Welcome to NBlog, the NoticeBored blog

I may meander but I'm exploring, not lost

Jul 5, 2010

Disastrous lack of policy?

A DarkReading article caught my attention today:
Demolition firm Ferma nearly failed because its employees lacked a proper security policy.

In mid-2009, an employee at the California firm clicked on a link in an e-mail message and ended up at a malicious website. The site, run by online thieves, used a vulnerability in Internet Explorer to load a Trojan horse on the employee's system. With control of the machine, which was used for much of the firm's accounting, the thieves gathered data on the firm and its finances. A few days later, the thieves used 27transactions to transfer $447,000 from Ferma's accounts, distributing the money to accounts worldwide.

"They were able to ascertain how much they could draw, so they drew the limit," said Ferma president Roy Ferrari in an interview at the time.
It was that opening line that stood out for me.  Was this incident truly due to the lack of a "proper security policy", in fact?  If so, what would that "proper security policy" have said?

I would dispute the article's claim that:
For Ferma, a security policy that forbid surfing on computers used for accounting or resulted in stronger security for such computers would likely have stopped the attack cold.
No policy would have stopped the attack unless (a) employees fully complied with it, and (b) the controls it mandated were sufficiently strong to eliminate all the risks.  'Not surfing on computers used for accounting' would reduce but not eliminate the risk, and it would only provide that limited protection if in fact accounting users never surfed the Interweb on their normal PCs.  It would not have prevented incidents that involved other modes of attack, such as social engineering, network worms or Trojan-infected USB sticks. The incident might have been identified if not blocked by antivirus software, firewalls and network monitoring, and additional business controls over the authorization and release of large value transfers.  Anti-fraud and money laundering controls at the bank/s could have made the criminals' job harder too.

The truth is that information security almost invariably requires multiple overlapping or complementary controls.  To say that this incident was the result of a lack of policy is distinctly misleading.

Comments welcome.  Gary.