Recently I was a guest on the Security Justice podcast. It was a really great experience and I was asked a lot of good questions by the host and their live listeners. One question was a request for audit “war” stories. Even though I knew this would be a question and I tried to prep for it, I drew a blank and came up with only a few examples. When I tell audit stories I draw on my 10 years as an auditor for the State of Ohio. All the results from those audits are a matter of public record, and as a matter of decorum I don’t use names of people or places. Since the podcast I have thought of numerous stories I feel are worth telling, and so I will post them here occasionally. They are not all just about audit procedures, as you will see. Here are a few for now.

“A What”

During downtime on a larger audit, I was asked to spend a week at a small school district. The room we were in was a storage closet for the central office that had two desks shoved in a corner amongst stacks of ledgers. The school was on Christmas break, so the only people in the building were the office staff, custodians, and the auditors. I was given the quick tour of where to find the restrooms, which for adults was the custodians’ broom closet, and where the people I needed to speak with sat. An hour into the morning someone came into the office very winded and said something we couldn’t hear. A few minutes later the treasurer walked into the closet and stated we should watch out for anything unusual, and use caution when walking around the building.

The In-Charge was a bit annoyed and asked what constituted something unusual. The response was not exactly what we had anticipated. “The boa constrictor from the sixth grade classroom seems to have gotten loose sometime this morning.” The response from me and my three colleagues was a collective “A WHAT!” The entire week I was on-site the staff did not locate the snake. On my way out of the building on Friday night the custodian was joking with me and commented that at least their rodent problem had been temporarily solved.

“Come With Me Son”

There are two main cycles in financial audit for local governments. School fiscal years run July to June, while most other governments run January to December. Having graduated in May and started in June, I was put right in the middle of school audits. One of my first assignments was at a vocational school, so there were students coming in and out all summer long. The treasurer’s office was located right by the school common area, which also served as a cafeteria. The central office was right next to that, but the two offices were not connected and the treasurer did not have a copy machine in his office. I had just picked up a stack of documents and headed into the central office to make the required copies to “fatten” my work papers. At the time we were required, whether in our regional offices or at a client, to wear a suit, which often meant you stuck out like a sore thumb when everyone else wore jeans.

I hadn’t been at the copier, which required a 4 digit code to run, more than a minute or two when a teacher walked up to me. He asked me what I was doing, to which I responded “making copies of some documents.” He then leaned over me and hit the cancel button on the copier. “You need to come with me son, right now,” he said. I was a bit shocked, yet I followed him across the office to the superintendent’s office. He knocked on the door and when the superintendent waved him in, he motioned for me to follow. “I found this student making copies and when I asked what he was doing his response was mocking,” explained the teacher. The superintendent looked stunned and then started to laugh. The teacher was extremely embarrassed and apologized profusely when it was explained to him that I was an auditor. When I returned to our work area I told my co-workers about the incident, to which my In-Charge replied, “Yeah, I once was working in a school library and got asked to prom.”


A recap of this week’s #followfriday recommendations:

If you are interested in Response to Intervention, Pyramid of Learning, and Progress Monitoring in education #followfriday @APSPyramid

This trendy Canadian deserves a #followfriday for his thoughts on cloudy security, a.k.a. @justin_foster

When you are a prolific writer about technology you too can have a monkey wearing glasses, so #followfriday @georgevhulme

To help shape the mind of a young infosec hopeful and Linux lover #followfriday @biosshadow

You better #followfriday @kaospunk as he is quietly taking over the world, even though he says otherwise.

#FF #notacon edition @froggynotacon @tygernotacon @rogueclown @tottenkoph @travisgoodspeed @myrcurial @chrisclymer @agent0x0


The Recap

A resident requested officers warn door to door solicitors on rude and persistent requests. The companies were warned.

The Lesson

As spring approaches the number of door to door solicitors will increase. I try to be nice enough, but given the potential for fraudsters and unruly behavior I don’t tolerate much after I politely ask someone to leave. When I leave my house I expect to be asked to buy things, but in my home I am not too keen on the experience. The digital experience is not much different.

When you visit a website, especially one providing free content, you expect advertising. What you don’t expect is for a website to take over your browsing experience with a bunch of pop up ads. Granted this doesn’t happen as frequently as it used to, but some sites still allow their advertisers to do this. This experience causes you to install add-ons to your browser to stop the activity, or better yet block ad sites altogether. Of course the alternative is to not visit those sites again, which is bad for their business.

