If you tell enough stories, perhaps the moral will show up.


Naming More Risks

On the theory that risks need names, here are a couple more from the recent Sumitomo bank job.

  • O'Donoghue (Kevin) risk: Bent security guards.
  • Rodley ("Lord" Hugh) risk: Dealing with stereotypical peers who aren't in Debrett's. Check the photo in the BBC report....
There are some lessons there as well.
  • First reports are generally wrong. On the morning the arrests were made, I was told to drop everything and check out all machines with access to SWIFT for keyboard loggers. That would have made sense (it probably always makes sense), but it wasn't relevant to the facts of this attack, which was based on software loggers.
  • Access control around documentation is not security by obscurity. Or if it is, then security by obscurity works, because what allowed Sumitomo to keep its funds was the mild complication of the fund transfer setup.
  • Business-hours limitations would have made sense, too.
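The business-hours point is easy to state and easy to get wrong at the edges: weekends, the closing minute, and daylight-saving shifts between the clock a request is stamped with and the bank's local clock. The following is an added example, not code from the original post or from any bank's systems, of a release-window check run over constructed transfer requests; the 09:00-17:00 Europe/London window, the request IDs and the amounts are all assumptions. Out-of-window requests are held for manual review rather than dropped, so every attempt remains visible to whoever watches the queue.

```python
from dataclasses import dataclass
from datetime import datetime, time, timezone
from zoneinfo import ZoneInfo


@dataclass(frozen=True)
class TransferRequest:
    """One outbound payment instruction (constructed for this example)."""
    request_id: str
    amount_gbp: int          # whole pounds; avoids float arithmetic on money
    submitted_at: datetime   # must be timezone-aware


@dataclass(frozen=True)
class BusinessHoursPolicy:
    """Hypothetical release window: weekdays, 09:00-17:00 in the bank's local zone."""
    tz_name: str = "Europe/London"
    opens: time = time(9, 0)
    closes: time = time(17, 0)                    # exclusive: 17:00 itself is out of hours
    weekdays: frozenset = frozenset(range(0, 5))  # Mon=0 .. Fri=4

    def within_window(self, when: datetime) -> bool:
        """True only if the request, converted to local time, lands inside the window."""
        if when.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        local = when.astimezone(ZoneInfo(self.tz_name))
        return (local.weekday() in self.weekdays
                and self.opens <= local.time() < self.closes)


def evaluate_transfers(requests, policy=BusinessHoursPolicy()):
    """Return {request_id: (decision, reason)} for each request.

    Decisions are 'release' or 'hold'; a hold is never a silent drop, so the
    reason string is what a reviewer would see in the exception queue."""
    decisions = {}
    for req in requests:
        local = req.submitted_at.astimezone(ZoneInfo(policy.tz_name))
        stamp = local.strftime("%a %Y-%m-%d %H:%M %Z")
        if policy.within_window(req.submitted_at):
            decisions[req.request_id] = (
                "release", f"GBP {req.amount_gbp:,} submitted {stamp}, inside business hours")
        else:
            decisions[req.request_id] = (
                "hold", f"GBP {req.amount_gbp:,} submitted {stamp}, outside business hours; manual review required")
    return decisions


# Constructed sample requests, stamped in UTC as a payment gateway might record them.
SAMPLE_REQUESTS = [
    TransferRequest("T-001", 25_000, datetime(2024, 3, 12, 10, 30, tzinfo=timezone.utc)),     # Tue 10:30 GMT
    TransferRequest("T-002", 9_000_000, datetime(2024, 3, 16, 2, 15, tzinfo=timezone.utc)),   # Sat 02:15 GMT
    TransferRequest("T-003", 400_000, datetime(2024, 7, 10, 16, 30, tzinfo=timezone.utc)),    # Wed 16:30 UTC = 17:30 BST
    TransferRequest("T-004", 60_000, datetime(2024, 3, 12, 17, 0, tzinfo=timezone.utc)),      # Tue 17:00 GMT, closing minute
]


if __name__ == "__main__":
    for rid, (decision, reason) in evaluate_transfers(SAMPLE_REQUESTS).items():
        print(f"{rid}: {decision:7} {reason}")
```

T-003 is the case that catches naive implementations: 16:30 UTC looks comfortably inside a 09:00-17:00 window until it is converted to British Summer Time, where it is 17:30 and must be held.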

