Send firewall-wizards mailing list submissions to
firewall-wizards@honor.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@honor.icsalabs.com
You can reach the person managing the list at
firewall-wizards-admin@honor.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. Re: Equifax Canada (Paul D. Robertson)
--__--__--
Message: 1
Date: Mon, 20 Jun 2005 08:53:07 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
To: Adrian Grigorof <adi@grigorof.com>
Cc: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Equifax Canada
On Mon, 20 Jun 2005, Adrian Grigorof wrote:
> Apparently this was caused by "improper use of a customer's access codes and
> security password". Can Equifax force its customers (basically all the
> credit institutions and many others) to use a method of authentication
> stronger than a user id/password combination? To quote a recent post from
Sure they can- the credit bureaus are close to a monopoly, they just need
to all agree on a standard and make all their customers use it.
> Marcus J. Ranum:
>
> > How many of you could tell your customers *that*?! People scream
> > and whine over the idea of putting firewalls in (still) - now, attempting
> > to enforce a local policy against a business partner - that's patently
> > ridiculous. Right? Well, technically it's NOT ridiculous, but everyone
> > has basically blown it off.
>
> It is surely cheaper to call 600 customers once a year (ok, make that twice
> a year) than enforcing an expensive authentication infrastructure. Is it not
> a basic principle in IT security that the cost of securing same data should
> be less than what that data is worth? It is true, they lose some
Which is why we need to make it more expensive for them to lose the
data...
> credibility but since they have almost monopoly on the credit checking
> business (there is only one other company) that's still cheaper than
> changing the authentication process. Some heads will probably roll but I
> doubt there will be any major changes and I expect they will be in the news
> again sometime in the future... Besides, compared to 40 million credit
> cards, 600 credit reports are not that bad, eh? Go Canada ;)
>
> If I am not mistaken, the previous incident (March 2004) was a case of
> "criminals masquerading as credit grantors" but I bet the firewall guy(s)
> were again the scapegoats:(
If they didn't produce "this is the risk of allowing this traffic through
the firewalls" in writing, then they *should* be the scapegoats, if they
did, then whoever said "I accept this risk" should be.
We have to stop treating security as a service industry in companies and
start treating it as a fiduciary responsibility. The firewall *should* be
a hurdle to business, and business should be happy to have that hurdle-
make it over and you should have some level of assurance that you're doing
better than average, plow through it and you should be penalized.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."