IT�SECURITY�IT�SECURITY�

HORROR STORIES WHERE�FOUNDATIONAL�

CONTROLS�WENT�OVERLOOKED

WHERE�FOUNDATIONAL�CONTROLS�WENT�OVERLOOKED

or��

We�asked�industry�professionals�about�the�moments�in�their�security�careers�that�horrified�or�shocked�them�so

much,�they�didn't�know�whether�to...���

horrified shocked

"This�particular�organization�paid�their�employees�bonuses�based�on�the�amount�of�money�they�saved�from�their�budgets!�

Therefore,�instead�of�trying�to�pick�security�solutions�that�helped�better�their�security�posture,�they�chose�to�do�the�

minimum�required�to�be�compliant�.�.�."

-IRFAHN KHIMJI @THEREALKHIMJI

".�.�.�They�pitched�a�great

�

story�to�the�executives�

to�say�that�being�

compliant�with�the�PCI�

standard�made�them�

secure,�but�they�were�

horribly�mistaken."

-IRFAHN KHIMJI

@THEREALKHIMJI

"We�were�in�a�staff�meeting�when�one�of�the�engineers�received�a�call�from�our�ISP�to�notify�about�suspicious�traffic.�

Their�monitoring�team�observed�that�a�server�on�our�environment�was�communicating�with�a�known�malicious�

command-and-control�server�in�another�country�.�.�."

-KEIRSTEN BRAGER @HIDDENCYBFIGURE

".�.�.�The�incident�response�plan:�pull�

the�server�off�the�network.�Makes�

sense,�right?�There�was�one�small�

problem:�no�one�could�find�the�server."

-KEIRSTEN BRAGER @HIDDENCYBFIGURE

"I�was�doing�a�physical�security�assessment�for�this�company,�

and�one�of�the�tasks�was�reviewing�the�server�room.�The�'server�room'�was�just�another�

office�that�happened�to�contain�a�server�rack�in�a�repurposed�closet�with�doors�removed,�which�was�

open�to�all�employees�‒�unfortunately,�this�is�typical�and�not�what�stood�out�to�me�.�.�."

-Zoë Rose @5683MONKEY

Come in, WE’RE

OPEN

".�.�.�The�real�disheartening�part�was�there�was�a�window�

directly�beside�the�server�rack�‒�no�screen�or�bars�‒�on�the�

ground�level�...�If�you�wanted,�you�could�do�all�your�sysadmin�tasks�while�sitting�outside�for�a�picnic.�Or,�if�you�wanted,�you�could�walk�by�the�building,�

plug�in�a�random�USB,�and�no�one�would�be�the�wiser."-Zoë Rose

@5683MONKEY

"I�am�reminded�of�the�time�I�gained�access�

to�a�building,�connected�onto�their�

network,�and�found�'Credit�Cards�Front�

and�Back.pdf.'�This�was,�of�course,�a�copy�

of�their�staff�credit�cards."

-RICHARD DE VERE @RFDEVERE

"An�'IT'�staff�member�came�to�an�office�wearing�a�jacket�that�said�IT�on�the�back�and�requested�access�to�the�server�closet.�The�front�desk�personnel�asked�them�to�sign�in�but�allowed�them�to�enter�without�an�ID�check.�Roughly�an�hour�later,�the�'IT'�person�departed�the�

office�and�things�started�to�go�very�badly�.�.�."

-HUDSON HARRIS @LEGALLEVITY

".�.�.�In�short,�the�office�se

rvers�

got�hit�with�ransomware�and�all�

operations�ceased.�In�the

�post-�

mortem,�the�individual�claiming�

to�be�part�of�the�IT�staff�w

rote�

'hacker'�on�the�sign-in�sh

eet�and�

was�actually�wearing�a�shir

t�that�

said�hacker�‒�all�very�obv

ious�

and�plain."�

-HUDSON HARRIS

@LEGALLEVITY

"I�was�tasked�by�a�client�to�pentest�a�web�app,�which�was�presented�to�me�as�a�simple�login�form.�The�client�did�not�provide�any�login�credentials.�So,�the�main�

goal�was�to�try�and�gain�access�to�the�system.��On�the�login�page,�there�was�an�email�address.�It�read�

something�like,�'If�you�have�any�issues�logging�in,�email�the�site�administrator�john@example.com'�.�.�."

-RYAN DEWHURST @ethicalhack3r

"�.�.�.�My�first�thought�was,�'Does�

this�John�fellow�have�an�account�

on�this�application?'�So,�I�tried�

username�=�john@example.com,�

password�=�password.�And�lo�and�

behold,�it�worked!�The�client�had�

paid�for�several�days�and�was�

quite�embarrassed�that�it�only�

took�me�about�5�minutes�to�gain�

access�to�their�system."

