Good story

On Wed, Apr 27, 2011 at 6:09 PM, Daniel Fussell <dfuss...@byu.edu> wrote:
> On 04/27/2011 02:49 PM, Andrew McNabb wrote:
> > On Wed, Apr 27, 2011 at 02:30:25PM -0600, Daniel Fussell wrote:
> >> In the worst case, the business may not open its doors tomorrow. Don't
> >> believe me? I watched an $800 million company disappear literally
> >> overnight due to one board member's lack of respect for security and
> >> common sense.
> > This sounds fascinating. What company was it? What happened? (if you
> > can't share, then the anecdote can't help make us believe you :)
>
> I suppose I probably can share, now that the company is dead and gone.
> And most of the information is public anyway. I'll give you three
> examples showing damage by employee and damage by officer/director in
> the same company. It's kind of a long-ish story, and I've only found
> out some of the more damning details recently, though I have had the
> gist of the he-said-she-said for well over a year now.
>
> On the employee side:
>
> Sometime shortly before 2004, there was once a man who was head of
> security for a respected local bank which had been around over 100 years
> (the bank, that is, not the man). Head of security is a position
> floating in the large abyss that separates the tellers on the low side
> from the officers on the high side. He saved up some money, got an SBA
> loan, and opened a business selling high-end ice cream with "mix-ins" to
> high school students with rich parents. It was in a great location,
> less than 100 yards from his day job. Business was good initially, but
> then the business started losing money. After a while he had to start
> working overtime in his primary industry to make up the difference.
> That is to say, he started robbing the other banks in the area.
>
> Then he improved his perceived value at his day job by recording the
> news reports of the robberies with the attending security camera
> footage.
> He would use these in his teller trainings, showing what
> mistakes the tellers of the victim institutions made that allowed the
> robbery to happen. This teller didn't look up and make eye contact with
> the fugitive as he came through the door. This teller was wrapped up in
> her racy novel. This head teller wasn't watching the tellers. This
> teller picked her nose while in view of the security camera. You get
> the idea.
>
> It took a while, but the investigators eventually caught on, and nailed
> him. Oh the media fanfare! Oh the irony, that he worked for a
> respected bank! As a security officer no less! Ha ha ha. But life was
> not so fun for the bank. It had lost some good-will with its loyal,
> long-time customers. Now they needed a new security officer, and worse,
> the state and federal bank examiners decided it would be a grand idea,
> in light of the employee relationship, to increase the number of annual
> audits from 1 to 6. Each audit takes about 3 or 4 weeks. Each takes
> significant amounts of officers' time to prove there is nothing wrong
> going on. And then prove it again when the examiners make their reports
> to the board of directors and the state and federal regulators. You can
> see how much production is lost when half your year is wasted with a
> bunch of nincompoops. (Disclaimer: I have no love for bank auditors,
> when a few of them show up on my firewall/content filter logs as surfing
> gay porn all day, and talk about how excited they are to be going to
> France for a sex change. No, I'm not kidding. Is there any wonder why
> our economy is the way it is? Not to mention another auditor that
> complains they can connect to the bank's unsecured wireless, but can't
> get to the Internet and they can report the bank's sensitive information
> to the home office.
> Imagine their surprise to find out the bank doesn't
> use wireless, for security reasons, and they were connecting to an
> architecture firm across the street with a wide open router. Nope, no
> warm, fuzzy feelings here.)
>
> It took a few years for the auditors to gradually accept there was
> nothing wrong and drop back to 2 audits a year. But oh, the lost
> productivity of high paid executives during that time. Still, the bank
> survived it.
>
> A more IT related example:
>
> There was the head teller, about 20 or 21 years old, who demanded each
> teller give him their passwords by virtue of him being their
> supervisor. Which he then used to steal money. Whether it was from the
> tellers' tills, or customer accounts I don't know. It didn't take long
> to find out about it and catch him. He went to jail, there was no media
> fanfare, the bank survived. It is surprising, with all the security
> training the tellers routinely have to go through, that they still
> handed over their passwords on demand.
>
> On the officer/board of directors side:
>
> Well, this is a longish story that I have no desire to recount myself.
> Most of it happened after I left the company. While this is mostly on
> the social side of failure (not so much on technology, or an engineered
> attack), it does underscore what a director and/or private shareholder
> can do with minimal direct information access and their own word processor.
>
> http://www.allbusiness.com/company-activities-management/financial-performance/14016976-1.html
>
> I will add my personal view having seen the inside (I wrote some of the
> systems designed to guard against total bank meltdown by limiting risk
> in various areas), and what I've gathered since then. I know each of
> the officers, and a couple of the board of directors. I have a great
> deal of respect for those that I know. I kept tabs on the bank after I
> left as I had a healthy chunk deposited there, as did some of my
> extended family.
> The bank was a privately held, family owned bank. All
> of the shareholders were Barnes relatives (cousins and what-not). This
> bank survived the Great Depression, the savings and loan scandals in the
> late '70s and resultant recession, the dot-com recession, and several
> large loan losses when businesses went corrupt or bankrupt in-between.
> But it couldn't survive a whiny librarian and a power-hungry investment
> banker. When you read about Curt telling the shareholder(s) that the
> media had gotten a hold of their letter, I'm afraid the details have
> been glossed over. As I understand it, the librarian sent copies of the
> letter to the media, trying to force a change in power, causing the bank
> run. While most of the shareholders were content to ride things out
> with the current experienced directors and management, the librarian and
> investment banker were not. They tried to replace the board with people
> that would fire the CEO, and any other officer they deemed worthy.
>
> Though the bank was not profitable, and would not pay the 3% dividend
> the shareholders (family) had become used to, I think it still would
> have survived and eventually turned profitable again. But banks don't
> usually survive bank runs, and the FDIC really doesn't like it when the
> board of directors and the bank management aren't seeing eye-to-eye.
>
> So there's my take. Some of it is probably biased, having been on the
> outside for most of it, and not being a shareholder myself. It's not
> much different than other stories you've probably heard, but it is a
> prime example of how technology systems and policies oftentimes cannot
> protect against stupid people with position and minimal access.
>
> On the lighter side, I imagine the Barnes family reunions will be much
> more interesting now. At least for those two people anyway.
>
> Grazie,
> ;-Daniel Fussell
> --------------------
> BYU Unix Users Group
> http://uug.byu.edu/
>
> The opinions expressed in this message are the responsibility of their
> author. They are not endorsed by BYU, the BYU CS Department or BYU-UUG.
> ___________________________________________________________________
> List Info (unsubscribe here): http://uug.byu.edu/mailman/listinfo/uug-list

-- 
Bryce