Meet the man who’s hiding in your office, reading your files
Businesses spend billions of pounds on sophisticated intrusion detection and prevention technologies every year to protect their information. And yet according to Colin Greenlees, all it takes to gain access to the invaluable data located around their headquarters, or stored in their data centre, is two cups of coffee. Or maybe a cigarette.
And Greenlees should know; he’s done it. Part of his job as a security consultant for Siemens Enterprise Communications involves auditing clients' existing security precautions, or to put it another way, seeing what he can get away with.
In the case of one client, a high profile financial services firm, Greenlees was able to con his way into the building and set up a makeshift office in a third floor conference room. He worked there for several days acquiring all manner of sensitive information. All this happened without confrontation; indeed Greenlees managed to befriend many of the company’s employees, and even secure access for another colleague.
The so-called ‘social engineering’ techniques that Greenlees uses to gain entry to corporate offices – and that he says are often used by more malicious intruders – can be beguilingly simple. Approach a security door carrying two cups of coffee and many people will hold it open for you; join the smokers at the back of the office holding a piece of paper and wearing no jacket, and they’ll probably let you come in with them.
Once he is through the door, the pickings are easy. “Getting through the door is the hard part,” he explains. In the case of the finance firm, he adds, the most staggering thing was the sheer amount of information he could get his hands on.
Greenlees argues that employees need to be more mindful of strangers walking around the office. This doesn’t mean any unfamiliar face must immediately be accosted. “If there is somebody you don’t recognise, ask ‘Can I help you?’,” he says. “There are plenty of ways to identify an intruder without confrontation.”
Other tips include installing turnstiles at the entrance to a building, as they are harder to sneak through without a pass.
It is hard to gauge how much of a threat light-fingered ‘social engineers’ really represent. As Greenlees himself acknowledges, “it’s very hard to report against; the best social engineers get away undetected.”
But while social engineering has always been a problem, Greenlees argues, the current recession will only increase the number of people who are willing to take a punt at walking into an office and walking out with potentially lucrative information.





As has been often said, employees remain and always will be the weakest link for network administrators. Without proper training and education, they are often too eager to help a ‘colleague’ in need thinking they are doing the right thing. As a result, social engineers have exploited this opportunity and refined tactics to identify the easy targets and manipulate situations to gain the access they require.
But the solution isn’t as easy and singular as ramping up security on the office entrance. For starters, social engineering can easily occur via email and so email filters are essential, which will stop phishing attempts. But from an education standpoint, employees must be provided with clear instructions that passwords and usernames cannot be divulged to third parties and that the IT manager must be consulted in any such situation – even if the person concerned claims to be from IT support or even the board of directors!
Lastly, there is an onus on the network administrators to implement the principle of least privilege, thereby restricting access so that only the functions and permissions necessary to perform the job role are given to each employee. This will mean that even if unauthorised access is gained, the intruder will not have limitless ability to roam the network and the effects of penetration are curtailed.
David Vella
Director of Product Management
GFI Software
www.gfi.com