Colin Greenlees, a consultant at Siemens Enterprise Communications, a joint venture (JV) between the private equity firm The Gores Group and Siemens AG, tests firms’ resilience to social engineering attacks. He gained access to a FTSE-listed financial institution and, within 20 minutes of entering the building, found a highly sensitive document outlining a merger lying on a desk – the door having been held open for him by what turned out to be the managing director.
It appears old-fashioned conman activity can get hackers just as far, if perhaps not even further than trying to hack an institution’s computer security systems from the outside.
“It is all about confidence. I walked into the building [of the FTSE-listed firm] having an imaginary conversation on my mobile and the swipe-card operated lift was held open for me by what turned out to be the managing director”, Greenlees, who was acting at the request of the company’s IT director, told the BBC. “I remained there for five days working from a third floor meeting room.”
He even managed to bring a Siemens colleague with him into the building and they gained access to the internal network using usernames and passwords obtained over the five days.
The study 2008 Annual Study: Cost of a Data Breach, from the information security research organisation Ponemon Institute and sponsored by the encryption provider PGP Corporation, put the total average cost of a data breach at £60 per record in 2008. Lost business alone amounted to an average of £32 per record.
Easy access
Ken Munro at IT security specialist NCC Group told Infosecurity that using social engineering to enter a company is “very, very easy”.
NCC Group often uses social engineering as part of penetration tests, and Munro has found that “it is very, very easy to social engineer a company building. Our success rate is well over 95%. The biggest problem is that few people are naturally suspicious, and we all have an inbuilt desire to help.”
Holding security doors open for others, especially if that person is carrying boxes, cups of coffee, etc., is often well-meant, but it renders the controls companies put in place to keep intruders out useless.
A few simple steps
Munro gave some pointers as to how companies and employees can avoid unwittingly giving unauthorised people access to premises and/or sensitive information:
- “Never, ever allow unescorted visitors, even if they have appointments and seem genuine;
- “Verify their credentials – find the phone number of the company they work for (don’t ask the visitor for it!), and verify they are who they say they are, particularly if their reason for being there seems out of the ordinary;
- “Discourage tailgating – ID passes should be worn at all times, by all staff. Some of my clients run incentives for staff to challenge those not wearing ID badges; a stooge is sent round the office once per month, and anyone that challenges them receives a cash reward and mention in despatches. A cheap, simple way to get staff thinking about strangers in the office;
- “If you have swipe card access to security doors, consider having swipes both in and OUT of the doors – it makes the social engineer’s life that much harder. Also, consider securing doors to more sensitive areas in the office, such as server rooms, exec offices and IT areas”.
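Munro’s suggestion of swiping both in and out only pays off if someone looks at the resulting records. The following is an added example, not code from the article or from NCC Group, showing a simple anti-passback check over a constructed in/out swipe log: a badge that swipes OUT without a matching IN most likely tailgated in behind someone, and a badge that swipes IN twice without leaving either tailgated out or is being shared. The log format (`HH:MM,badge,IN|OUT`) and badge IDs are assumptions.

```python
# Added example: anti-passback check over in/out swipe records.
# Log line format "HH:MM,badge,direction" and the badge IDs are assumptions.
from dataclasses import dataclass


@dataclass
class Swipe:
    ts: int         # seconds since midnight
    badge: str
    direction: str  # "IN" or "OUT"


def parse_line(line: str) -> Swipe:
    """Parse one constructed log line such as '09:00,B100,IN'."""
    hhmm, badge, direction = line.strip().split(",")
    hours, minutes = hhmm.split(":")
    return Swipe(int(hours) * 3600 + int(minutes) * 60, badge, direction.upper())


def find_anomalies(swipes):
    """Return (ts, badge, reason) tuples for swipes that break anti-passback.

    - OUT while the badge is not inside: the holder entered without swiping,
      i.e. probably tailgated in behind a colleague.
    - IN while the badge is already inside: the holder left without swiping,
      or the badge is being shared or cloned.
    """
    inside = set()
    anomalies = []
    for s in sorted(swipes, key=lambda s: s.ts):
        if s.direction == "IN":
            if s.badge in inside:
                anomalies.append((s.ts, s.badge, "IN while already inside"))
            inside.add(s.badge)
        elif s.direction == "OUT":
            if s.badge not in inside:
                anomalies.append((s.ts, s.badge, "OUT without prior IN (possible tailgate)"))
            inside.discard(s.badge)
        else:
            anomalies.append((s.ts, s.badge, f"unknown direction {s.direction!r}"))
    return anomalies


# Constructed sample log: B300 never swiped in, B200 re-enters without leaving.
SAMPLE_LOG = """09:00,B100,IN
09:01,B200,IN
11:00,B100,OUT
11:01,B300,OUT
12:00,B200,IN"""

if __name__ == "__main__":
    for ts, badge, reason in find_anomalies(map(parse_line, SAMPLE_LOG.splitlines())):
        print(f"{ts // 3600:02d}:{ts % 3600 // 60:02d} {badge}: {reason}")
```

Two anomalies come out of the sample: B300 at 11:01 and B200 at 12:00; in practice such events are worth a same-day call to the badge holder rather than an end-of-month report.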
With more companies offering remote working, it becomes harder to recognise an unfamiliar face, but Munro said this is not really a problem if companies enforce a badge policy:
“Remote working does make life harder to identify rogues in the office. However, a similar problem has always existed for large companies with many employees. There’s no way everyone can know everybody. It comes back to good badge discipline; if they aren’t wearing a badge, challenge them. If they aren’t accompanied, challenge harder, ring security, and don’t listen to their excuses and reasons for being there, even if they quote the CEO’s name. We should know, we do it all the time!”