Wednesday, October 2, 2019

Why I Don't Respect Our Corporate Security or Training Teams

So, I get to work today, and find an email from the computer-based training system saying that I'm nearly a month past due on some of my annual training-requirements. This struck me odd, because I generally make sure to knock out training either the day it's due or the last day I know I'll be in the office immediately before it's due.

I login to the portal to look at the training schedule. I find the "overdue" training. I look in my home directory's training certificates folder and notice that there's a matching ID in there from the second half of January of this year ...meaning that its renewal _should_ have been due in the second half of this coming January.

Go back to the training portal and see, "oh: this is a new revision of the training ...released a few days ago, but with an author-date of a few weeks ago. I guess this update obsoleted my existing training. And it looks like the 'overdue' notice was sent out on the day that the training was made available on the training-portal but back-dated to the day it was authored." All of which is great because our managers get "overdue reports" about each of our training and anything beyond one week overdue is considered unacceptable and might result in our accesses being revoked. So, uh, yeah.
At any rate, I open the new training in my browser ...and quickly discover I have to use a different browser because the _brand new training_ is delivered via Flash and my day-to-day browser disables Flash for security reasons. Irony: the training is security training.

As usual, at the end of the training is a "knowledge check" quiz. As I go through the quiz, there are a few questions whose multiple-choice answers are either "not quite right", have answers whose correctness varies on how you read the question (and the question's wording is awkward/muddy/etc.) ...or straight up wrong.

I answer the questions – including choosing the "next best" answer on one where the one that turned out to be the "correct" answer _rhymed_ with what's correct but was, itself, _not_ correct (unless my ability to rent a car is an example of a best practice around providing a minimized privilege set: apparently, whoever wrote the quiz and whoever did an editorial reading of the test thought "lease privilege" is a real thing in the context of IT security best practices). I hit the done/score button and fail the quiz ...by exactly the number of poorly-written/incorrect questions/answers.
Fortunately, there's a re-try button. So, I go back and provide the right incorrect answers and get a passing grade.

After printing out and saving the certificate of completion, I'm presented with a survey link. "Great," I think to myself, "I'm going to fucking roast them." I was, at minimum, planning to leave a one-word comment, "theiy're," in any available free-form response section. Naturally, the link to the survey doesn't actually work.

WTF.
