
Worst part is the auditors make pretty cool money. Back in my DBA days, we had an auditor who decided that the whole DBA team should only have read access to some DBs. In their plan, even backup rights were too much. The CIO was the only one to have admin rights :)

On 8/13/11, Laban Mwangi <lmwangi@gmail.com> wrote:
Hi,
On Mon, Aug 1, 2011 at 9:59 AM, ty <tyruskam@gmail.com> wrote:
I am not surprised. Information audit is treated like financial audit and locally, there is a dearth of pseudo-auditors ripping off corporates. I know of one auditor from one of these localized audit firms who spent a whole day trying to run a Korn shell script on bash.
Oh yeah, I had the same experience ~4 years ago.
* A guy having a ksh shell script trying to execute it on bash.
* Script was investigating /opt or something like that. Might have been for SCO Unix.
* He asked me what firewall we were using, I replied IPFILTERS. Bugger gives me a Cisco PIX questionnaire to fill.
* To improve security, I was asked to change the root username of MySQL to something else.... Like admin. On top of that, they didn't care about the MySQL version running, other users in the system etc...
* Windows admin users were duly changed and their passwords.
* Rsync wasn't a good backup solution. We had to get a tape drive and use the built-in Windows backup program.
Observations:
* Auditors are typically first class honours students, picked by the system, mangled, zombified and sent to haunt us.
* Unfortunately, they are not given a basic intro/course into OS concepts, FW concepts.. Just a form to fill and billable hours to bill.
* Big name companies won't touch your code/product if a big name auditor has not passed it through his 'billable hours' service.
* It's mostly a scam (well, in reference to the few Unix audits I have been in) and I shudder to think of all the 'all green across the board' deployments out there.
* I wasted a week of my life. I wish I could bill for it.
A year ago, another local audit firm ripped a govt parastatal close to Ksh 50m on an audit and the same month, the system got compromised.

-tyrus.

On Mon, Aug 1, 2011 at 9:51 AM, Allan M <mbiyua@gmail.com> wrote:
This is incredibly ridiculous!! Working with such a company is a sure setup for a ripoff. Thanks for the info, it's very valuable to all.
On Fri, Jul 29, 2011 at 11:00 PM, Brian Ngure <brian@pixie.co.ke> wrote:
I am still reeling in shock from the sheer stupidity shown in this link.
http://serverfault.com/questions/293217/our-security-auditor-is-an-idiot-how...

Anyone got a local horror story to share?
-- Regards
Brian Ngure
_______________________________________________ Skunkworks mailing list Skunkworks@lists.my.co.ke http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------ Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke
-- Regards,
Allan M 0722-266-146
-- Sent from my mobile device