Friday, December 12, 2008

Guardians? What Guardians?

Yesterday, the New York Times covered the recent arrest of Bernard L. Madoff.

Madoff, a prominent Wall Street Hedge fund manager, has admitted to running a $50 Billion Ponzi scheme.

While law enforcement has been quick to react, the revelation came when Mr. Madoff confessed to an associate. While rival Hedge fund managers had been suspicious that Madoff's results were too good to be true, THE REGULATORS HAD NO CLUE.

Years ago, there were many warnings on and off the Hill. Regulators, economists and many others sounded the alarm that allowing an entire financial industry to exist without regulations was a bad idea. However, the standard responses were: regulations are bad, the market will police itself, we can trust our Hedge fund managers. Well, look at what has happened. AIG failed to accurately assess and hedge their risks. Dozens of financial institutions have gone under and hundreds more are at risk. Hedge fund managers have admitted to running a crooked game.

The lesson is clear, systems and the people who work within them are not self-policing. Shocker. I am sure Machiavelli and Juvenalis are laughing at the continuing naivete of the human race.

Now, right now, we have a very similar pattern emerging in information technology. Institutions around the world are virtualizing like crazy. IT is deploying the vast majority of these virtual infrastructures without any of the protections I recommend here. PCI, HIPAA, SOX, you name it, these IT Groups are putting sensitive data about you and me, valuable data worth billions of dollars is at risk.

Where are the Guardians?

The Guardians are out to lunch, they missed the memo, they drank the Kool-aid from the platform vendors.

People like myself, Chris Hoff, Greg Ness, Ian Pratt, Brandon Baker and many others are sounding the alarm.

It's time for the Guardians to get to work. It's time for the IT security team to get off their butts and start addressing this issue.


Tuesday, December 9, 2008

Registrar's are still a weak link

Very nice article on the hack against Check Free here.

Current theories center on the likelihood that a Check Free employee got suckered by a phishing or straight-up social engineering attack.

I'm going to hazard a guess that this was a spear-phish or more targeted form of attack. A quick search of Linkedin, Facebook and other social networking applications finds a treasure trove of CheckFree/Fiserv employees.

It's a small step to go from these links to a targeted attack against Fiserv IT staff.

However, as the article notes Fiserv was not the only target in this attack and Financial Institutions (FI) are dangerously reliant on a single registrar.

My recommendations:
  1. FI's and others must monitor and protect themselves from domain hijack -- I recommend Pharming Shield.
  2. Get social networking applications out of the data center, IT personnel must not use corporate resources (including email) to access these sites
  3. The Financial Industry is at risk from a single-point of failure at Network Solutions. This must be addressed through community efforts and directly by the platform providers.
Happy Holidays!