Tuesday, July 1, 2008

Security 101: Locking Down Your Premises

Bank Infosecurity's Linda McGlasson has an excellent post over at her site today on what happened during a real-world, real-person penetration testing exercise at an (unnamed) financial institution.

I have had two discussions this week with CSOs at banks who said they are becoming overwhelmed with similar real-world security problems, like social engineering of their call-center staff and proper checking of vendors and hosting companies at the front desk.

The bottom line is that a lot of nice people just want to be nice - and that makes them easy targets for people looking to do "walk-in" style attacks. These nice people need to be better trained to understand that sometimes being nice involves being firm and inflexible.

In any case, locking down these vectors is the correct place to start: security efforts should be prioritized by first locking down the physical premises. Putting in place advanced network security is only effective in conjunction with a robust and wide-ranging set of security policies that covers every potential attack vector.

Linda's blog can be found here.

