On 04/27/2011 02:49 PM, Andrew McNabb wrote:
> On Wed, Apr 27, 2011 at 02:30:25PM -0600, Daniel Fussell wrote:
>> In the worst case, the business may not open its doors tomorrow. Don't believe me? I watched an $800 million company disappear literally overnight due to one board member's lack of respect for security and common sense.
>
> This sounds fascinating. What company was it? What happened? (if you can't share, then the anecdote can't help make us believe you :)

I suppose I probably can share, now that the company is dead and gone. And most of the information is public anyway. I'll give you three examples showing damage by an employee and damage by an officer/director in the same company. It's kind of a long-ish story, and I've only found out some of the more damning details recently, though I have had the gist of the he-said-she-said for well over a year now.
On the employee side:

Sometime shortly before 2004, there was once a man who was head of security for a respected local bank which had been around over 100 years (the bank that is, not the man). Head of security is a position floating in the large abyss that separates the tellers on the low side from the officers on the high side. He saved up some money, got an SBA loan, and opened a business selling high-end ice cream with "mix-ins" to high school students with rich parents. It was in a great location, less than 100 yards from his day job. Business was good initially, but then the business started losing money. After a while he had to start working overtime in his primary industry to make up the difference. That is to say, he started robbing the other banks in the area. Then he improved his perceived value at his day job by recording the news reports of the robberies with the attending security camera footage. He would use these in his teller trainings, showing what mistakes the tellers of the victim institutions made that allowed the robbery to happen. This teller didn't look up and make eye contact with the fugitive as he came through the door. This teller was wrapped up in her racy novel. This head teller wasn't watching the tellers. This teller picked her nose while in view of the security camera. You get the idea.

It took a while, but the investigators eventually caught on, and nailed him. Oh the media fanfare! Oh the irony, that he worked for a respected bank! As a security officer no less! Ha ha ha.

But life was not so fun for the bank. It had lost some good-will with its loyal, long-time customers. Now they needed a new security officer, and worse, the state and federal bank examiners decided it would be a grand idea, in light of the employee relationship, to increase the number of annual audits from 1 to 6. Each audit takes about 3 or 4 weeks. Each takes significant amounts of officers' time to prove there is nothing wrong going on.
And then prove it again when the examiners make their reports to the board of directors and the state and federal regulators. You can see how much production is lost when half your year is wasted with a bunch of nincompoops. (Disclaimer: I have no love for bank auditors, when a few of them show up on my firewall/content filter logs as surfing gay porn all day, and talk about how excited they are to be going to France for a sex change. No, I'm not kidding. Is there any wonder why our economy is the way it is? Not to mention another auditor that complains they can connect to the bank's unsecured wireless, but can't get to the Internet and they can report the bank's sensitive information to the home office. Imagine their surprise to find out the bank doesn't use wireless, for security reasons, and they were connecting to an architecture firm across the street with a wide open router. Nope, no warm, fuzzy feelings here.) It took a few years for the auditors to gradually accept there was nothing wrong and drop back to 2 audits a year. But oh, the lost productivity of high paid executives during that time. Still, the bank survived it.

A more IT-related example: There was the head teller, about 20 or 21 years old, that demanded each teller give him their passwords by virtue of him being their supervisor. Which he then used to steal money. Whether it was from the tellers' tills or customer accounts I don't know. It didn't take long to find out about it and catch him. He went to jail, there was no media fanfare, the bank survived. It is surprising, with all the security training the tellers routinely have to go through, that they still handed over their passwords on demand.

On the officer/board of directors side:

Well, this is a longish story that I have no desire to recount myself. Most of it happened after I left the company.
While this is mostly on the social side of failure (not so much on technology, or an engineered attack), it does underscore what a director and/or private shareholder can do with minimal direct information access and their own word processor.

http://www.allbusiness.com/company-activities-management/financial-performance/14016976-1.html

I will add my personal view having seen the inside (I wrote some of the systems designed to guard against total bank meltdown by limiting risk in various areas), and what I've gathered since then. I know each of the officers, and a couple of the board of directors. I have a great deal of respect for those that I know. I kept tabs on the bank after I left as I had a healthy chunk deposited there, as did some of my extended family.

The bank was a privately held, family owned bank. All of the shareholders were Barnes relatives (cousins and what-not). This bank survived the Great Depression, the savings and loan scandals in the late 70's and resultant recession, the dot-com recession, and several large loan losses when businesses went corrupt or bankrupt in-between. But it couldn't survive a whiny librarian and a power-hungry investment banker.

When you read about Curt telling the shareholder(s) that the media had gotten a hold of their letter, I'm afraid the details have been glossed over. As I understand it, the librarian sent copies of the letter to the media, trying to force a change in power, causing the bank run. While most of the shareholders were content to ride things out with the current experienced directors and management, the librarian and investment banker were not. They tried to replace the board with people that would fire the CEO, and any other officer they deemed worthy. Though the bank was not profitable, and would not pay the 3% dividend the shareholders (family) had become used to, I think it still would have survived and eventually turned profitable again.
But banks don't usually survive bank runs, and the FDIC really doesn't like it when the board of directors and the bank management aren't seeing eye-to-eye.

So there's my take. Some of it is probably biased, having been on the outside for most of it, and not being a shareholder myself. It's not much different than other stories you've probably heard, but it is a prime example of how technology systems and policies oftentimes cannot protect against stupid people with position and minimal access.

On the lighter side, I imagine the Barnes family reunions will be much more interesting now. At least for those two people anyway.

Grazie,
;-Daniel Fussell

--------------------
BYU Unix Users Group
http://uug.byu.edu/
The opinions expressed in this message are the responsibility of their author. They are not endorsed by BYU, the BYU CS Department or BYU-UUG.
___________________________________________________________________
List Info (unsubscribe here): http://uug.byu.edu/mailman/listinfo/uug-list
