Businesses spend a lot of time and money creating information security systems, but they often overlook physical security measures. The ease with which a security consultant managed to trick his way into a FTSE financial firm and help himself to confidential data is a warning to businesses.
Colin Greenlees was asked by a director of the financial company to check out its office security. He had no inside help and used no specialist equipment. But by using social engineering techniques, he was able to trick his way in to the office and access confidential data.
According to Gartner, businesses will spend $44.6bn globally on security software, services and equipment to protect data within the IT infrastructure. But Greenlees, a consultant with Siemens Enterprise Communications, says, "High-tech protection systems are completely ineffectual against social engineering attacks."
Greenlees' social engineering attack
- He spent his first morning watching people entering and leaving the premises of his target company to get an idea of security in reception.
- After lunch on that first day he gained access by tailgating people as they swiped their access cards. He pretended to be on the phone and signalled to people that he wanted the third floor.
- Greenlees entered a glass-walled meeting room, calmly hung up his jacket and started to work on his laptop. Within 20 minutes he had seen a confidential document left on a desk. It concerned the merger of two well-known companies worth £434m.
- He accessed different floors, rooms, store rooms and filing cabinets, and found more confidential information on desks. He used tricks such as carrying two cups of coffee so that people would open security doors for him.
- Greenless gained access to the data room by pretending to conduct a security audit. He was given information about the company's network and was able to plug his laptop in as a result. This gave him access to confidential customer, employee and company data.
- He got hold of an internal phone directory and, using an internal phone, pretended to be an IT support worker. He managed to get usernames and passwords from 17 of the 20 people he asked.
- Greenless befriended first security staff, which helped him to smuggle another, more technical, consultant in to help him analyse IT systems.
Richard Swann, head of IT at the Institute of Directors, says it is important for companies to educate staff about the risks of social engineering attacks.
"It is relatively easy for someone who knows what they are doing to gain access to an office. All spending on IT security will be wasted if someone can just walk out with a laptop containing confidential information," he says. "People have to be educated. This includes being told not to be afraid of asking people who they are."
One IT head at an NHS trust, who asked to remain anonymous, says it is not just office buildings that offer an opportunity for criminals to infiltrate IT systems.
"We had penetration testers working remotely by calling our IT helpdesk and tricking them into giving them information," he says. They discovered that anyone could have people's passwords reset over the phone to a password they knew by providing the helpdesk with the person's first initial and surname. "We were not doing secondary validation, but we do now."
Insider threats are often a serious risk to any business, but when an outsider gains the same privileges as an insider, the potential damage is much greater.