Configurations: Trust but Verify

You need to be able to trust your technology and risk reduction controls, but you also need to verify them annually!

This morning the time changed with “fall back” (Daylight Savings Time adjustment) and my wife’s phone went off a 6 AM.  She got up and ready for her day, immediately, because she had early work to perform by a certain time of day.  I then commented to her that her phone may not have the correct time due to fall back.  We looked at my analog watch and, indeed, her phone had not updated properly and she was up an hour early.  I checked the settings on her phone and it was set up to the correct time zone and settings to automatically adjust for daylight savings time.  I then disabled the automatic update, reset the time zone, turned the auto-update back on and checked the time and it had adjusted correct once I had reconfigured the phone.  It was set up properly in the first place but an apparent bug caused it to fail.  Whenever a time zone changes for me, albeit traveling or Daylight Savings Time, I always use my watch to verify that the change took place as it should.  I try to “trust” my computer world but I also “verify”.

4D5A Security performs assessments for organizations, recommended on an annual basis.  Patch levels, exploits, threat actor tools and tactics, and applications all change all the time.  An annual assessment of external and internal resources helps to identify areas where risk may exist without your knowing it.  Perhaps IT opened up a high level port for a guy in sales to share data, but the Security team doesn’t know about it and it’s accepted risk that the company does not want?  Maybe you’re a smaller shop and it works well but you haven’t implemented encryption or didn’t know about certain configurations to harden your server(s) against attack?  No matter what your need, big or small, an annual assessment increases assurance as you “trust but verify” your security posture.

Leave a comment