Welcome to the fourth edition of The ISO27000 Newsletter, designed to keep you abreast of news and developments with respect to ISO 17799 and information security.
The information contained in this newsletter is absolutely free to our subscribers and provides guidance on various practical issues, plus commentary on recent Information Security incidents.
Guidance and information included in this issue:
IT COULDN'T HAPPEN HERE... COULD IT?
Every issue of The ISO27000 Newsletter features at least one TRUE story of an information security breach and its consequences. Again, in this issue, we focus upon 'low-tech' but high-impact incidents:
1) Remote, or dial-in access can be a real Achilles heel if not properly controlled. In a recent case a young hacker gained access to a major company's system by using the default password of a system engineer (which had never been changed!).
This gave him considerable scope and powers of access. To cover his tracks, however, he partially disabled the machine log, changed a number of user passwords, created several fictitious privileged users and tampered with the dial-back system.
Getting more ambitious he established a communication link with another computer and ended up making it crash. All this took place over a couple of evenings.
To recover from the havoc, the installation had to shut down its prime computer and restore from the previous week's backup, at considerable cost.
2) On 25th October a contract programmer who had once worked for a large US-based bank walked into the 'inner sanctum' of the main building (the security guards vaguely remembered him as someone permitted to do so). In the dealing room he claimed to be conducting a quality audit, questioned a junior employee and watched a program run, noting down security codes as they were entered. He then left and hung around outside until just after normal trading time.
He then rang the Bank from a public phone box and initiated an electronic funds transfer using the codes... $10.2m to a Swiss account.
The plan nearly failed when he found that he had noted one of the codes incorrectly, but he rang the Bank department back and incredibly managed to trick a different employee into revealing the correct digit.
He flew to Switzerland and later returned with the money. He was caught simply because he couldn't resist boasting about his great feat. When the police contacted the bank they were still totally unaware of their loss!
3) Over a period of nine months, the number of computer malfunctions within a large company had risen from an average of two per year to critical levels. The impact was such that the business fell behind with its invoicing systems and had to buy processing and backup from third parties. As it could not deliver some of its services reliably, it started to lose the confidence of its customers. The situation began to spiral.
Eventually, the company suspected foul play may be involved and called the police. Secret surveillance equipment was installed to monitor staff. One was filmed lightly scratching circuit boards in disk units and also attaching paper clips to them. Both these actions led to a short circuit.
When confronted, he confessed everything. His motive was to earn overtime, which was needed to process the work delayed by the malfunctions. He netted 689 UKP over the 9 months. The company lost at least 500,000 UKP.