Shortly after visiting some sites, the emails start coming. Without filtering, your inbox starts to look like a virtual junkyard and is unmanageable at best. You have to resort to things like a private and a public email account just to get things done. You could also use filtering software or find a managed service that keeps things tidy. This of course leads you to having to whitelist the actual service providers you do want to hear from. Ultimately you have a big kludge of a mess. For organizations this problem gets amplified even more, but they have more resources and expertise than the average home user.

In the door to door case, the sales person is just giving the same old pitch. In the digital world there can be an attempt to collect enough data on you to appeal to your needs. Both are effective, otherwise neither would still exist. Unlike the real world though, your digital home is invaded all the time with no single police officer to call. You don’t let just anyone through your front door, so be just as careful with the digital front door.


Here is a recap of my follow Friday recommendations on twitter for today:

You should #followfriday @ChrisJohnRiley because he does IT security stuff across the pond, which is like Europe or something 😀

Plugging the words hackerspace, legal, and tomfoolery into the #followfriday generator results in @rogueclown; she <3 #notacon

When you #followfriday @SecBarbie you run the risk of getting your systems owned or run over with a Harley, or both.

NIST, FISMA, bah. @danphilpott eats them for breakfast, which is a good reason to #followfriday him.

A man that is single-handedly d-listing tech people, @andrewsmhay deserves a #followfriday

If Bruce Lee had web-fu his name would be @jeremiahg, so give him a #followfriday

So you think you can debate PCI? #followfriday @mckeay and sharpen your skillz.


In one week I will be joining the guys from Security Justice for their March podcast. We will probably talk security, auditing, Notacon, and maybe even some Haiku. At least that is what @chrisclymer said, who knows this could be an ambush set by @securid to get me back for heckling him in the past. 🙂

If you haven’t listened to these guys before I suggest you do. They live stream the show (here) starting at 9pm and take questions from IRC at irc.freenode.net #securityjustice.

I will be taking mini @matthewneely, @securid, @agent0x0, and @chrisclymer so you can expect some pictures of the antics. I hope you can join in on March 17, which happens to be St. Patrick’s Day. Nothing could possibly go wrong! Right?


The Recap

A woman was arrested after leaving a grocery store where she had placed a roast in her purse.

The Lesson

In high school I worked for the largest retail chain store in my town. As a stock boy I got to know the security people very well because their office was right next to the receiving docks. Of course they were actually called “Loss Prevention,” but we called them security. Since I knew them I could spot them when they posed as normal shoppers in areas where items of high value were kept on the sales floor. This manual surveillance was in addition to the many security cameras that dotted the ceiling of the store. The use of people to enhance surveillance means there were weak spots in the “automated” controls, perhaps a box on top of shelves that blocked a camera’s line of sight. So where is this story going?

We place many controls around customer and proprietary information to prevent the loss caused by a breach. We have firewalls, routers, IDS, IPS, NAC, and the list could go on. However, have we considered the controls around the physical presence of that information? For example, if a person needs to print off a list of customer accounts to perform a task, how do we ensure that list doesn’t “walk out”? How do we ensure, if it is against policy to print confidential or proprietary information, that the information isn’t getting printed? Also, with the size and capacity of flash drives, what prevents an employee with proper access from copying the information to external media, just like the woman in the story, who attempted to conceal the item of value in a purse?

Securing data in digital form is critical, because if someone doesn’t have to walk into a facility to get it, they decrease their chances of capture. However, if a person can simply walk out with the information undetected, why wouldn’t they eventually try? Consider all avenues by which data could leave your organization, or someone may be having steak on the house.


Here is a recap of my follow Friday recommendations on twitter for today:

When you #followfriday @McGrewSecurity you are going old skool, SCADA style.

Definitely #followfriday @wimremes, he talks some eurotrash with a cool accent.

A #followfriday of @armorguy will lead to high cholesterol from the southern fried security he dishes.

Podcasts to #followfriday: @SFSPodcast @eurotrashsec @CyberCrime101 @SecuraBit and @SecurityJustice

A #followfriday baking tip: @mortman makes #fail taste so good, just try the bread!

For #followfriday @gattaca is the Infosec torch bearer…srsly he carried the Olympic torch, plus he enlightens with bricks

Just #followfriday @securityintern and you will know why, COFFEE STAT!

If you want good geek fiction you better #followfriday @jaysonstreet, plus he has medieval swords.