Re: Phishing: An Interesting Twist on a Common Scam
Daniel Golding – Jun 01, 2005 11:03 AM PST
What the author described is an illegal intercept (basically, a wiretap), rather than phishing, which occurs out of band to the enterprise. It's a bad idea to try to conflate these terms.
Security engineers and "experts" think they understand networking. In reality, most security experts understand host security quite well. They falter when they must deal with true network security issues, such as securing network infrastructure. They usually just ignore routers and switches - a big mistake.
Use of the Secure IOS template at cymru.com will solve many of the common enterprise router security issues.
Re: Phishing: An Interesting Twist on a Common Scam
Darren W. Miller – Jun 01, 2005 1:29 PM PST
Daniel,
You are right on the mark with your assessment. Although this is not phishing in the "traditional" method, it is a means to an end. It was not my intention to conflate the terms, only to show there are other methods of achieving the same objective (in this case, phishing).
You are also correct in your assessment of the majority of security engineers. Many of the most basic, non-host based issues are overlooked. This is why I tend to become engaged as a second or third opinion. I have an extensive background in networking and many OS platforms. Most of the security flaws / configuration issues I find are initially overlooked because of lack of experience with a broad range of technology and the inability to look at networks and networked systems with a broad scope.
Re: Phishing: An Interesting Twist on a Common Scam
David MacQuigg – Jun 08, 2005 10:07 AM PST
The real question here is - are these network vulnerabilities a greater threat than someone posing as a telephone company employee and installing a wiretap? Could the bank avoid the problem by using an ISP that is more conscientious about the security of their routers and DNS servers, or do these problems affect all ISPs?
Re: Phishing: An Interesting Twist on a Common Scam
Simon Waters – Feb 18, 2006 5:22 PM PST
David,
It is certainly the case that some ISPs are better than others in network security areas; it would be surprising if it was otherwise.
I did a DNS review for a large merchant bank, and as part of that I reviewed (without intrusive scanning) the security of the DNS servers providing domain services for a selection of about 30 domains owned by the bank in a diverse set of countries (and the security of the parent domains, right back to the root DNS servers).
There were huge differences: providers failing to provide suitable redundancy, providers running servers with known vulnerabilities, domains with inappropriate dependencies on a wide range of servers, versus providers who provided both suitable redundancy and up-to-date software.
In this instance the review was tightly focused on the domain name service, because that is what the client was interested in improving, but I'm confident similar surveys in other areas would produce similar results.
The company that hired me to do the analysis was one such supplier, and one of those who "did it right", but I guess that is why they were chosen to manage the review process.
However, attempts to "sell" this knowledge to banks (and others) for my own business benefit were less successful, but that may be that I'm a techy, and not a salesman.
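Two of the checks named in the post above, nameserver redundancy and the chain of servers a domain depends on, sketched as an added example that is not part of the original post or the reviewer's tooling. All zone names, hostnames and addresses are constructed, and parent zones up to the root are left out to keep the sketch short.

```python
from ipaddress import ip_network

# Constructed sample data: zone -> nameserver hostnames (not from the thread).
DELEGATIONS = {
    "bank.example": ["ns1.bank.example", "ns2.hoster.test"],
    "hoster.test": ["ns1.hoster.test", "ns2.hoster.test", "ns.transit.invalid"],
    "transit.invalid": ["ns.transit.invalid"],
    "branch.example": ["a.ns.branch.example", "b.ns.branch.example"],
}
# Constructed: nameserver hostname -> IPv4 address (documentation ranges).
ADDRESSES = {
    "ns1.bank.example": "192.0.2.10", "ns2.hoster.test": "198.51.100.20",
    "ns1.hoster.test": "198.51.100.21", "ns.transit.invalid": "203.0.113.5",
    "a.ns.branch.example": "192.0.2.53", "b.ns.branch.example": "192.0.2.54",
}

def zone_of(host):
    """Return the most specific known zone containing host, or None."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in DELEGATIONS:
            return candidate
    return None

def dependencies(zone):
    """Zones and servers that resolving `zone` relies on, transitively."""
    zones, servers, queue = {zone}, set(), [zone]
    while queue:
        for ns in DELEGATIONS.get(queue.pop(), []):
            servers.add(ns)
            home = zone_of(ns)  # the zone that must resolve to find this server
            if home and home not in zones:
                zones.add(home)
                queue.append(home)
    return zones, servers

def redundancy_findings(zone):
    """Flag a lone nameserver, or several that all sit in one /24."""
    servers = DELEGATIONS.get(zone, [])
    if len(servers) < 2:
        return ["single nameserver"]
    nets = {ip_network(ADDRESSES[ns] + "/24", strict=False)
            for ns in servers if ns in ADDRESSES}
    return ["all nameservers in one /24"] if len(nets) == 1 else []

if __name__ == "__main__":
    for z in sorted(DELEGATIONS):
        zones, servers = dependencies(z)
        print(z, len(zones), "zones,", len(servers), "servers", redundancy_findings(z))
```
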