My Psychologist friend jokingly suggested that auditors receive training  on how to interact with people suffering with  Attention Deficit Disorders, bipolar disorders and in group dynamics in the corporate environment.    A company’s culture is a very complex organism.   Even the smallest places have complicated political and social layers (silos) that have nothing to do with the official roles and functions performed by individuals and shown in organizational charts.    Decisions in organizations, anyone who is observant will confirm, are not always made based on logic, business reasoning, policies, controls, and/or the need to comply with external regulations.  They are often made based on fear, anger, sexual attraction, insecurity, jealousy, greed, hate, prejudices and confusion. Because of these things, it is easy for mentally unstable people to “hide” in the open.   In many organizations these behaviors are sheltered because those at the top benefit from that sort of culture.

I love this line that I have highlighted, because really, its the basis of 99% of the decisions made in corporations. Much of that decision making process on the lower levels (operations) are made for the more base desires founded within the daily sloth of individuals that comprise the management set.

Really.

The thrust of this article is predicated on the idea that many people in positions of management are in fact potentially mentally ill, or show signs of such behavior. I can see some of that, but that is not the case all of the time. This article does not take into account the sloth and greed factors as much as they should be I think on a gross product level within American corporations. Sure there is a lot of greed, but, the closer assessment I have made has been that no one wants to be responsible and would rather just have a “good day” and go home after a solid 7.5 hours of internet surfing.

Other areas of concern would be ineptitude, negligence, lack of capacity for comprehension, and general lacksadazical attitudes on the parts of many where these matters (security/audit) are concerned. These are also backed by the near absolute lack of real follow through by entities to fine and or censure companies that do not comply with regulations and really audit companies well to assure they are doing their part.

So, lacking any real negative re-enforcements, the masses fall into a complacency that allows for such behaviors and feelings of entitlement on the part of managers etc. Also, because of the varying morays of corporations, it is also possible to maximize the behavior because the “manager” is God in the org and can do nothing wrong. If they want that open pipe to the internet to surf YouTube and have a sub standard (and against written corporate policy) password as well as no hard drive encryption to boot, then BY GOD they should have it because they are “management”

In a word, I would say that much of corporate America is “dysfunctional” and needs a good spanking as well as be sent to bed without supper! Or maybe, just maybe some more and REAL oversight in how they do their business should be carried out. Much like we are now seeing with the whole issues with Goldman Sachs and their cavalier attitudes on selling “pure intellectual masturbation” to the masses, thus crashing the economy.

Meh….

On the other hand, were you to take these features into account when you are auditing a company (more to the point penetrating one) then you could use all of these features in your attack. So, remember, always look at not only the threatscape, but also the psy-scape for your openings. Open your ears and take mental notes, because that sub standard password and other breaking of the rules could get you in much further much faster than by having to gain a toehold elsewhere kids.

CoB