countrywide learns that it just takes one

I mostly missed this whole Countrywide data theft scandal, but I’m catching up! As Rothman pointed out:

…Rebollo told special agents that he knew most computers in the office had a security feature that disabled the use of a thumb drive. However, he discovered that one computer didn’t have this feature.

There are two possibilities here, the latter of which I might think is the real reason.

1. The system simply got skipped/missed. Repeatedly. Over the course of two years. I’d have to call bullshit on this one unless their IT is inept or dangerously overworked.

2. Someone, somewhere complained about the inability to use thumb drives to move data, most likely involving a client or VP/exec. So IT set up a special system that was exempt from the security measures but still allowed on the network, because the business wanted that convenience.

I really like what Rothman said in his post:

And there you have it. The weakest link is always the one that gets nailed. Moreover, the policy isn’t worth the paper it’s written on, if it’s not enforced. Seriously. Countrywide gets an A for preventative controls. But they get an F for implementation. As my friend told me when I was trying to sell my house, “it only takes one.” I guess Countrywide gets that now too.

And that is why we will continue to need people to watch logs and alerts and make sure every device is accounted for. Getting “most” of them is simply not a sustainable security approach.
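The point about accounting for every device, as an added example (not from the original post or from Rothman): a reconciliation of a host inventory against endpoint reports for the USB-storage block, covering both possibilities above, the missed machine and the exempted one. Hostnames, dates, the report layout and the seven-day staleness threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: hostnames, dates and field layout are illustrative.
NOW = datetime(2024, 3, 8)
INVENTORY = {"ws-001", "ws-002", "ws-003", "ws-004", "ws-005"}  # hosts on the network
REPORTS = {  # latest agent report per host: (USB storage blocked?, report time)
    "ws-001": (True, datetime(2024, 3, 7)),
    "ws-002": (True, datetime(2024, 3, 6)),
    "ws-003": (False, datetime(2024, 3, 7)),    # control off, see EXEMPTIONS
    "ws-004": (True, datetime(2023, 11, 20)),   # agent silent for months
}                                               # ws-005 has never reported
EXEMPTIONS = {"ws-003": "exec request"}         # documented exceptions


def usb_control_gaps(inventory, reports, exemptions, now, max_age=timedelta(days=7)):
    """Return {host: reason} for every host not provably covered by the USB block."""
    gaps = {}
    for host in sorted(inventory):
        if host not in reports:
            # The "skipped/missed" case: nobody knows what state this machine is in.
            gaps[host] = "no report: control state unknown"
            continue
        blocked, seen = reports[host]
        if now - seen > max_age:
            gaps[host] = f"stale report: last seen {seen.date()}"
        elif not blocked:
            # An approved exemption is still a gap; it just has an owner.
            why = exemptions.get(host)
            gaps[host] = (f"exempt ({why}): needs compensating monitoring"
                          if why else "control disabled without exemption")
    # A host that reports in but is absent from inventory is an accounting gap too.
    for host in sorted(set(reports) - set(inventory)):
        gaps[host] = "reports in but missing from inventory"
    return gaps


def coverage(inventory, gaps):
    """Fraction of inventoried hosts with a fresh report showing the block enabled."""
    return len(inventory - set(gaps)) / len(inventory)


if __name__ == "__main__":
    found = usb_control_gaps(INVENTORY, REPORTS, EXEMPTIONS, NOW)
    for host, reason in found.items():
        print(f"{host}: {reason}")
    print(f"coverage: {coverage(INVENTORY, found):.0%}")
```

The exempted host is reported alongside the missing and stale ones on purpose: a documented exception removes the control, not the exposure.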

Oh, and if you want to know the best ways to get around security controls in a business, interview the average employees. They find the ways, unbeknownst to non-monitoring IT/security teams.