Welcome to this, the fifth edition of the ISO17799 newsletter, designed to keep you abreast of news and developments with respect to ISO 17799 and information security.
The information contained is free to our subscribers and provides guidance on a range of practical issues, plus commentary on recent Information Security incidents.
In this issue we focus specifically on the dangers of security complacency with everyday devices and technology. Included are the following topics:
IT COULDN'T HAPPEN HERE....COULD IT?
Every issue of the newsletter features at least one TRUE story of an information security breach and its consequences:
1) Confidential Litter?
When an explosion occurred at the head office of a major bank, the surrounding streets were littered with thousands of papers containing confidential customer information.
As well as recovery from the physical incident itself, which happened on a non-working day, the bank therefore had to contend with a serious issue of breach of confidentiality, and the resultant (significant) bad publicity which followed.
This was possibly the one area they had not covered properly in what was otherwise an exemplary disaster recovery plan!
2) The Old Duplication Trick
Two friends, one an employee of an international oil company, created a new company between them. The purpose of the company was entirely to receive payments fraudulently from the oil company.
Their first step in the saga was to gain access to the oil company's London offices out of hours. This was achieved by hiding an electronic micro-transmitter behind the wiring of the magnetic card junction box outside the office entrance. This was placed at a time when the employee had legitimate access to the building. A small room was hired near to the building to receive the actual transmissions.
The employee could now leave the company's employment. Before doing so, however, he had established that the account payment system was split into two discrete suites... one for services, the other for goods. There was no cross checking at all between them.
Over 18 months, the ex-employee entered the building at night, took advantage the feeble terminal access controls, and activated step two.
He essentially gained access to the above payment system and entered invoices and payment orders to his newly created company. All these invoices were duplicates of existing legitimate orders, but were made on the other suite. They were all of approximately 10,000 UKP in value.
Over 18 months the company lost 318,000 UKP. The incident only came to light during a manual audit when an auditor spotted that an invoice for a product had been placed in the service suite. When it was moved across, it was then spotted that two companies were seemingly supplying exactly the same product, which was highly suspicious and merited the full investigation which revealed the fraud.