Read this story about Jerome Kerviel, and get worried.
According to news reports this guy:
- “used his knowledge of the group’s security systems to conceal his fraudulent positions”
- “had worked for the bank since 2000 and earned a salary and bonus of less than $145,700”
- and perpetrated “a $7.14 billion fraud — one of history’s biggest”
That’s all pretty general – but, uh, when was your last security audit?
Some stuff from Microsoft that’ll help you:
“The Microsoft Security Assessment Tool, known as MSAT, is a free tool in that is localized in 16 languages. It is designed to help small to midsize organizations assess security weaknesses in their current IT environment. MSAT consists of over 200 security questions using a Defense-in-Depth framework reviewing the organization’s infrastructure, application, operations, and personnel. From the assessment, customer’s gain great insight into their security posture through a comprehensive report that consists of Microsoft and industry noted recommendations to help them prioritize their security activities. Partners can leverage this tool to provide additional value added security services for their customers and gain partner points for uploading encrypted customer results. For more information on the Microsoft Security Assessment Tool and the download location go to the Technet Security Tools website.”
Threats and Countermeasures Guide. “The Threats and Countermeasures guide provides you with a reference to all security settings that provide countermeasures for specific threats against current versions of the Windows operating systems. Many of the countermeasures that are described in this guide are not intended for specific computer roles in the companion guides, or in some cases for any roles at all.
The Windows Server 2003 Security Guide, which is available at http://go.microsoft.com/fwlink/?LinkId=14845, “provides specific recommendations about how to harden computers that run Windows Server 2003 SP1 in three distinct enterprise environments—one in which older operating systems such as Windows NT 4.0 and Windows 98 must be supported, one in which Windows 2000 is the earliest version of the Windows operating system in use, and one in which concern about security is so great that significant loss of client functionality and manageability is considered an acceptable tradeoff to achieve maximum security. “
The Windows XP Security Guide, which is available at http://go.microsoft.com/fwlink/?LinkId=14839, provides specific recommendations about how to harden computers that run Windows XP with SP2 in three distinct environments:
Enterprise Client (EC). Client computers in this environment are located in an Active Directory directory service domain and only need to communicate with systems that run Windows 2000 or later versions of the Windows operating system.
Stand-Alone (SA). Client computers in this environment are not members of an Active Directory domain and may need to communicate with systems that run Windows NT 4.0.
Specialized Security – Limited Functionality (SSLF). Concern for security in this environment is so great that a significant loss of functionality and manageability is acceptable. For example, military and intelligence agency computers operate in this type of environment.
Are you still reading? How about these?