Security Basics mailing list archives
Re: "It's ok we're behind a firewall"
From: "David Vertie" <verticalrave () hotmail com>
Date: Mon, 24 Feb 2003 08:10:38 +0000
It seems that the reason so many people don't care is mostly because they don't know what has happened to so many other companies in the past.
Many people fall into a false sense of security when it comes to protecting themselves. They either believe that they will not be attacked, or that their current security measures are sufficient.
I have met more than my share of people who say that their firewall/people/resources is/are sufficient and that nobody would ever possibly want to attack or maliciously use their resources for any means whatsoever.
You can only guess what happened to those companies when the big worms struck, e.g. Code Red. I saw many people complaining afterwards about the lack of security that they had.
Ironically, people learn from experience first, as a highlight, however. As for techniques, I suggest a history lesson. People will get mad of course; mostly because they don't think they need a re-education, I guess.
My two cents.
From: Alessandro Bottonelli <a.bottonelli () axis-net it>
To: security-basics () securityfocus com
Subject: Re: "It's ok we're behind a firewall"
Date: Fri, 21 Feb 2003 16:10:37 +0100

On Wednesday 19 February 2003 11:58, John Brightwell wrote:
> "It's ok we're behind a firewall"
> I have been hearing this from customers or prospective customers since the press (many years ago) and Hollywood began to address the "sexy" side of computer crime--the bunch of black hats out there.

According to a statistic (not a survey like the FBI one) by Ernst&Young, 82% of incidents are internal and 55% of those internal incidents are due to human error (accidental deletion of files, spilling coffee into a server, whatever...).

In my experience, the issue is more profound than numbers. When I talk to SME entrepreneurs and I suggest that they DO have an internal problem, when I am lucky they dismiss the issue as irrelevant; when I am not so lucky I piss them off because they argue something along the lines of "I chose my people one by one, they have been working with me for years. When I decide I cannot trust them anymore, I fire them. I don't need a security system to handle that."

When I talk to executives in large corporations I have learned to bite my tongue. I always piss them off with such an issue. Since it is something they feel is almost impossible (or just impossible) to address, they don't want to hear it.

There are three case studies (public--they were in the press) I'd like to share with the list.

Case (1): the SQL Worm. It struck 14,000 post offices in Italy for half a day and only for some functions, namely the POS system. Assuming they spent one man-hour per post office to fix it, at $10 / hour, this is a $140,000 damage made by AN ARMY of "outsiders".

Case (2): Credit Card Cloning. The Italian Police recently arrested 6 people with the charge of cloning credit cards with the help of ONE insider in the Data Center of an Italian bank (unnamed, since the Italian press is usually "kind" with banks). The police stated these people spent something in the neighborhood of $1 Million before getting caught. So this is a $1,000,000 damage made mainly by ONE "insider".

Case (3): Document Shredding at the INS (US). Two managers have recently been charged with destroying documents to be processed at the INS. Tens of thousands of documents are gone forever and there is no way to know what was lost (the processing is outsourced and no pre-registration of such documents is done before they are processed). JHM Research & Development is the outsourcer. They will very likely lose a $325 Million contract for this. So this is a $325 Million damage made by TWO "insiders".

When it comes to damages (not just counting incidents), "insiders" have the motive, the opportunity, and the capacity to do much more damage (one, two, or three orders of magnitude larger) than an army of hackers out there. But entrepreneurs and executives won't listen. If someone on the list has found a way to present such cases without pissing off a prospective customer, PLEASE SHARE WITH US.

--
Alessandro Bottonelli
A.Bottonelli () axis-net it
www.axis-net.it
Current thread:
- "It's ok we're behind a firewall" John Brightwell (Feb 20)
- RE: "It's ok we're behind a firewall" Duane H. Hesser (Feb 22)
- Re: "It's ok we're behind a firewall" Gene Yoo (Feb 24)
- Re: "It's ok we're behind a firewall" Alessandro Bottonelli (Feb 22)
- Re: "It's ok we're behind a firewall" Chris Travers (Feb 24)
- <Possible follow-ups>
- re: "It's ok we're behind a firewall" H C (Feb 20)
- RE: "It's ok we're behind a firewall" Ben Schorr (Feb 22)
- Re: "It's ok we're behind a firewall" David Vertie (Feb 24)
- RE: "It's ok we're behind a firewall" James Liddil (Feb 24)
- RE: "It's ok we're behind a firewall" Chris Santerre (Feb 24)
- RE: "It's ok we're behind a firewall" Duane H. Hesser (Feb 22)