“Startling” Gaps in US Bank Security

The San Francisco Chronicle notes that you can easily fool American bank employees with a uniform and a webpage:

With a startling success rate, security researchers disguised as fire inspectors, exterminators or government safety monitors were able to slip past tellers in nearly 1,000 bank branches and steal confidential data about customers, according to a study being released Tuesday.

Startling indeed. It begs the question of why tellers are so unaware or unconcerned.

Using little more than simple disguises, basic e-mail trickery and smooth talking, the researchers from Baton Rouge, La.-based TraceSecurity Inc. walked off with loan applications, laptops, backup tapes of customer databases and even big computer servers that they simply carried out the front door.

The bottom line is that there is an education and training issue here. I disagree with the following conclusion:

But it illustrates something provocative about the way security has changed with the rise of the Internet, which has shifted so much of the attention and dollars spent on security toward computer networks and threats from hackers. That has in many cases led to less training for employees on how to prevent physical breaches, Stickley said.

False correlation. The change is not directly a result of the Internet but more likely from a shift in American business and banking culture. Tellers used to be far more vested in the welfare of their company and were far more qualified for the job. The cost of education was undervalued by banks, which led them to cut corners and hire more temporary, unskilled and contract/outsourced workers. The new model appears to be based on an assumption that no one will exploit frail (not to be confused with inexpensive) defenses, or if they do that the cost of liability transfer will still be below the cost of maintaining skilled and security-aware employees.

Stickley said the easiest disguise to pull off was the fire inspector, because with just a uniform and a badge, researchers were often given deep access to a facility even without an appointment beforehand. The other ruses were harder, requiring more advance planning with fake Web domain name registration and phony e-mails alerting employees that an exterminator would be coming by.

What this really shows is a much greater problem than physical security. In the coming years far more scrutiny will be paid by regulators to the trust model that financial institutions have set up for partners, vendors, and other service providers. Outsourcing might have solved a financial riddle, but that was before the cost of security and compliance was factored in properly.

CIS Guidelines for Security Metrics

Dark Reading seems to be an advertising site. Every time I read an article there it feels more like a vendor press release than anything insightful or balanced. That being said, I have not found mention of this anywhere else (yet):

The first set of metrics that the CIS will release tomorrow for download are: mean time between security incidents; mean time to recover from security incidents; percentage of systems configured to approved standards; percentage of systems patched to policy; percentage of systems with anti-virus; percentage of business applications that had a risk assessment; percentage of business applications that had a penetration or vulnerability assessment; and percentage of application code that had a security assessment, threat model analysis, or code review prior to production deployment.

This would be a very useful set of data, indeed. In fact, it mirrors a set of questions I proposed for the survey at the Protect ’08 conference in Washington DC. My questions were not chosen for the survey, unfortunately, or they would have coincided with this CIS press release. Oh well.

A universal grading system is a bit pie-in-the-sky for me. How many schools have how many interpretations of grading after how many years and yet CIS believes they will crack the code of a common security grading system?
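The eight CIS metrics quoted above are all either a mean duration over an incident list or a percentage over an inventory, so they are easy to compute once the underlying records exist. The script below is an added example, not CIS's own tooling or anything from the article; the data model (Incident, System, Application, Deployment) and the sample records are constructed for illustration. It measures "time between incidents" as the gap between successive detection times and returns None where a mean is undefined (no incidents, or fewer than two for a gap), which is exactly the edge case a grading scheme has to decide how to score.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional, Sequence


@dataclass
class Incident:
    name: str
    detected: datetime
    recovered: datetime


@dataclass
class System:
    hostname: str
    configured_to_standard: bool
    patched_to_policy: bool
    antivirus_installed: bool


@dataclass
class Application:
    name: str
    risk_assessed: bool
    pen_tested: bool          # penetration or vulnerability assessment done


@dataclass
class Deployment:
    component: str
    security_reviewed: bool   # security assessment, threat model or code review before production


# Constructed sample data (hypothetical incidents, hosts and applications)
INCIDENTS = [
    Incident("phish-01", datetime(2008, 9, 1, 9), datetime(2008, 9, 1, 13)),    # 4 h to recover
    Incident("malware-02", datetime(2008, 9, 11, 9), datetime(2008, 9, 12, 9)), # 24 h to recover
    Incident("lostlaptop-03", datetime(2008, 9, 21, 9), datetime(2008, 9, 21, 11)),  # 2 h to recover
]
SYSTEMS = [
    System("teller-01", True, True, True),
    System("teller-02", True, True, False),
    System("loanapp-db", False, True, True),
    System("backup-srv", True, False, False),
    System("kiosk-01", False, False, False),
]
APPLICATIONS = [
    Application("online-banking", True, True),
    Application("loan-origination", True, False),
    Application("branch-scheduler", False, False),
    Application("hr-portal", False, False),
]
DEPLOYMENTS = [
    Deployment("auth-service", True),
    Deployment("statement-export", True),
    Deployment("marketing-site", False),
    Deployment("wire-transfer", True),
]


def percentage(items: Sequence, predicate: Callable) -> float:
    """Percentage of items satisfying predicate; an empty population scores 0.0."""
    if not items:
        return 0.0
    return round(100.0 * sum(1 for i in items if predicate(i)) / len(items), 1)


def mean_time_to_recover_hours(incidents: Sequence[Incident]) -> Optional[float]:
    """Mean detected-to-recovered duration in hours; None if there are no incidents."""
    if not incidents:
        return None
    for inc in incidents:
        if inc.recovered < inc.detected:
            raise ValueError(f"{inc.name}: recovered before detected")
    total = sum((i.recovered - i.detected for i in incidents), timedelta())
    return total.total_seconds() / 3600 / len(incidents)


def mean_time_between_incidents_hours(incidents: Sequence[Incident]) -> Optional[float]:
    """Mean gap between successive detection times in hours; None with fewer than two incidents."""
    if len(incidents) < 2:
        return None
    starts = sorted(i.detected for i in incidents)
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    return sum(gaps, timedelta()).total_seconds() / 3600 / len(gaps)


def cis_metrics(incidents=INCIDENTS, systems=SYSTEMS, apps=APPLICATIONS, deployments=DEPLOYMENTS) -> dict:
    """The eight metrics from the CIS list, computed over the given records."""
    return {
        "mean_time_between_incidents_hours": mean_time_between_incidents_hours(incidents),
        "mean_time_to_recover_hours": mean_time_to_recover_hours(incidents),
        "pct_systems_configured_to_standard": percentage(systems, lambda s: s.configured_to_standard),
        "pct_systems_patched_to_policy": percentage(systems, lambda s: s.patched_to_policy),
        "pct_systems_with_antivirus": percentage(systems, lambda s: s.antivirus_installed),
        "pct_apps_risk_assessed": percentage(apps, lambda a: a.risk_assessed),
        "pct_apps_pen_tested": percentage(apps, lambda a: a.pen_tested),
        "pct_code_security_reviewed": percentage(deployments, lambda d: d.security_reviewed),
    }


if __name__ == "__main__":
    for name, value in cis_metrics().items():
        print(f"{name}: {value}")
```

The numbers are only as good as the inventory behind them: a host missing from SYSTEMS never counts against the patch or anti-virus percentages, which is the usual way such metrics drift toward looking better than reality.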

Security and the UAL story debacle

A story on Forbes called Inside The UAL Story Debacle provides some insight into today’s information security disaster. In brief, an “investor information service” reporter used a search engine and uncovered an old story on UAL bankruptcy. The problem was that the story was over six years old, but the reporter filed it online as current news.

Oops:

Minutes after the story was filed, Lehmann, a Forbes columnist, was alerted to a problem when non-subscribers jammed his switchboard with requests for the full text. “We’re not in the business of providing fresh news,” Lehmann says. “And consequently, we knew there was something wrong here.” Lehmann said his employee was not negligent in picking up the Sun-Sentinel story because it had no date on it and appeared current beside new content tracking Hurricane Ike in the Southeastern U.S.

This is a silly line of reasoning. It reminds me of the lawsuit against McDonald’s for hot beverage warning labels. Does a reporter really need warning signs on the page, within the article, or perhaps even blinking in order to figure out what time it is? The Forbes report suggests there were numerous references to 2002, including in the URL, but the reporter clearly missed all of them. Unfortunately, once the bad data was filed it spread like a virus into the markets and caused a meltdown for UAL shares.

This UAL disaster is similar to shouting “fire” in a crowded theater. It is an excellent example of how powerful information technology has become, especially in terms of magnifying human errors — the Internet is always crowded.

A simple solution, such as checking the official UAL site, could have averted the disaster among security-minded and fact-oriented populations. However, the reality is that facts fly out the window when everyone starts running for the door. A more likely focus will instead be on how to criminalize, or at least dissuade, speech that is directed at and likely to incite a technology riot.

In related news, Google has announced it is expanding search to historic newspapers…