North American Network Operators Group

Re: Banc of America Article

  • From: Wayne E. Bouchard
  • Date: Sat Jan 25 23:10:57 2003

I think a basic point is being overlooked here..

B of A.. A company that handles untold amounts of cash on a daily
basis. Sure, there are valid needs for people to reach both the
internet and the corporate secure net from inside the company. Might
be very hard to get things done, such as downloading and installing MS
SQL patches otherwise. But since databases in use supposedly contain
highly critical data, how did their servers get infected in the first
place? How did traffic get through to what ought to be designated a
secure port on a secure server? You would also expect that the MOST
critical servers would also be isolated within the secure net as
well, that is, network segmentation. (Just 'cause they're in the same
company doesn't mean the secretary in Ohio needs to access the servers
in San Diego.)

I think that it demonstrates shortcomings in the company's overall
network security policy. Things CAN be easily overlooked and this may
well be a case of something that just didn't get thought about (it
happens) but it definitely bears review by those involved, I should
think.

I mean, FDIC aside, if your money and account numbers, SS info, etc,
etc are in that database, wouldn't you want them to make a few
revisions?

And the scary thought for the night: How about the other banks? Credit
card companies? The credit agencies themselves? What vulnerabilities
exist in those agencies?


(Please note, it is not my intent to criticize the company or the
security folk. My hat goes off to any good security admin. These folks
generally do a good job of making sure that us losers can conduct our
menial business with a reasonable surety that there is no one listening
in.)

---
Wayne Bouchard
[email protected]
Network Dude
http://www.typo.org/~web/resume.html