Home page logo

basics logo Security Basics mailing list archives

Re: "It's ok we're behind a firewall"
From: Alessandro Bottonelli <a.bottonelli () axis-net it>
Date: Fri, 21 Feb 2003 16:10:37 +0100

On Wednesday 19 February 2003 11:58, John Brightwell wrote:
"It's ok we're behind a firewall"

I have been hearing this from customers or prospective customers since the 
press (many years ago) and Hollywood begun to address the "sexy" side of 
computer crime--the bunch of black hats out there.

According to a statistic (not a survey like the FBI one) by Ernst&Young 82% 
of incidents are internal and 55% of those internal accidents are due to 
human error (accidental deletion of files, spilling coffee into a server, 

In my experience, the issue is more profound than numbers. When I talk to SME 
entrepeneurs and I suggest that thay DO have an internal problem, when I am 
lucky they dismiss the issue as irrilevant, when I am not so lucky I piss 
them off because they argue something along the lines "I chose my people one 
by one, they have been working with me for years. When I decide I cannot 
trust them anymore, I fire them. I don't need a security system to handle 

When I talk to executives in large corporations I learned to bite my tongue. 
I always piss them off with such issue. Since it is something they feel is 
almost impossible (or just impossble) to address, they don't want to hear it.

There are three case studies (public--they were in the press) I'd like to 
share with the list. 

Case (1): the SQL Worm. It stuck 14.000 post offices in Italy for half a day 
and only for some functions, namely the POS System. Assuming they spent one 
man-hour per post office to fix it, at $10 / hour, this is a $140,000 damage 
made by AN ARMY of "outsiders".

Case (2): Credit Card Cloning. The Italian Police recently arrested 6 people 
with the charge of cloning credit cards with the help of ONE insider in the 
Data Center of an Italian Bank (unamed, since the italian press is usually 
"kind" with banks). The police stated these people spent something in the 
neighborhood of  $1 Million before getting cought. So this is a $ 1,000,000 
dollar damage made mainly by ONE "insider".

Case (3): Document Shredding at the INS (US). Two managers have been recently 
charged with destroying documents to be processed at the INS. Tens of 
thousands of documents are gone forever and there is no way to know what was 
lost (the processing is outsourced and no pre-registration of such documents 
is done before they are processed). JHM Research & Development is the 
outsourcer. They will very likely loose a $325 Million contract for this. So 
this is a $325 Million damage made by TWO "insiders".

Whan it comes to damages (not just numbering incidents), "insiders" have the 
motive, the opportunity, and the capacity to do much more damage (one, two, 
or three orders of magnitude larger) than an army of hackers out there. 

But entrepreneurs and executives won't listen. If someone in the list has 
found a way to present such cases without pissing off a prospective customer, 

Alessandro Bottonelli
A.Bottonelli () axis-net it

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]