Fun at IT audits, part 4 or "I am not the threat you're trying to protect against" | Reddit

This post at Reddit was bringing a lot of traffic to the blog, so I went to check it out - it turned out that they posted a link to one of the posts in the blog: Always search for the next thing.

The Reddit post provides a good example of the Red Team Mindset.

Next, I want to see their print shop. They run on what essentially are truck sized inkjets. Once the statements are printed, they're put into lockable, wheeled cabinets until they're assembled and mailed. I reach over and touch the padlock - a nice, reliable Master #4. The Director of Compliance snaps at me:

DoC: "What, do you think you could pick that?"

me: "Well, yes. Masters are hard to break but not too difficult to pick. My local lockpicking group uses them to teach people to pick locks."

At this point, everybody's staring at me. The Director of Compliance is not happy.

DoC: "So, you're saying you could waltz in here and steal anything you wanted?"

me: "Well, my job requires me to think like a bad guy. If I were so inclined, I'd make a pretty good thief."

Bank Compliance person: "So do you think they're insecure?"

me: "Listen, listen. They've got multiple controls in place. They've got cameras. They've got key cards. I've been stopped on the way to the bathroom. If I were going to steal data, I'd try to get the feed into the printers - get tens of thousands of records rather than a few hundred."

Director of Compliance: "Where did you learn to think this way?"

me: "Law school."