
Businesses spend a lot of time and money creating
information security systems, but they often overlook physical
security measures. The ease with which a security consultant managed to trick his way into an FTSE
financial firm and help himself to
confidential data is a warning to businesses.
Colin Greenlees was asked by a director of the financial company
to check out its office security. He had no inside help and used no
specialist equipment. But by using social engineering techniques,
he was able to trick his way into the office and access
confidential data.
According to Gartner, businesses will spend $44.6bn globally on
security software, services and equipment to protect data within
the IT infrastructure. But Greenlees, a consultant with Siemens
Enterprise Communications, says, "High-tech protection systems are
completely ineffectual against social engineering attacks."
Greenlees' social engineering attack
- He spent his first morning watching people entering and leaving
the premises of his target company to get an idea of security in
reception.
- After lunch on that first day he gained access by tailgating
people as they swiped their access cards. He pretended to be on the
phone and signalled to people that he wanted the third floor.
- Greenlees entered a glass-walled meeting room, calmly hung up
his jacket and started to work on his laptop. Within 20 minutes he
had seen a confidential document left on a desk. It concerned the
merger of two well-known companies worth £434m.
- He accessed different floors, rooms, store rooms and filing
cabinets, and found more confidential information on desks. He used
tricks such as carrying two cups of coffee so that people would
open security doors for him.
- Greenlees gained access to the data room by pretending to
conduct a security audit. He was given information about the
company's network and was able to plug his laptop in as a result.
This gave him access to confidential customer, employee and company
data.
- He got hold of an internal phone directory and, using an
internal phone, pretended to be an IT support worker. He managed to
get usernames and passwords from 17 of the 20 people he asked.
- Greenlees first befriended security staff, which helped him to
smuggle another, more technical, consultant in to help him analyse
IT systems.
Richard Swann, head of IT at the Institute of Directors, says it
is important for companies to educate staff about the risks of
social engineering attacks.
"It is relatively easy for someone who knows what they are doing
to gain access to an office. All spending on IT security will be
wasted if someone can just walk out with a laptop containing
confidential information," he says. "People have to be educated.
This includes being told not to be afraid of asking people who they
are."
One IT head at an NHS trust, who asked to remain anonymous, says
it is not just office buildings that offer an opportunity for
criminals to infiltrate IT systems.
"We had penetration testers working remotely by calling our IT helpdesk
and tricking them into giving them information," he says. They
discovered that anyone could have people's passwords reset over the
phone to a password they knew by providing the helpdesk with the
person's first initial and surname. "We were not doing secondary
validation, but we do now."
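The helpdesk weakness described above, as an added example that is not from the article or the trust concerned: a reset flow that accepts a first initial and surname and sets a caller-chosen password, beside a hardened flow that performs secondary validation by sending a one-time code to the mobile number already held on file, allows a single attempt with a short lifetime, and issues a random temporary password rather than one the caller picks. The staff directory, the Helpdesk class and the SMS stand-in are constructed for illustration.

```python
"""Helpdesk password reset: the weak flow beside a hardened one.

Added example, not part of the original article. The staff directory,
the Helpdesk class and the SMS stand-in are constructed for illustration.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed directory. A first initial and surname also appear in the
# internal phone list, so they are public within the building, not secrets.
DIRECTORY = {
    "jsmith": {"first": "John", "surname": "Smith", "mobile": "+44 7700 900123"},
    "asmith": {"first": "Anna", "surname": "Smith", "mobile": "+44 7700 900456"},
}


@dataclass
class Helpdesk:
    """Stand-in for helpdesk tooling; records what each flow would have done."""
    resets: list = field(default_factory=list)      # (username, new password)
    outbox: list = field(default_factory=list)      # (mobile on file, code sent)
    pending: dict = field(default_factory=dict)     # username -> (code, expiry)
    code_ttl: float = 300.0                          # seconds a code stays valid

    # Weak flow: the one the NHS IT head describes. Anyone who knows a first
    # initial and surname gets the password set to a value of their choosing.
    def reset_weak(self, initial: str, surname: str, new_password: str) -> Optional[str]:
        for user, rec in DIRECTORY.items():
            if (rec["first"][0].lower() == initial.lower()
                    and rec["surname"].lower() == surname.lower()):
                self.resets.append((user, new_password))
                return user
        return None

    # Hardened flow, step 1: secondary validation over a channel the
    # organisation already holds. The code goes to the mobile number in the
    # directory, never to a number the caller reads out over the phone.
    def begin_reset(self, username: str) -> bool:
        rec = DIRECTORY.get(username)
        if rec is None:
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = (code, time.monotonic() + self.code_ttl)
        self.outbox.append((rec["mobile"], code))   # stand-in for an SMS gateway
        return True

    # Hardened flow, step 2: the caller reads the code back. One attempt per
    # code, a short lifetime, a constant-time compare, and the temporary
    # password is generated by the helpdesk, not chosen by the caller.
    def complete_reset(self, username: str, code_read_back: str) -> Optional[str]:
        entry = self.pending.pop(username, None)    # consumed whether or not it matches
        if entry is None:
            return None
        code, expiry = entry
        if time.monotonic() >= expiry:
            return None
        if not hmac.compare_digest(code, code_read_back):
            return None
        temp_password = secrets.token_urlsafe(12)
        self.resets.append((username, temp_password))
        return temp_password


if __name__ == "__main__":
    hd = Helpdesk()
    print("weak flow reset account:", hd.reset_weak("j", "Smith", "Letmein1"))
    hd.begin_reset("jsmith")
    mobile, code = hd.outbox[-1]          # what the real employee's phone received
    print("hardened flow temporary password:", hd.complete_reset("jsmith", code))
```

The point of the hardened flow is that the caller has to possess something the attacker in the story did not: the employee's phone. A failed read-back discards the code, so a caller cannot guess at it repeatedly, and because the temporary password is generated rather than supplied, a successful social engineer still does not get to pick a value he already knows.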
Insider threats are often a serious risk to any business, but
when an outsider gains the same privileges as an insider, the
potential damage is much greater.