Wednesday, May 13, 2009
Social Engineering Provides High-level Access
While this happened in the UK, the question we need to ask ourselves is, "could this happen in my bank?"
A security consultant at Siemens Enterprise Communications, Colin Greenless, used his social skills not only to enter a financial services firm that is listed on the Financial Times and Stock Exchange, but also to set up an office there. Being traded on an exchange, you know this wasn't a small company.
A man walking into a bank may be questioned. But a man carrying a clipboard may be able to just walk on through; he obviously has a purpose for being there. Greenless used his social skills to establish a temporary office in a meeting room on the third floor for several days. From there he had access to many more areas and floors of the building: store rooms, filing cabinets, confidential data left on desks, and the company's data room, IT and telecoms network.
Greenless posed as an IT staffer. He noted that of the 20 employees he called, 17 gave him their usernames and passwords, which provided access to the closed network. How do you get through a locked door? You follow another employee while carrying a coffee cup in each hand; your "fellow employees" hold the door open for you. By the time he was done, Greenless was on a first-name basis with one of the guards. At one point he even brought in another consultant, who was able to do further analysis on the company's network.
You have to ask: what access does a person get to your facilities, and how? What verification procedures are in place to ensure that a person really belongs there? This should be a wake-up call to some and a training scenario for others.