BOFH: We know where the bodies are buried
You're here to audit us? Hi! Fancy a coffee?
Episode 6

We're having a company-wide operational audit. The Boss, bless him, thinks it's a routine process aimed at solidifying the company's position in the marketplace (blah, blah, blah), however the PFY and I know better, having accidentally been bcc-ed in on a private email exchange discussing a possible company merger with a rival firm.
A quick review of the company concerned indicates that they are large enough to consume our company whole whilst leaving room for dessert, a cheese board and several after-dinner cognacs.
"Obviously this will mean a change in the staffing levels for both companies," the Boss says, once we explain the true nature of the audit to him.
"Or just our company," I hint.
"There's bound to be a little duplication of tasks but we're sure to be integrated into the corporate body," he argues naively.
"I think our only interaction with the 'corporate body' will be when they wipe their corporate arse of us."
"You think so?" the Boss asks nervously.
"Definitely. They have an entire infrastructure that our company would be integrated into - making much of this company effectively redundant."
"So... that's it for us then?"
"For you, yes," the PFY says.
"Well what about you?" the Boss simpers.
"Oh, they'll probably keep us on. As they say in the corporate world, we know where the bodies are buried," the PFY smiles.
"Or more importantly," I add, "we know that there's room for some more bodies..."
"Can't you do something?" the Boss blurts, trying to get the words out before the auditors arrive at Mission Control.
"What's it worth?" the PFY asks.
One hour and a company whip-round later, the PFY and I have a lot more cash than we started the day with – which puts us in a good mood for our first meeting with the auditors. They're a bleak bunch of suits from the prospective takeover company and want to talk about our computing practices.
"So can you outline your password policies?" the first of the suits asks, starting at the top of his checklist.
"Oh, we don't have any of those," I say.
"None? No complexity, age, minimum and maximum change times, minimum and maximum lengths, reuse restrictions, etc?"
"No, none," I say. "It makes it too hard for people to remember each others' passwords if they're always changing."
"You don't enforce ANY password policies?!" he gasps, putting a cross through the first eight checkboxes on his page.
"What about file security?" he continues.
"Safe as houses!" I say. "We keep most of the business data on one of our servers."
"You say most?"
"Yeah, well, sometimes people work on stuff from home and don't get a chance to upload it to the website so they keep it on a USB key or their home machine or something."
"What about commercially sensitive documents, intellectual property and the like?"
"Yes, that's the stuff. We try to make it as simple as possible for people to be able to work on their files, without all that unnecessary complexity with access lists and VPNs and audit trails. And the system runs a lot faster without it."
"Backups?" the second bloke asks.
"Regular as clockwork!" the PFY says proudly. "We back everything up to a DAT drive once a month. EVERYTHING. EVERY month! AND we have three different tapes – not just one."
"No daily backups?"
"Not unless someone specifically asks. If that happens we check with all the users and do it when requested – but after we notify people we're doing it. We have a policy on notification prior to backups."
"Why?" auditor 2 asks.
"To make sure we don't back up stuff that people don't want backed up."
"So you don't take any backups apart from a monthly?"
"Not normally, no."
"Aren't you afraid of loss of data from viruses, encryption ransomware?"
"Please. We haven't had one of those for WEEKS!" I counter.
"And it serves as a good lesson to people to be vigilant when it DOES happen," the PFY adds sagely.
"So let me get this straight – you don't have a password policy, you don't have audit trails on file access and modification, and you don't take incremental backups on a regular basis."
"Mmmmmmm. No," the PFY says thoughtfully.
"Well, you realise that this would change under the merger?" the first auditor shoots back. "And frankly, I think there would be some questions asked about your professional competency."
"Fair enough," I reply. "Though we used to implement pretty much all of that at one point, but after that big asbestos thing we were instructed by Legal to ensure that nothing we did would affect the board's ability to use the plausible deniability defence."
"What asbestos thing?" auditor 2 asks nervously. "Was there asbestos in this building?"
"Ah... No?" I say, phrasing my response as a question.
"So you didn't discover asbestos in the ceiling or piping or building infrastructure."
"In the building?" I ask, faking relief. "No. I mean, not in the structure or fittings, no."
"But there was asbestos somewhere else?"
"No, no. Well, probably not. See, it all depends on whether the packages for our products were opened or not. Mostly I think they went out unopened and so everything was fine."
"Your company was MAKING things with asbestos?" he gasps.
"Look, it was a different time then," I say. "And it looked like asbestos would make great heatproof kitchen furniture."
"And there's a record of this?"
"I can ASSURE you there is NO record of this anywhere in the company," I say.
"We destroyed all the backup tapes at the time and we have a six-month maximum email retention policy," the PFY adds. "No loose ends."
"In fact," I add, "the factory was demolished and the land sold to the school next door so there's probably no record the company was even there."
Quicker than you can say "criminal liability" the deal is off and the company concerned has left the stadium. The PFY and I put in for all the extra overtime we'll need to do to reinstate the backup regimes that we never deleted in the first place.
Chicken dinner time at Mission Control.