North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

OT: Re: User negligence?

  • From: Len Rose
  • Date: Sun Jul 27 00:58:45 2003


I humbly disagree. It is not user negligence, but rather neglgence on 
behalf of the entity's systems team, or perhaps the entity's failure 
to support their own systems team by hiring competent staff instead
of relying on people who play office politik or look nice in a suit 
and tie. User's are not expected to be secure their machines, or
even barely know more than how to use a handful of applications. 
In the bank's case hopefully they are supposed to be financial experts.

One can also  blame the entity for basing their operations on a joke
operating system of course (tired argument).

Not calling it a breach of security is simply.. ridiculous. It is a
most flagrant breach of security if they can't even secure their own
internal networks and systems. Host level security should be the
easiest thing to accomplish given competent systems staff.

The entity should have had a team in place that protected systems,
disabled vulnerable services running on the joke operating system,
and that stayed on top of any threat no matter what day of the week
it happened to be. 

Nothing like berating the obvious.

This is off topic and I'm not going to pursue this further on
this list.


Sean Donelan said:

> Unfortunately there are a lot, and growing number, of self-infected PCs
> on the net.  As the banks point out, this is not a breach of the bank's
> security. Nor is it a breach of the ISP's security.  The user infects
> his PC with a trojan and then the criminal uses the PC to transfer money
> from the user's account, with the user's own password.
> "The fact that hackers got access to bank customer's accounts was not due
> to inadequate security at the bank, but due to "user negligence", an
> e-commerce company said on Thursday.
> [...]
> "Consumers should be vigilant when opening emails. If they receive strange
> emails, or emails from people or companies they do not know, it is better
> not to open the mail - especially attachments. These intrusions were
> clearly not a result of any vulnerability in Absa's Internet security."