Undercover: A Case of Help Desk Failure
How a lack of coordination between departments at a large bank opened up a big security hole, and what we did about it.
By Anonymous
June 11, 2009 — CSO
As the engagement leader on security assessment projects for our clients, I frequently run into what I call the "IT Myopathy Syndrome."
Quite a few well-meaning and high-placed individuals worry about protecting their IT assets and forget a basic principle: In "Capture the Flag," if you capture the flag, the game is over.
Here's an example of one such case.
On a recent jaunt to a client -- a large national bank -- my team and I were received warmly. After the mutual introductions were concluded and before the ceremonial taking off of the jackets, we were shown to a conference room where our team was to be based during the first phase of our four-week project.
Once we sat down, plugged in our computers (to check e-mail, of course) and started feeling a bit more comfortable, the director of IT security walked into the room and started a conversation with us.
Since the accounting group was our "sponsor" and our scope was allegedly not discussed with him, he wanted to know what we were planning to do, in what order, when and how.
A few minutes later he blurted out: "I don't know why you are here at all. We got everything under control. We got firewalls, we do penetration testing. No vulnerabilities to find."
"Oh, no!" I thought, "Another engagement full of political battles between the sponsors and other principals. We best stay out of it."
Continuing the conversation, I stated that per our scope, we had to go through a checklist of controls, verify their existence, test their validity and measure compliance. One of the first controls we had to deal with, I explained, was information security awareness.
The IT security director answered: "We are 100-percent covered. We make all new employees read a brochure and sign a statement acknowledging reading it and of the possible consequences of not complying with the rules." "Great," I said, "let's test this, OK?"
After a few seconds of hesitation, he agreed. We went into the next conference room, just the two of us, and I asked to use the desk phone, which he graciously allowed.
I dialed the number for the IT help desk, which was found on a large label pasted on the phone.
The following is a transcript, from memory, of the conversation that followed (names have been changed to protect the "guilty").
Help desk: "Good morning, Large Bank Help Desk, how may I help you?"