The Auditor Attack Vector

The phone on the desk buzzed. The CEO picked it up, expecting his assistant to let him know his next appointment had arrived. Instead he was told a person had called and wanted to discuss why his managers were paid less than some of their direct reports.

The CEO was puzzled, and worried, so he accepted the call.

“Did you know that you have programmers making more than some of their managers? ” the caller asked, quoting the specific people and their salaries.

The CEO did know, acknowledged this, but declined to discuss the matter. Instead he asked who was on the phone, and how did they know the salaries of his employees.

The caller declined to give their name, but told him that they had found a USB thumb drive outside on the street and had plugged it into a computer. A number of spreadsheets were on the drive, with one containing the salaries and organizational structure of the company. The called left the story there, promising to mail the drive back to the CEO.

The CEO was upset, and worried, but waited a few days to get a package in the mail. He had been planning to terminate someone for carelessness. However when he opened the package, he realized none of his employees was to blame. Instead, this was a device given to an auditor who was verifying the accounting practices of the company.

I don’t know the rest of the story, but it was given to me by someone that runs a decent sized company. It’s a scary story and shows a concern one that has nothing to do with most of us that work in technology departments. However this does show that there are always holes in our processes and practices. We need to consider the fact that many of the businesspeople we work with value convenience much more than security. We need to be sure we take precautions where possible, such as encrypting all data at rest, and in transit, wherever possible.

It might not be our fault, and it might not be something we’re blamed for, but I certainly would feel some guilt if I had copied the data onto the USB drive without providing additional security, such as encryption or at least a password.



Steve Jones

The Voice of the DBA Podcast

Listen to the MP3 Audio ( 2.2MB) podcast or subscribe to the feed at iTunes and LibSyn.

About way0utwest

Editor, SQLServerCentral
This entry was posted in Editorial and tagged , . Bookmark the permalink.

3 Responses to The Auditor Attack Vector

  1. It really worries me the lax practices that are in play when it comes to information security, so I’m not surprised to see this. I’ve several anecdotal examples which are quite shocking! One would be an external company receiving an encrypted file full of credit card and customer details, and to confirm that they had received the correct file took a screen shot of the opened, unencrypted data and emailed it back for confirmation. Another would be the number of stand up arguments I’ve had with the infosec guys I work with over access to live data which are “accepted” risks the business takes, yet if I log onto an isolated sandbox server to install SQL 2016 as an administrator, you can be sure the same chaps are berating me for logging in to a console as an admin! I’m sure everyone has seen an email at some point where data is encrypted, but the key or password to decrypt is helpfully attached. And then there are always examples of development environments with live data, or development environment where the same service accounts are used as the live system and so on.

    The most annoying part of all this, is that whenever I bring it up with almost anyone, the natural reaction is that I’m just getting in the way of people doing their job. In my opinion, good data and security practices are easy, so long as they’re designed for. However, as soon as corners are cut, that starts getting into being a problem, and before long turns into a massive technical debt – as discussed previously on your blogs.

    P.S. thanks for the blog series, Steve, I really do enjoy reading a technical blog that’s not quite focussed on being really technical all the time!


    • way0utwest says:

      Thanks, Matthew. Glad you enjoy the pieces.

      I agree that often security is maddening and frustrating. I find that I’ve dealt with no shortage of security staff that don’t really understand their job, other than simple enforcement of some mindless rule that impedes more than it protects. I’ve also dealt with people that are so difficult with covering every issue that it severely impedes work to the extent that security overwhelms work.

      There’s some balance here. I think some of it is ignorance, or just naivety, not really understanding the issues. There do seem to be many people, and no shortage of them developing software, that just don’t see the potential for issues. However I’m not sure I agree good security practices are easy. Some are easy to incorporate as habits, some are difficult.


  2. This is why auditors, especially external auditors, should encrypt any collected data and findings. It’s not hard!


Comments are closed.