Top 10 Security Assessment Genius Moves

Here at Redspin, Inc., we’ve done security assessments at over 100 financial institutions. As such, we get to see how other companies do their security assessments, and are regularly entertained by some of the more creative reports left in their wake.

All of the following are real-world Genius Moves that we’ve seen made by prior auditors.

Security Assessment Genius Move #10:

Failure to “search and replace” the bank name in a boilerplate document. That’s right. Bank of Smallville got a leftover report that was originally created for the Bank of Metropolis (okay, not the banks’ real names, but these things really happened).

Security Assessment Genius Move #9:

Printed out a report that was so long and repetitive that the client couldn’t even find the recommendations.

Security Assessment Genius Move #8:

These banks could find the recommendations. Easily. Because every single recommendation was, “Buy our product.” We’d name the banks that got this report, but we don’t have enough space. (Sorry. That was catty.)

Security Assessment Genius Move #7:

Infected the client with a virus during the security audit. No, seriously. They infected a client with a virus during the security audit. We love that. Basically, all we had to do in our security audit was not accidentally kill a man, and we would be the golden boys.

Security Assessment Genius Move #6:

Directly pasted hundreds of pages of Nessus output into a report. Like reading the phone book, only without as much plot.

Security Assessment Genius Move #5:

On a wireless security assessment, included ALL wireless access points in range of the test. The bank passed, but the neighboring deli and hair salon turned out to be vulnerable. Do you want your hair-cut information hacked?

Security Assessment Genius Move #4:

Included a list of 65,000 computer ports in order to pad the report. I had a girlfriend like that, once.

Security Assessment Genius Move #3:

Downloaded the trial version of a commercial pentesting tool off the net, and then forgot to remove the words “TRIAL VERSION, NOT FOR COMMERCIAL USE” from the report. Ethics, schmethics.

Security Assessment Genius Move #2:

The auditor didn’t really know what he was doing – so he actually asked for help from the bank’s IT person to run his auditing tools. We heard later that the auditor changed professions, and became a proctologist.

And, finally, mostly because we like the poetry of this finding:

The #1 Security Assessment Genius Move:

An auditor’s findings – “There are no Policies and Procedures for creating Policies and Procedures.”

By: Brian Hayes

06 April 2007
