<?xml version="1.0" encoding="UTF-8"?><!-- generator="wordpress/2.0.2" -->
<rss version="2.0" 
	xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel>
	<title>Comments on: The wrong kind of empowerment reduces security and puts the organization at risk</title>
	<link>http://securityviews.com/blog/2008/01/27/security-trumps-employee-empowerment/</link>
	<description>Actionable security ideas for managers.</description>
	<pubDate>Fri, 05 Dec 2008 16:16:25 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.0.2</generator>

	<item>
		<title>by: Scott</title>
		<link>http://securityviews.com/blog/2008/01/27/security-trumps-employee-empowerment/#comment-3872</link>
		<pubDate>Wed, 30 Jan 2008 11:37:35 +0000</pubDate>
		<guid>http://securityviews.com/blog/2008/01/27/security-trumps-employee-empowerment/#comment-3872</guid>
					<description>Over at BlogInfoSec.com (click on http://www.bloginfosec.com/2008/01/30/french-trader-jerome-kerviel-spoofed-emails-to-legitimize-fake-transactions/ ), Kevin has provided a Babelfish translation of some of the testimony of the French trader. As most people have realized at some point, it is often possible to change plaintext email messages without detection.

While I have a certain amount of experience with Public Key Infrastructure, I try not to be a PKI Policy-Thumper in proposing digital signatures as a solution to everything. One of the biggest users of PKI technology for protecting the confidentiality and integrity of &quot;large-value transactions&quot; is ...drum roll please... THE FINANCIAL INDUSTRY! The reason for this is that it is rather expensive to set up the infrastructure needed (Certificate Authority, LDAP Directory, Registration Authorities - all governed by documented policies and practices). But when you get into large value financial transactions that NEED INTEGRITY, it makes good business sense to use PKI as a preventative and detection safeguard.

If companies like, say ENTRUST (a PKI vendor with a good product for such purposes), don't make good use of this example to tip a few license sales, they might need some new suits for their Sales Teams. This is their bread and butter.

Of course, same goes for the CIO and/or Chief Security Officer of any financial institution that doesn't use appropriate safeguards to protect such high value financial transactions.</description>
		<content:encoded><![CDATA[<p>Over at BlogInfoSec.com (click on <a href='http://www.bloginfosec.com/2008/01/30/french-trader-jerome-kerviel-spoofed-emails-to-legitimize-fake-transactions/' rel='nofollow'>http://www.bloginfosec.com/2008/01/30/french-trader-jerome-kerviel-spoofed-emails-to-legitimize-fake-transactions/</a> ), Kevin has provided a Babelfish translation of some of the testimony of the French trader. As most people have realized at some point, it is often possible to change plaintext email messages without detection.</p>
<p>While I have a certain amount of experience with Public Key Infrastructure, I try not to be a PKI Policy-Thumper in proposing digital signatures as a solution to everything. One of the biggest users of PKI technology for protecting the confidentiality and integrity of &#8220;large-value transactions&#8221; is &#8230;drum roll please&#8230; THE FINANCIAL INDUSTRY! The reason for this is that it is rather expensive to set up the infrastructure needed (Certificate Authority, LDAP Directory, Registration Authorities - all governed by documented policies and practices). But when you get into large value financial transactions that NEED INTEGRITY, it makes good business sense to use PKI as a preventative and detection safeguard.</p>
<p>If companies like, say ENTRUST (a PKI vendor with a good product for such purposes), don&#8217;t make good use of this example to tip a few license sales, they might need some new suits for their Sales Teams. This is their bread and butter.</p>
<p>Of course, same goes for the CIO and/or Chief Security Officer of any financial institution that doesn&#8217;t use appropriate safeguards to protect such high value financial transactions.
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: Sue Massey</title>
		<link>http://securityviews.com/blog/2008/01/27/security-trumps-employee-empowerment/#comment-3799</link>
		<pubDate>Mon, 28 Jan 2008 01:52:46 +0000</pubDate>
		<guid>http://securityviews.com/blog/2008/01/27/security-trumps-employee-empowerment/#comment-3799</guid>
					<description>I found your site on google blog search and read a few of your other posts.  Keep up the good work.  Just added your RSS feed to my feed reader.  Look forward to reading more from you.

- Sue.</description>
		<content:encoded><![CDATA[<p>I found your site on google blog search and read a few of your other posts.  Keep up the good work.  Just added your RSS feed to my feed reader.  Look forward to reading more from you.</p>
<p>- Sue.
</p>
]]></content:encoded>
				</item>
</channel>
</rss>
