Wednesday, January 17, 2007

How to break into a top security data center 

Someone nicknamed "The Mayor", on the geek forum Slashdot, wrote about working as an authorized user in a secure data center. I don't mean "secure" like a bank vault, I mean like something out of a James Bond movie. Passwords, palm readers, retina scanners, two separate smart cards required for entry, that kind of thing. He didn't mention any sharks with laser beams attached to their foreheads, but it was the kind of place that might have invested in them.

After all that expense and inconvenience, the guards started buzzing him through and letting him skip most of the security measures. Some of the other measures had stopped working and nobody had noticed. He was able to get all the way into the data center with no security check except for the guards recognizing him. Would the guards have known if he'd just gotten fired? Probably not. A vindictive fired employee in his position could have done literally millions of dollars of damage and quite possibly caused a major Internet outage.

It was equally easy to work around the security checks on software changes. He said of one change:
So, basically, if I had wanted, I could have installed a bit of code that would have decrypted all of the credit cards of users of our software and emailed them to a third party. I could not believe it. It's a good thing I have what I consider to be high moral and ethical standards.
Shiny gadgets won't keep you safe. They need to be checked periodically. The guards need to be in the loop for HR events. When someone like me starts to bore you to tears talking about "audits" and "processes" and "periodic reviews", this kind of thing is what we're talking about. It's worth paying attention.
