered Users 2 Posts: 11,205 ✭✭✭✭hmmm


    I've rarely (with only a few exceptions) come across an IT auditor that had much of a clue about security, and I'm not surprised one wouldn't be able to figure out how to use an encrypted partition. Tick-the-box merchants, straight out of college for the most part, obsessed with password length and other security settings that were relevant in the 80s.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    hmmm wrote: »
    I've rarely (with only a few exceptions) come across an IT auditor that had much of a clue about security, and I'm not surprised one wouldn't be able to figure out how to use an encrypted partition. Tick-the-box merchants, straight out of college for the most part, obsessed with password length and other security settings that were relevant in the 80s.

    I agree on all counts except password length. Still very much relevant. I get irritated with complicated password requirements when length really is all that matters.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    syklops wrote: »
    I agree on all counts except password length. Still very much relevant. I get irritated with complicated password requirements when length really is all that matters.

    Two dictionary words might make a long password, but it's potentially very weak. I generally think everyone should use KeePass or similar.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Khannie wrote: »
    Two dictionary words might make a long password, but it's potentially very weak. I generally think everyone should use KeePass or similar.

    Not two. Four or five at least.

    I'm not convinced by KeePass. I tried writing my own, but I couldn't give it the time it needed.

    The truth is, in a lot of cases the length and configuration of the password is irrelevant. What matters is the hash it gets stored as.

    Anyway we digress.

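    The last few posts make two separate points: that length beats complexity only when the words are chosen at random from a big enough list (two common words is not enough, four or five is), and that how the password is stored matters at least as much as what the password is. The following is an added example, not code from the thread or from KeePass; it puts numbers on both claims. The vocabulary sizes and attacker guess rates are constructed, order-of-magnitude assumptions, and the storage function uses salted PBKDF2-HMAC-SHA256 from the Python standard library as one reasonable slow hash, not the only choice.

```python
import hashlib
import math
import secrets
import string

# Constructed assumptions for this illustration (not figures from the thread):
# a Diceware-style list holds 7776 words; an attacker's dictionary of common
# English words is assumed to hold 20,000 entries; guess rates are rough
# order-of-magnitude values for an offline attack on a leaked hash.
DICEWARE_WORDS = 7776
COMMON_WORDS = 20_000
PRINTABLE_ASCII = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
GUESSES_PER_SEC_FAST_HASH = 1e10   # unsalted MD5/SHA-1 on a GPU rig (assumed)
GUESSES_PER_SEC_SLOW_KDF = 1e4     # PBKDF2-SHA256 at ~600k iterations (assumed)


def entropy_bits(choices, symbols):
    """Entropy (bits) of a password made of `symbols` picks, each chosen
    uniformly at random from `choices` possibilities."""
    return symbols * math.log2(choices)


def passphrase_entropy(word_count, vocabulary=DICEWARE_WORDS):
    """Entropy of a passphrase built from randomly chosen dictionary words."""
    return entropy_bits(vocabulary, word_count)


def complex_password_entropy(length, alphabet=PRINTABLE_ASCII):
    """Entropy of a uniformly random string over an alphabet. This is an upper
    bound; human-chosen 'complex' passwords are far weaker than this."""
    return entropy_bits(len(alphabet), length)


def years_to_crack(bits, guesses_per_sec):
    """Expected time to find the password by trying half the search space."""
    return (2.0 ** bits / 2) / guesses_per_sec / (365 * 24 * 3600)


def hash_for_storage(password, iterations=600_000):
    """Store a password as salted PBKDF2-HMAC-SHA256. The per-user salt defeats
    precomputed tables and the iteration count makes every guess expensive,
    which is what decides the attacker's guess rate once a database leaks."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_stored(password, stored):
    """Check a candidate password against a stored record, comparing in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return secrets.compare_digest(dk.hex(), dk_hex)


def comparison_table():
    """Rows of (label, entropy bits, years against a fast hash, years against a slow KDF)."""
    cases = [
        ("2 common words", passphrase_entropy(2, COMMON_WORDS)),
        ("8-char random printable ASCII", complex_password_entropy(8)),
        ("5 Diceware words", passphrase_entropy(5)),
    ]
    return [(label, bits,
             years_to_crack(bits, GUESSES_PER_SEC_FAST_HASH),
             years_to_crack(bits, GUESSES_PER_SEC_SLOW_KDF))
            for label, bits in cases]


if __name__ == "__main__":
    for label, bits, fast, slow in comparison_table():
        print(f"{label:32s} {bits:6.1f} bits  fast hash: {fast:10.3g} y  slow KDF: {slow:10.3g} y")
    record = hash_for_storage("correct horse battery staple")
    print(record)
    print(verify_stored("correct horse battery staple", record),
          verify_stored("Tr0ub4dor&3", record))
```

    Running it shows the two effects side by side: two common words sit under 30 bits and fall in seconds against any hash, five random Diceware words reach about 65 bits, and the same 65-bit passphrase goes from decades against a fast unsalted hash to millions of years against a slow salted KDF, which is the "what matters is the hash it gets stored as" point in numbers.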

  • Registered Users, Registered Users 2 Posts: 2,021 ✭✭✭ChRoMe


    syklops wrote: »
    Not two. Four or five at least.

    I'm not convinced by KeePass. I tried writing my own, but I couldn't give it the time it needed.

    The truth is, in a lot of cases the length and configuration of the password is irrelevant. What matters is the hash it gets stored as.

    Anyway we digress.

    Indeed

    [image: password_strength.png]


  • Registered Users, Registered Users 2 Posts: 4,331 ✭✭✭Keyzer


    Blowfish wrote: »
    I wouldn't say that. I'd have serious questions about the competence of an auditor who leaves the organisation they are auditing open to potential loss of sensitive data. At the very least, whoever in the organisation is responsible for InfoSec should be made aware of it.

    Agree 100%...
    hmmm wrote: »
    I've rarely (with only a few exceptions) come across an IT auditor that had much of a clue about security, and I'm not surprised one wouldn't be able to figure out how to use an encrypted partition. Tick-the-box merchants, straight out of college for the most part, obsessed with password length and other security settings that were relevant in the 80s.

    Agree 100%...

    OP: You should've reported it to your information security department. If it was part of a test, which I doubt it was, then you've failed. Regardless, this kind of incompetence should not be tolerated from a company your employer is, most likely, paying a small fortune for this service.


  • Registered Users, Registered Users 2 Posts: 9,175 ✭✭✭Doge


    Keyzer wrote: »
    OP: You should've reported it to your information security department.

    If they have one that is! I have yet to work for a company that has someone working in information security!


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Have we established what the auditor was auditing yet?

    Was it PCI? ISO 27k1? Something else?


  • Registered Users, Registered Users 2 Posts: 4,331 ✭✭✭Keyzer


    waveform wrote: »
    If they have one that is! I have yet to work for a company that has someone working in information security!

    Report it to the IT Manager, if no IT Manager then a senior manager from the business...

