Monday, February 04, 2008
Bank robbery con jobs treat incident response as a joke
16 Jan 08 -- We all know a few "guy walks into a bar..." jokes. But in this story, it's "guy walks into a bank," and the joke may be on you -- or on an Incident Response Policy that is, well, laughable.
Open on: A branch of BB&T Bank in Maryland, on an average Wednesday morning. A man wearing what resembles the proper uniform tells the bank he is the substitute courier from their armored car vendor, and walks out with a half million dollars in cash. The simple ruse works so well that we... Cut to: A Wachovia bank branch in Washington, D.C., where the social-engineering bank robbers do it again the next day. In fact, the ruse holds up in each case until the real armored car personnel show up for the daily cash deposit -- which the tellers have already given away.
A Brinks guard discovered the second theft an hour after it happened. He waited until he returned to his office to inform his supervisors. Brinks officials contacted the bank branch, where eventually the branch manager contacted the police -- almost 11 hours after the robbery took place. (Somehow I doubt that "giving criminals generous head starts" is what those Wachovia ads mean when they say, "We're here to help.")
These banks must have an Incident Response Policy (IRP) somewhere. They are required to have one in order to pass audits and satisfy federal regulations. Brinks probably has one, too. For that matter, you and I probably have one at our respective workplaces. But clearly the policy failed when the employees who were first responders had to implement it. What went wrong? We can only speculate, but the likely problems are familiar: the employees were not aware of the policy, or no one had ever rehearsed implementing it. A typical IRP lists who should be notified in an emergency, in the order they should be contacted. Maybe the policies were so out of date that the people listed in them no longer worked for the bank, or had changed their phone numbers, or....
Bottom line: If you want your IRP to be taken more seriously than a "guy walks into a bar" joke, you should review it periodically. Verify that it's still realistic, up to date, and familiar to your employees. "Guy walks into a bar" is funny. But what the guy walks out with might be no laughing matter. -- D. Scott Pinzon, CISSP
Copyright© 2008 WatchGuard® Technologies, Inc. You may copy and distribute this article freely in any medium as long as you copy and distribute the entire article without change and preserve this copyright statement and notice.