-RYAN DEWHURST

@ethicalhack3r

"I�had�the�unsavory�task�of�letting�an�employee�go.�Unfortunately,�this�

person�was�one�of�our�sys�admins,�so�it�was�a�bit�of�a�process�getting�

credentials�changed,�etc.�After�all�the�appropriate�changes�were�made,�I�sat�this�person�down�and�broke�the�news.�I�asked�them�to�pack�their�things,�turn�

in�their�keys�and�leave�.�.�."

-JIM NITTERUER @JNITTERUER

".�.�.�While�the�individual�was�packing,�I�stepped�out�

momentarily�to�use�the�bathroom.�I�got�cornered�

talking�to�someone�in�the�hall�and�returned�15�minutes�

later�expecting�the�former�employee�to�be�packed�and�

ready�to�go.�Instead,�I�found�him�connecting�his�

personal�laptop�to�the�network�and�attempting�to�

download�his�archived�work�files!"

-JIM NITTERUER @JNITTERUER

"That�moment�when�you�are�working�for�a�massive�managed�services�company�and�you�are�about�to�upload�a�debug�file�to�the�vendor�of�your�ticketing�system�and�find�out�you�can�see�all�their�clients'�SFTP�folders�on�their�drop�site.�Global�banks,�pharmaceutical�companies�and�defense�contractors�all�have�folders�you�can�access.�You�quickly�look�in�your�own�folder�to�

see�what�these�other�companies�can�see�about�your�organization�.�.�."

-EAN MEYER @EANMEYER

".�.�.�Not�only�have�professional�services�dropped�all�your�architectural�designs,�passwords�and�CMDB�data�there�but�also�left�the�last�onsite�professional�services�representative's�unlocked�PST�file�there�‒�it�contains�a�treasure�trove�of�passwords,�usernames,�business�communications�and�enough�company�culture�information�to�make�a�social�engineer�faint."

-EAN MEYER @EANMEYER

"Whilst�working�for�a�large�energy�company�in�the�UK,�one�of�my�roles�in�Information�Security�was�to�visit�offshore�sites�and�conduct�technical�security�audits�based�on�ISO27001.�

In�one�of�my�visits,�I�went�to�a�brand-new�facility�of�one�of�our�

suppliers�[to�conduct�a�review].�As�part�of�the�audit,�I�reviewed�six�

backup�generators�and�how�often�they�were�tested,�etc�.�.�."

-PAUL "PJ" NORRIS @PJNORRIS

".�.�.�I�was�shocked�to�see�that�two�

of�the�six�generators�were�running�

at�the�time�of�my�visit.�Initially,�I�

was�informed�they�were�being�

tested�at�that�moment�in�time,�but�

subsequently,�I�learnt�that�the�

entire�site�had�not�been�supplied�

commercial�power�from�the�local�

grid,�so�it�had�been�running�on�

generator�power�for�the�past�nine�

months!"

-PAUL "PJ" NORRIS

@PJNORRIS

"One�of�my�first�tasks�at�this�company�was�to�set�up�a�ESXi�server.�I�deployed�the�server�and�had�no�issues�for�months.�Then,�one�day�I�ran�a�port�scan�against�our�public�IP�address�

space�and�noticed�something�a�bit�odd:�a�website�being�hosted�

on�a�public�IP�that�wasn't�supposed�to�be�used�.�.�."

-TRAVIS SMITH @MRTRAV

".�.�.�It�turns�out�that�before�my�tenure,�a�staging�web�server�had�been�setup�that�had�a�NAT�between�a�public�IP�and�the�internal�IP�I�was�now�using�for�my�ESXi�server.�When�the�original�staging�server�was�decommissioned,�the�NAT�rule�in�the�firewall�was�never�removed.�I�had�an�ESXi�server�publicly�available�from�the�Internet.�At�first�I�cried,�but�after�fixing�the�issue�and�sifting�through�logs�for�days,�I�laughed�at�how�bad�that�was."

-TRAVIS SMITH @MRTRAV

MORAL�OF�THE�STORIES?"Much�of�protecting�any�

organization�isn't�about�more�advanced�detection�or�new�tools,�

but�about�consistently�applying�the�tools�we�already�know�work.�Doing�the�basics�right�is�the�foundation�of�

information�security."

MORAL�OF�THE�STORIES?

-TIM ERLIN @TERLIN

FOR�THE�LATEST�SECURITY�NEWS,�TRENDS�&�INSIGHTS,�VISIT:

TRIPWIRE.COM/BLOG

FOR�THE�LATEST�SECURITY�NEWS,�TRENDS�&�INSIGHTS,�VISIT: