A man recently walked off the street and into a FTSE financial services firm where he set up shop and gained access to his first highly sensitive document within 20 minutes.
Colin Greenlees, a security consultant at Siemens Enterprise Communications, was asked by a director of the financial company to check out its office security. He had no inside help and used no specialist equipment; he simply relied on social engineering techniques.
He spent a week in the building undetected, during which the following took place:
- Greenlees spent the first morning watching people entering and leaving the premises to get an idea of security in reception.
- After lunch on that first day he decided to gain access by tailgating people as they swiped their access cards. He pretended to be on the phone and signalled to people that he wanted the third floor.
- He entered a glass meeting room, calmly hung up his jacket and started to work on his laptop.
- Within 20 minutes he had seen a confidential document, which had been left on a desk. It concerned the merger of two household names worth £434m.
- He accessed different floors, rooms, store rooms and filing cabinets, and found information on desks. He used tricks such as holding two cups of coffee so people would open normally secure doors for him.
- He gained access to the data room by pretending to carry out a security audit. He was given information about the company's network and was able to plug his laptop in as a result. This gave him access to confidential customer, employee and company data.
- Greenlees got hold of an internal phone directory and, using an internal phone, he pretended to be an IT support worker. He managed to get usernames and passwords from 17 of the 20 people he asked.
- He even smuggled another, more technical, consultant in to help him analyse IT systems.
- Greenlees was soon on first name terms with security staff.
- Greenlees does this sort of thing all the time as part of his job, but he warned that there are also specialist criminals making a career out of it.
Businesses are exposing confidential information about their customers, staff and their own financial situation to anybody willing to use social engineering tricks to gain access to their offices.
"Social engineering is a form of the old-fashioned confidence trick, in that it is principally concerned with manipulating people into performing actions or divulging confidential information that they would not normally reveal," said Greenlees.
"High-tech protection systems are completely ineffectual against such attacks. Most employees are unaware that they have been manipulated," he added.
"Social engineering that tricks genuine employees into providing access to confidential data is a fast-growing issue. It is important that senior executives understand how easy this is, but also how they can effectively counter the threat by practicing what they preach," said Greenlees.
Greenlees recommends that businesses do the following:
- Strengthen physical perimeter security to reduce the risk from unauthorised physical access due to poor access control procedures and visitor management.
- Introduce policies so all requests from people within the building are backed up with identity verification.
- Increase training and awareness to inform users about the common techniques and strategies used by social engineers.
- Identify critical information assets and their associated handling instructions.
- Educate staff on the importance of locking away documents that are not in use to prevent data breaches.