I recently read an article about how hackers from the Russian mob methodically staked out a Marshals, hacked into their weakly protected wifi network, and once in wandered into the corporate mothership network and stole at least 45 million credit card numbers. They were helped largely because:
–the wifi network was only lightly encrypted
–user names and passwords were being passed around in plain text over the network
–the credit cards were stored un-encrypted
–file transfers were done in the clear
–there was no dmz between the remote department stores and the corporate network
I remember a couple of years ago when my employer went through a dramatic tighening of security–mandating that all file transfers inside the company be done over SCP instead of FTP, all shell access over SSH instead of telnet, all passwords stored in encrypted files. We all gripped and grumbled because it made life harder. After all, if someone’s in our network we’ve got bigger troubles, right?
This story is a good reminder why it’s worth the effort. You really can’t rely on just one layer of protection when it comes to security.
