
Compliance Risks that Go Bump in the Night: 3 Horror Stories to Read with the Lights On

Anecdotes team | October 22, 2024 (updated October 22, 2024)

GRC can be a scary business. Year after year, around Halloween we share GRC horror stories from Anecdotes partners and employees. These brave souls have stared risk in the face and lived to tell the tale. Gather round for another trio of bone-chilling accounts of security risk—if you dare. 

Horror Story #1 — Dr. Frankenstein’s Auditors 

This story comes to us from Adam Arellano, Technology Advisor at Traceable.

"It was the tail end of December when I joined a big SaaS company as the lead of their FedRAMP program. Fresh out of the Marine Corps, I didn’t think SaaS sounded that scary. Little did I know what horrors awaited me!

The office was eerily quiet that time of year. Besides the occasional ping from a phantom coworker, I was alone.

My first big task was a compliance audit for one of the biggest SaaS providers in the world. Easy, right? Not so fast. The person who had done it the year before had vanished—poof!—leaving me with nothing but a spooky old graveyard of spreadsheets. The file directories read like dusty tombstones, recording the faintest echoes of audits past.

I spent hours digging for materials I could use, piecing together a body of evidence like a mad scientist constructing a compliance Frankenstein’s monster. Bits and pieces from here and there slowly started coming together, but I couldn’t shake the feeling something was about to go terribly wrong.

Before long, I found myself running the entire audit from this behemoth of a spreadsheet. It was monstrous—tabs upon tabs, with pivot tables so complex they felt cursed, and I was terrified that one wrong move would cause the thing to collapse like a haunted house. The closer the deadlines crept, the more I felt like I was being stalked by an unseen force. I found myself uploading thousands upon thousands of screenshots as evidence. It felt like feeding an insatiable beast, and yet the auditors, like hungry ghouls, kept asking for more.

No matter how many requests we tackled, about 3% of them could not be satisfied. Whatever we brought the auditors, they howled for something else—either the dates were slightly off, or the lists weren’t quite complete. They were the compliance version of zombies, shambling back again and again, and I half-expected them to groan “moooore eviiidence” every time they reappeared.

There were a few close calls and a lot of scary moments, but in the end, we managed to pass the audit. Finally appeased, the auditors returned to the shadows from whence they came. It was like a curse had been lifted, and the office no longer felt haunted."

Lesson learned: Auditors are relentless. If your company’s GRC knowledge rests with one key employee, anyone else will struggle to keep risk at bay. Implement an intelligent automated evidence collection system that maintains documentation for you and makes it easy to satisfy auditor requests.


Horror Story #2 — Zombie Network Resources

It was a day like any other, and Chad Brustin, Senior Director of Information Security at Finfare, was in the process of sunsetting a product. As a final check, he asked his team to confirm that all resources had been decommissioned. 

To his horror, his team’s review revealed that while the public-facing components, such as DNS, were turned off, the underlying network resources in lower-level environments were still on. A zombie networking bill jumped out at the InfoSec team, confirming Brustin’s fear: the system they’d killed wasn’t dead after all. It still lurked within their network.

Could undead assets be living in your network?

Lesson learned: Plan ahead to avoid creating zombie resources. Use continuous monitoring tools to check for shadow IT, generate a complete list of network assets, and monitor changes in your company’s configuration settings. These methods will help you identify and decommission zombie resources lurking within your network and ensure that all assets are turned off in both production and lower-level environments.
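A decommission reconciliation check of the kind this lesson calls for, added here as an example (it is not Finfare's tooling or code). It runs over a constructed inventory snapshot with placeholder resource names and flags three things: resources still active under a sunset product's tag in any environment, active resources with no owner tag at all, and drift between two snapshots.

```python
from collections import defaultdict

# Constructed inventory snapshots, stand-ins for what an asset-inventory tool
# exports. Resource names are placeholders, not any real company's assets.
# Record fields: id, type, env, product tag ("" = untagged), active flag.
def rec(rid, rtype, env, product, active):
    return {"id": rid, "type": rtype, "env": env, "product": product, "active": active}

SNAPSHOT_AT_SUNSET = [
    rec("dns-zone-1", "dns",    "prod",    "legacy-app", False),  # public side: off
    rec("lb-1",       "lb",     "prod",    "legacy-app", False),
    rec("vpc-prod-1", "vpc",    "prod",    "legacy-app", True),   # still on
    rec("nat-stg-1",  "nat-gw", "staging", "legacy-app", True),   # lower env: still on
    rec("vpn-dev-1",  "vpn",    "dev",     "legacy-app", True),
    rec("sg-mystery", "sg",     "dev",     "",           True),   # untagged: shadow IT?
    rec("vpc-prod-2", "vpc",    "prod",    "other-app",  True),
]

def zombie_resources(inventory, decommissioned_product):
    """Active resources still tagged with a decommissioned product, grouped by
    environment so that staging/dev are checked alongside production."""
    leftovers = defaultdict(list)
    for r in inventory:
        if r["product"] == decommissioned_product and r["active"]:
            leftovers[r["env"]].append(r["id"])
    return dict(leftovers)

def untagged_resources(inventory):
    """Active resources with no product tag: candidates for shadow IT that an
    ownership-based decommission sweep would miss entirely."""
    return [r["id"] for r in inventory if r["active"] and not r["product"]]

def drift(previous, current):
    """Resources that appeared or switched to active between two snapshots,
    i.e. configuration changes worth an alert after a decommission."""
    prev = {r["id"]: r for r in previous}
    return sorted(r["id"] for r in current
                  if r["active"] and (r["id"] not in prev or not prev[r["id"]]["active"]))

def decommission_report(inventory, product):
    """Single answer to 'is it really dead?': complete only when nothing tagged
    with the product is still active in any environment."""
    zombies = zombie_resources(inventory, product)
    return {"product": product, "complete": not zombies,
            "zombies": zombies, "untagged": untagged_resources(inventory)}
```

Run the report on each inventory export after a sunset and again on a schedule; a non-empty `drift` result between exports is the signal that something was switched back on.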

Horror Story #3 — The Haunted Cloud

This tale of terror comes from Jake Bernardes, Field CISO at Anecdotes.

“My story actually happened during Halloween week! In those days, I was heading security for a database company. One night, just days before Halloween and a week before our first SOC 2 and ISO 27001 audits, a 3 am phone call woke the household. 

My infant son started wailing. My wife went to calm him as I picked up the phone. I knew a call at the witching hour could only be bad news, and I was right. 

The caller notified me that a customer had contacted us to report a potential data breach. As evidence, they had attached a copy of another customer’s backup. My heart dropped into my stomach. 

Our investigation soon found a skeleton in the closet of our cloud architecture: a shared S3 bucket storing all customer backups. The location of this data boneyard was hardcoded and exposed in the code. While far from best practice, this wouldn’t usually be catastrophic.

However, a customer was dabbling in the arcane, fuzzing the application for some unknown reason. Like a teen with a Ouija board, this customer got a message from beyond—actually, an error message stating their request could not be processed due to the backup process currently running. The error message then provided the data’s location. 

In a horror movie, the main characters always go into forbidden places, touch the forbidden objects, and read the forbidden texts. For some incomprehensible reason, this customer did the same thing. First, they decided to access that bucket. When that worked, they decided to access another customer’s backup. When that worked, they decided to spin up and READ THE DATA! 

Remember, our SOC 2 & ISO 27001 audits were due to happen the following week! It was several days before I properly slept again.

My days and nights were filled with countless email threads, incident analysis, calming down the executive leadership team, and arguing with Legal about not telling the world what had happened. It was truly the stuff of nightmares.

Remember, the real dangers aren’t supernatural—they’re the missed vulnerabilities hiding in plain sight.”

Lesson learned: GRC is not just about controls. It’s about product, process, and people. Do thorough due diligence prior to any audits. When threats emerge from the shadows, you need to know what to do to protect your company’s security posture. Having a technical understanding of the product will help you do it quickly so you can get your beauty sleep before trick-or-treaters (or auditors) arrive.
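The two defects in this story, a missing per-customer authorization check and an error message that hands the client the backup location, shown beside a hardened version. This is an added example, not the company's code: it uses an in-memory stand-in for the shared bucket, and the bucket and customer names are placeholders.

```python
import logging
import uuid

log = logging.getLogger("backup-service")

# Constructed stand-in for the shared bucket: one bucket, per-customer prefixes.
# Bucket and customer names are placeholders, not the company's real ones.
BUCKET = "shared-customer-backups"
OBJECTS = {
    "cust-a/2024-10-25.dump": b"customer A backup",
    "cust-b/2024-10-25.dump": b"customer B backup",
}
BACKUP_RUNNING = {"cust-b"}   # constructed: customer B's backup job is mid-run

class AccessDenied(Exception):
    pass

def leaky_fetch(caller, owner, key):
    """'Before' pattern from the story: no tenant check, and the error handed
    back to the client spells out where the backups live."""
    if owner in BACKUP_RUNNING:
        raise RuntimeError(f"backup in progress, data at s3://{BUCKET}/{owner}/{key}")
    return OBJECTS[f"{owner}/{key}"]

def hardened_fetch(caller, owner, key):
    """Caller may only read its own prefix; clients receive an opaque error
    carrying a correlation id, while the detail goes to the server log only."""
    if caller != owner:
        log.warning("cross-tenant backup read refused caller=%s owner=%s", caller, owner)
        raise AccessDenied("not authorised")
    try:
        if owner in BACKUP_RUNNING:
            raise RuntimeError(f"backup in progress for s3://{BUCKET}/{owner}/")
        return OBJECTS[f"{owner}/{key}"]
    except Exception as exc:
        ref = uuid.uuid4().hex[:12]          # correlate client report with server log
        log.error("ref=%s caller=%s detail=%s", ref, caller, exc)
        raise RuntimeError(f"request could not be processed (ref {ref})") from None

def probe(fetch, caller, owner, key):
    """Drive a fetch function and return exactly what a client would see."""
    try:
        return ("ok", fetch(caller, owner, key))
    except AccessDenied:
        return ("denied", "")
    except RuntimeError as exc:
        return ("error", str(exc))
```

The correlation id keeps the error diagnosable for support without the response carrying any internal path; the authorization check runs before any storage access, so a busy backup job never changes who can read what.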

Learn From These Tales of Woe

It’s fun to share scary stories during the spooky season—a bit of fright can be exhilarating. But if your GRC nightmares aren’t limited to Halloween, feel free to reach out to Anecdotes 🙃
