Today, raseron made these interesting comments
....
again, jerry, thanks for your thoughts.
it sounds to me like you've had a lot of experience. and i'll
agree with you about management - their focus usually lies
elsewhere and it can sometimes be difficult to convince them
that a threat is real.
i believe that our little scare will help in implementing
stronger security.
hope you're enjoying your retirement.
You're most welcome, Ross. And, thanks for the vote of confidence!
Trouble is, the world of IT security has turned inside out even
since I retired in January, 2002. Yes, that was after 9/11 but
before the major changes in our government to fight the War on
Terror. That said, the bad guys are quite different today.
Yes, I am most enjoying my retirement even though I found my work
experiences fascinating albeit frustrating. I once sent an E-mail
describing in some detail exactly how somebody could come in
either as an employee or through the visitor's lobby, steal
whatever they wanted, and escape undetected to every executive in
Engineering, some 600 men and women. I got exactly one reply,
from my own V.P. His laconic response was "scary, isn't it,
Jerry?". Yes. So, I called his office and tried to get an
appointment with him to lay out a plan to remedy the situation,
being I couldn't do it alone. You guessed it! He was too busy
with cars to worry about me.
Let me lay some more on you: when I was appointed to my job in
August, 1996, I was reasonably prepared technically having led a
committee investigating information security for a couple of
years prior, and having an IT background as a programmer and
later CAD and PC support manager. I also had the "privilege" of
writing the job description for the new Info Security Manager
little knowing I was writing my own! I did a deep dive to learn
as much as I could as quickly as I could to augment what I
already knew about CAD/CAE/CAM and PC security, began working
with our two IT groups at the time, and working with our
intellectual property attorneys to create legally enforceable
policies and procedures. Supplier security was also a big issue,
and much tougher to get my arms around.
Fairly early, I came across an interesting statistic or two. One
was that of ALL confidential information lost by American
companies, something like 80% were inside jobs! Then, I ran
across a story about a multi-year study the USAF did on attempted
compromises of their various IT systems. They concluded that they
were detecting some 250,000 hits per month! Worse - for them and
our country - was that they estimated this number to be only
about 10% of the real total, the rest going undetected. And,
since it is impossible to prove a null hypothesis by example, the
Air Force guys had no clue what was purloined or damaged. By the
time I left active employment, I was reading that the number of
inside jobs responsible for confidential information theft had
grown to more than 90% and today, it is reaching nearly 100%. How
can that possibly be? Large companies, especially those dealing
with financial customers, medical privacy issues, and the like
hardened their systems enough that they believed that little was
getting through from the dirty side. But, more insidious was that
those who study this phenomenon have anecdotal data to support a
theory that more and more people are getting themselves hired
specifically to steal information! It is a scary world out there.
One last thought wrt information security: there's a saying in
the biz that says that the only two people that've never been
compromised or lost data are the arrogant and the ignorant. I'm
sorry you had to learn the hard way, but at least you're on top
of it now. This is the source of management's reluctance to take
this seriously. They THINK they are well enough protected and
since they'd never lost anything (that they knew of!), they saw
little need to take decisive action. So, they were both arrogant
and ignorant, and I was frustrated.
I'll give you one more example that happened at my company
several years ago after I'd left: an E-mail came in with the
malware netsky, I think, that locks onto the address book of the
recipient and sends their malware to everyone in it, does the
same to those recipients, etc. This was a classic denial of
service attack, not one aimed at stealing anything. But, the
nature of mathematical progressions meant the number of E-mails
ringing their way across the entire company world-wide quickly
went into the millions and yes, the system fell over. It needed
to be completely taken down and restarted. Just the log files on
the network that were studied to find how the malware had gotten
past the proxy servers protecting the internal network were on the
order of 30 GB!
Good luck in the future and ask any clarifying questions you
need. I am woefully out-of-date but will try to help, and others
will certainly try as well.