Welcome to the ninth issue of ISO 17799 News, designed to keep you abreast of developments and news with respect to ISO17799 and information security.
The newsletter is absolutely free to our subscribers and provides guidance on various practical issues, plus commentary on recent Information Security incidents.
Included in this edition are the following topics:
IT COULDN'T HAPPEN HERE....COULD IT?
Every issue of The ISO27000 Newsletter features at least one TRUE story of an information security breach and its consequences:
1) A Simple One - But A common One
This one worked for years. The problem is that it still does!
A mainframe programmer in a large organixation thought it would be a hoot to collect the passwords of his colleagues and explore what they actually had filed under their own userids.
To achieve this, he wrote a very simple script to emulate the exact look of thestandard welcome screen for logon. The script didn't logon of course, instead it provided a duplicate of the user-id/password screen, and then filed the input provided by the user to a common area. Instead of then logging the user onto the system, it presented the 'System is not available' message. The user invariably got up and walked away at this point, enabling him to quickly retrieve the gathered authentication details.
Unfortunately, armed with a growing number of access details, he just could resist going further than just being nosey. He began to actively seek more information, first on himself, then on others. Realizing that he could do so apparantly anonymously, he was soon changing information. Quickly, he was out of control and was accessing and changing files almost every day.
He was only caught when someone spotted that the 'last logon' date for their account was clearly incorrect (they had only just returned holiday). Their report was taken seriously, and observation and investigation initiated.
Hardly surprisingly, his excuse that he was "only having fun" was not enough to save him.
2) The 'Perfect' Business Continuity Plan
Yes, we have published this one previously - but it is our favorite true story!
A major financial institution took pride in its business continuity planning, and had in place what it considered to be a comprehensive plan of the highest quality. Indeed, the plan itself had been fully tested only days prior to the fateful incident.
On a quiet Sunday afternoon, the tranquility was disturbed by a large explosion in their main office block in the center of a large city. It was not a bomb or terrorist incident, but a serious gas explosion.
The company confidently swung the BSP into full effect, almost as quickly as the media hit town, to immediately discover something that the plan, as good as it was, had overlooked! The streets were full of paper from the office containing a wide variety of confidential customer information. Sensitive data was lying around for any passer by or observer to simply pick up and read.
For all the planning and testing, a single security lapse had cost them dear, as this aspect of the incident was reported again and again.
The moral of the story is of course that the office clean desk policy, and secure filing of confidential data policy, can actually prove to be extremely important!