Welcome to this, the sixth edition of The ISO27000 Newsletter, designed to keep you abreast of news and developments with respect to the ISO 17799 information security standard.
The information contained is free to our subscribers and provides guidance on a range of practical issues, plus commentary on recent Information Security incidents.
IT COULDN'T HAPPEN HERE....COULD IT?
Every issue of The ISO27000 Newsletter features at least one TRUE story of an information security breach and its consequences:
1) Don't Forget The Obvious
Dial-in or remote access can be a real Achilles heel if not properly controlled.
In a recent case, a young hacker gained access to a major corporation's computer system by using the default password of a system engineer's account. It had never been changed since installation, and it gave him considerable scope and privileges.
To cover his tracks, he changed a number of user passwords, partly disabled the system log, created several fictitious privileged users and tampered with the dial-back system code. Growing more ambitious, he established a communication link with another computer and ended up crashing it. All this took place over just two evenings.
Although the hacker was not maliciously causing damage or attempting to make financial gain, his actions caused havoc. The installation ultimately had to shut down its main computer and restore from the previous week's backup, at considerable cost.
2) The Long Goodbye
After a series of serious disagreements with his fellow directors, a director left the UK branch of an international network services company. As the service was used by a number of international banking groups, he decided to exact revenge.
Some time after his departure he was still able to access the system, because the company's termination/departure procedures did not immediately revoke his access rights.
The banking groups found to their horror that extremely rude messages began to appear on their terminal links with other banks for no apparent reason. Transfers were delayed and some messages had parts missing.
It took some time to identify the cause. Although the cost was impossible to quantify, there was certainly serious damage in terms of the company's goodwill and reputation.
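Both stories turn on account hygiene that a periodic audit would have caught: an installation password never changed on a dial-in account, privileged accounts appearing without a matching change record, and a leaver whose access was never revoked. The script below is an added example written for this newsletter issue, not code from the newsletter or from either company involved; the account fields, the HR leaver list and the sample records are all constructed for illustration.

```python
"""Account hygiene audit covering the conditions behind the two incidents above.

Added example. The Account fields, the leaver list and the sample data are
constructed assumptions, not records from the incidents described.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Account:
    username: str
    created: date           # when the account was provisioned
    password_changed: date  # last password change (equal to 'created' = never changed)
    privileged: bool        # administrative / engineer-level rights
    dial_in: bool           # reachable over dial-in or other remote access
    enabled: bool


def audit(accounts, leavers, today, new_priv_window_days=7):
    """Return a list of (username, finding) tuples.

    Findings raised:
      default_password          password never changed since provisioning
      dial_in_default_password  remote access enabled on such an account
      leaver_still_enabled      account of someone on the HR leaver list is still active
      new_privileged_account    privileged account created within the last N days;
                                reconcile against approved change records
    """
    findings = []
    leaver_set = set(leavers)
    window = timedelta(days=new_priv_window_days)
    for a in accounts:
        if a.password_changed <= a.created:
            findings.append((a.username, "default_password"))
            if a.dial_in and a.enabled:
                findings.append((a.username, "dial_in_default_password"))
        if a.username in leaver_set and a.enabled:
            findings.append((a.username, "leaver_still_enabled"))
        if a.privileged and (today - a.created) <= window:
            findings.append((a.username, "new_privileged_account"))
    return findings


# Constructed sample data (assumption, not real accounts).
TODAY = date(2004, 3, 15)
SAMPLE_ACCOUNTS = [
    # installation password never changed, reachable by dial-in
    Account("sysengineer", date(2001, 6, 1), date(2001, 6, 1), True, True, True),
    # healthy account
    Account("alice", date(2002, 1, 10), date(2004, 2, 20), False, False, True),
    # director who has left but whose access was never revoked
    Account("jdirector", date(1999, 4, 3), date(2003, 11, 5), True, True, True),
    # privileged account that appeared two days ago with its default password
    Account("svc_backup2", date(2004, 3, 13), date(2004, 3, 13), True, False, True),
]
SAMPLE_LEAVERS = ["jdirector"]


def run_sample():
    """Run the audit over the constructed sample; used by the self-check below."""
    return audit(SAMPLE_ACCOUNTS, SAMPLE_LEAVERS, TODAY)


if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user:<14} {finding}")
```

The leaver check only works if the HR leaver feed is fed into it promptly; the point of the second story is that the gap between departure and revocation is itself the vulnerability, so run the audit at least daily and, for privileged or remote-access accounts, trigger revocation directly from the HR event rather than waiting for the audit.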