

After JPMorgan Breach, a Greater Push to Fortify Wall Street Banks - dnetesn
http://dealbook.nytimes.com/2014/10/21/after-jpmorgan-cyberattack-a-push-to-fortify-wall-street-banks/?ref=technology

======
waps
> Top officials at the Treasury Department are discussing the need to bolster
> fortifications around a critical area of cybersecurity: outside vendors,
> which include law firms, accounting and marketing firms and even janitorial
> companies, according to several people briefed on the matter.

> The push by government officials is a stark acknowledgment of the
> vulnerability of financial institutions to an attack — even after they have
> spent hundreds of millions of dollars to protect themselves — if one of
> their vendors is not fully prepared.

This makes you seriously wonder. Apparently, janitorial companies get
sufficient network access at JP Morgan to download client lists. Apparently
that is quite common at Wall Street banks.

Then again, having worked at one, this doesn't really surprise me. The only
things that have a decent security architecture are the transaction processing
systems (and they're not isolated from each other either).

And at one of those banks the reason that janitorial company managers have
access to client lists is that copies are stored as Excel spreadsheets on SMB
shares and management can't be bothered with access lists, so all is set to
public access.
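
The "everyone can read the share" state described above is something an administrator can audit rather than guess at. The following is an added example, not code from the thread or from any bank; it is a PowerShell script for a Windows file server that lists non-administrative SMB shares on which a broad principal (Everyone, Authenticated Users, Domain Users, and similar) is granted Allow access at either the share layer or the NTFS layer, and then counts the spreadsheets sitting behind each flagged path. It assumes the SmbShare module (Windows Server 2012 / Windows 8 and later) and an elevated session on the server itself; the list of "broad" principals and the file extensions are this script's own choices.

```powershell
# Added example, not from the thread: flag SMB shares on this Windows file server
# where a broad principal is granted access at the share layer or the NTFS layer,
# then count the spreadsheets behind each flagged path.
# Assumptions: run elevated on the file server; SmbShare module present
# (Windows Server 2012 / Windows 8 and later). The principal list and the file
# extensions below are this script's own choices.

$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ANONYMOUS LOGON',
    'BUILTIN\Users'
)

function Test-BroadPrincipal {
    param([string]$Account)
    # Exact matches for the well-known names above, plus "<DOMAIN>\Domain Users",
    # whose prefix depends on the domain.
    return ($BroadPrincipals -contains $Account) -or ($Account -match '\\Domain Users$')
}

$findings = foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
    # Share-layer ACL. Administrative shares (C$, ADMIN$, IPC$) carry the
    # Special flag and are skipped.
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        if ($ace.AccessControlType -eq 'Allow' -and (Test-BroadPrincipal $ace.AccountName)) {
            [pscustomobject]@{
                Share = $share.Name; Path = $share.Path; Layer = 'Share'
                Principal = $ace.AccountName; Rights = "$($ace.AccessRight)"
            }
        }
    }
    # NTFS ACL on the share root. Effective access is the intersection of the
    # two layers, so "Everyone / Full Control" at the share layer is only safe
    # if NTFS actually restricts the folder. Broad grants at either layer are
    # reported so the reviewer can see which layer is doing the work.
    if (Test-Path -LiteralPath $share.Path) {
        foreach ($rule in (Get-Acl -LiteralPath $share.Path).Access) {
            if ($rule.AccessControlType -eq 'Allow' -and
                (Test-BroadPrincipal $rule.IdentityReference.Value)) {
                [pscustomobject]@{
                    Share = $share.Name; Path = $share.Path; Layer = 'NTFS'
                    Principal = $rule.IdentityReference.Value
                    Rights = "$($rule.FileSystemRights)"
                }
            }
        }
    }
}

# How much spreadsheet data sits behind each flagged path.
$exposure = foreach ($group in $findings | Group-Object Path) {
    $files = Get-ChildItem -LiteralPath $group.Name -Recurse -File `
        -Include *.xls, *.xlsx, *.xlsm, *.csv -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Path         = $group.Name
        BroadGrants  = $group.Count
        Spreadsheets = ($files | Measure-Object).Count
    }
}

$findings | Sort-Object Share, Layer | Format-Table -AutoSize
$exposure | Sort-Object Spreadsheets -Descending | Format-Table -AutoSize
```

The script only reports; fixing a flagged share means replacing the broad grant with a group scoped to the people who actually need the data, for example `Revoke-SmbShareAccess -Name <share> -AccountName Everyone -Force` followed by `Grant-SmbShareAccess -Name <share> -AccountName '<DOMAIN>\<group>' -AccessRight Change -Force`, and making the NTFS ACL on the folder match. Checking only the share root's NTFS ACL is a deliberate simplification: subfolders with broken inheritance can be more open than the root, so a full audit walks the tree.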

~~~
superuser2
I'm guessing that this is being talked about by people with very primitive/old
conceptions of "the network." Janitorial companies can plug laptops into
ethernet jacks, therefore they "have access to the network."

Of course, that doesn't mean that they have credentials for business applications
or databases with interesting data, but that could easily get lost as it
percolates up the chain from actual sysadmins to policy people.

~~~
waps
I think the bigger problem is that business people and managers expect
security to just work the way they intend without them having to even think
about what the correct security policy for X is. When you don't want to think
about it and do want to share stuff the only tolerable security policy is
public access, at least within the organisation.

Then they proceed to give a domain account to the janitor ... and then the
customer list leaks.

Like most other problems at banks, the issue here is large numbers of stupid
people, especially at the top.

~~~
dragonwriter
> I think the bigger problem is that business people and managers expect
> security to just work the way they intend without them having to even think
> about what the correct security policy for X is. When you don't want to
> think about it and do want to share stuff the only tolerable security policy
> is public access, at least within the organisation.

I think the bigger problem in enterprises is UX failure -- not necessarily of
_computer_ systems, but of the _human_ systems by which access is managed. It's
not that managers don't want to think about security, it's just that IT
security organizations often don't present a clear, consistent, _efficient_
(in time and effort) interface to their customers to implement security
policy, and management works around that by demanding broader access (in the
limit case, public access) than is necessary, because otherwise the basic work
can't get done.

Security organizations very often forget that usability -- both of the secured
systems and of the process by which the business owners of systems manage
access -- is as important to effective security as technical safeguards.

