Audit Week 1: Asset Tracking

The audit we are going through starts with a self assessment questionnaire.  This document, which is quite lengthly, goes through all of the things the auditor will cover.  Some items are simply questions with no proof required, others are questions with a document that we have to produce to verify the answer.  We started with the asset tracking section.

Do you have the following:

  • List of All Hardware Assets
  • List of All Mobile Devices
  • List of All Software
  • List of Key Suppliers and Vendors
  • Network Diagram

We had most of these.  However, there are a few that we had to update or in one case, create.  We never had a diagram of our network.  This is something we have on all of our clients but I have to admit I never stopped to ask this to be created for our main office.  We have firewall certified engineers, Cisco-trained and certified professionals on staff, we have security certified professionals, and numerous other certifications.  Our network runs great and is more detailed than almost any we see in the field; yet we never documented it.  What if our primary internal network manager left?  I would have to grab another resource off of a project and get control of our internal network.  After all, I can’t drive my kids to school if I don’t put gas in the car.

So this week, I have a homework assignment.  Everyone go through their documentation and develop a plan to fill in the gaps.  Never allow your business to be dependent on someone’s head knowledge alone.  You clients depend on you to be there when they need something.  Not having these documents is an often overlooked risk to the business.

Getting Audited

Our firm has voluntarily requested an audit of our security practices by an independent third party.  We started this process as a result of a conversation during lunch with a prospective client.  While we were busy going through what services we could offer the client, she responded with a poignant question, “If you are watching me, who is watching you?”.  What a great question!  We were honest and said that isn’t something we had previously considered but we immediately recognized the why behind it.   Forty-eight hours later I was researching firms that could provide this service to us and about a week later we entered into an engagement.

Over the next month we will go through the same process we have done for our clients over years.  We will make sure all of processes inside our company are sound and as secure as we think it is.  We are making sure every department is practicing what we have stated as our best practices in internal meetings.  I am so enthusiastic to go through this process.

I will use this BLOG over the next month to share my thoughts and feeling about going through a security audit from a client’s perspective.  I hope at the end of this we have discovered ways to improve our services by seeing this through a clients eyes.

Start with Design – But Sometims You Can’t

It may seem best to start with a perfect secure network design from the ground up.  Take into account all aspects of security and process and the end result could be amazing.  Building something from scratch often seems easier than fixing an existing system or process.  But if we are limited by our unique circumstances not building new doesn’t mean we should just stay where we are.

Sometimes we can start fresh and create something; learning from our history and tapping into our knowledge garnered over the years. Othertimes, you have to renovate.  Both ways have the ability to produce an amazing end result.  Secure design can be achieved in any scenario.  You just have to start the process.

Are you ready for EMV?

Starting in October 2015 financial liability for card-present counterfeit losses will shift from issuing banks to merchants if merchants receive EMV-enabled cards but have not yet installed EMV-capable terminals. This is a significant change in how merchants will accept payment and whose liability it is.

If you are not planning on deploying EMV-enabled terminals before then you need to understand this shift. All of the financial burden will now be on you.

If you are planning on deploying these terminals you need to understand the technical requirements to make this switch possible.

2015 will be a significant year in the security space and businesses had better prepare. Get an assessment, get a plan, and get secured.

Password Reuse

As soon as I got to the office this morning I read a blog post about Starwood Preferred guests getting their passwords hijacked by scammers.   Using a tool found on a known malicious site, the tool attempts to login to Starwood accounts, then transfer the points balance to another Starwood account.  The scammers can also sell access to these confirmed Starwood accounts.  70,000 Starwood points sells for $3, for example.  They are using these tools on other sites too, this was just one that was mentioned.

The tool uses usernames and passwords stolen from other data breaches.  The tool works because many people use the same username and password across multiple sites.  Websites usually have our email as a username so they just need the password, they then test against passwords associated with that email address and bullseye, access to your account.  This is called Password Reuse and attackers know that most people are predictable.

This post is not meant to send a message saying change your password, or use different passwords for multiple sites, like you always hear on the news after a breach occurs.  I think everyone knows that but human nature is to keep things easy.  It occurred to me that this password reuse problem is likely more prevalent in sites that we frequent and login to often.  Banks, travel rewards, kids’ school sites, Amazon, etc.  We like it easy so if we can make things quick and simple we most likely will.

Further, I believe that this problem is being fueled by the rise in Apps on our mobile devices.  Having quick and easy access to your bank, Amazon, and stocks on our phones makes things very quick and easy.  So the need for a password we can remember is escalated even more.  I can buy a book on Amazon while walking around Barnes and Noble with my kids and I can trade stocks while waiting on my drink at Starbucks.  Using a password I know easily and can type on the phone quickly makes things even quicker.  Password tools such as Last Pass only add to the complexity for many users so they go unused.  It requires an extra step most people are not willing to take, so people being people we continue this predictable behavior allowing tools that rely on this password reuse to work.  These scammers are counting on one thing, people will be people and people are a creature of habit.

The day will come when scammers will have to answer for their actions.  But until then, they will continue to exploit our weaknesses and cause us more stress.

Reverse the Questions

When is the last time you asked your IT provider what security measures have they implemented? How is the data on their network secured? When was their last pen test? What was the result? Why will my business be safe with you?

Being an IT security provider is about more than just having a great pitch and certifications. It is about actually living and practicing what they believe. Ask your providers the tough questions. See what they say and see if they are qualified to give you security advice.


The fear of having an insecure business can be a powerful motivator for some people, for others it leads to inactivity.  This is not unlike the fear of taking a test for fear you may not pass.  But businesses simply don’t have a choice anymore but to take a deeper look into their security and how their IT departments are handling, or not handling, issues.

I took the last few weeks off of writing for the Christmas season.  Just since my last post here is a brief list of the companies with new or possible breaches.

  • Chick-fil-A
  • One Stop Parking
  • Microsoft Xbox
  • Sony Playstation
  • Staples – Breach Expanded
  • Pak ‘N Fly

The problem with this list is I only named companies that are household names.  Big companies we have all heard of.  People in my business do this often.  By us naming a company you have heard of when discussing security gives us attention and credibility with our audience.  The truth is, this list is nothing more than a drop in the bucket.  We never hear about the thousands of other breaches taking place each day in schools, churches, law firms, local banks, doctor offices, convenient stores, parking decks, accounting firms, local government, recreation leagues…

Not getting your network looked at by a third party isn’t saving you any money.  It is only delaying the inevitable.

Target and Home Depot weren’t the practice filed, it was the major leagues.  Smaller companies is where they perfected their skills. And they packed up and moved before you knew they were there.


Get every new post delivered to your Inbox.