So, the other day, while teaching my online course in Computer Security for the University of Advancing Technologies, I had a student ask me what they should do if their CFO asked for a non-expiring password at a publicly traded Fortune 500 company. I responded that in today's age of heavy SEC and regulatory oversight I didn't see that really being a problem. I jokingly said that maybe 10-15 years ago it wouldn't have been a problem either, because most of us weren't expiring passwords regularly.
The student came back with "No, I am serious. I was just asked to please set our CFO up with a non-expiring password, and the request came from my CIO directly to me, which, as low as I am on the totem pole, just about never happens." My thoughts were all jumbled up for a minute, as I thought we had surely gotten past this mindset with the news articles and all the coverage about regulatory compliance, internal controls, etc. C'mon, I mean really? We are talking about the CFO, the Chief Financial Officer, the person with access to corporate funds, bank accounts, etc., and they really don't want to change their password because it is too much of an inconvenience? When I asked more questions I wasn't surprised to find out that the company does not have any sort of two-factor authentication for their executives, as that is too cumbersome as well.
Why is it that Internal Audit, External Audit and others in that profession continue to miss items like that? Is it because they are so far down in the minutiae of systems that they have forgotten that at Enron it wasn't the little folks in the organization, like me and other IT Operations folks, that caused the issue; it was the corporation's senior executives. Things like Sarbanes-Oxley are supposed to manage and control the C-level executives' behaviors, because no one that works for them is in a position to do so. So, my call-out in today's rant is for the internal controls folks to pay more attention to the corporate executives and what they are or are not doing, and a bit less attention to the folks down in the trenches.
Oh, wait a minute... whether it is an internal or external auditor, their pay still comes from the same executives that no one else in the company can challenge without fear of not being paid... hmmmm... guess we won't be seeing that type of oversight anytime soon.
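For readers who want to turn the rant into a check, here is an added example (not code from the original post or its author) of the query an internal controls person could run against Active Directory: list every enabled account whose password is flagged to never expire, then mark which of those sit in privileged groups so executive and admin accounts surface at the top of the list. It assumes a Windows domain with the RSAT ActiveDirectory module installed and read access to the directory; the group names in `$PrivilegedGroups`, the output file name and the `PrivilegedVia` / `PasswordAgeDays` column names are assumptions for illustration, not anything the post describes.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module and read access to the domain. Group names below are assumptions;
# replace them with the admin, finance and executive groups in your environment.
Import-Module ActiveDirectory

# Groups whose membership turns a non-expiring password into a high-risk finding.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Finance-Executives')

# Map SamAccountName -> group name for every (recursive) user member of those groups.
$Privileged = @{}
foreach ($g in $PrivilegedGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object { $Privileged[$_.SamAccountName] = $g }
    }
    catch {
        Write-Warning "Group '$g' not found or not readable: $_"
    }
}

# Every enabled user whose userAccountControl carries the DONT_EXPIRE_PASSWORD flag.
$Findings = Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } `
        -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate, Title |
    Select-Object SamAccountName, Name, Title, PasswordLastSet, LastLogonDate,
        @{ Name = 'PrivilegedVia'; Expression = { $Privileged[$_.SamAccountName] } },
        @{ Name = 'PasswordAgeDays'; Expression = {
            if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null } } }

# Privileged accounts first, then oldest passwords first, so the CFO-style
# exception is the first line the auditor reads rather than the last.
$Findings |
    Sort-Object @{ Expression = { -not [string]::IsNullOrEmpty($_.PrivilegedVia) }; Descending = $true },
                @{ Expression = 'PasswordAgeDays'; Descending = $true } |
    Format-Table -AutoSize

# Keep a copy for the audit workpapers (file name is an assumption).
$Findings | Export-Csv -Path .\PasswordNeverExpires-Findings.csv -NoTypeInformation
```

Two caveats when using this. First, the `PasswordNeverExpires` flag is only one way to get the effect the CFO asked for: a fine-grained password policy (PSO) with a maximum password age of zero applied to the account, or a domain policy with no maximum age, produces the same outcome without setting the flag, so the query should be paired with a review of `Get-ADFineGrainedPasswordPolicy` and the default domain policy. Second, the query only tells you that the exception exists; the control question the post is really asking, who approved it and whether anyone outside the executive's reporting line is allowed to reject it, still has to be answered on paper.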
Oh, and since this is my first posting, don't think I am anti-auditor; I'm pro-auditor. I just think that this is an area that we currently lack an answer for.
One last item: please don't comment on how lame you think passwords are and how they don't do anything or provide any controls. Please, if you are a security professional you should know they are simply one part of an effective defense-in-depth architecture. BTW, if you don't believe in defense-in-depth you probably are reading the wrong blog...
© Kevin L. McLaughlin, properly cited re-use is acceptable