This week’s post is courtesy of Simon Dawson, Foresite Security Analyst
Not all attacks on your network come from the cyber world. Some come physically, and if employees aren't vigilant or well trained, they could unknowingly allow a breach. I have worked within the IT sector for almost 4 years and started my career on a help desk. My job often involved going to client sites, be it for a general check-up on the equipment, an outage, or because a support ticket could not be resolved remotely. In that time, I have been stopped from entering a server room only once.
Let me tell you a story which, when I look back on it, is rather worrisome. When I first started my help desk job, my role was to answer the phone, solve the simple issues and escalate the not-so-simple ones. Due to an issue with the uniform shipment, I didn't have an official top to wear, but as I was just on the help desk this didn't matter too much… until I was sent to a client site. I was given some business cards so that if I was challenged I could show where I was from, and all should be good.
I arrived on-site in plain clothing, without a name badge or formal identification, and walked up to reception saying I was from company X and was here to deal with a problem they were experiencing on their server. The receptionist (to my joy at the time) welcomed me, walked me to the server room and unlocked the door. I thanked her, let her know that I would be a little while, and asked if it was okay for me to let her know when I was done. She was happy to leave me be for the next hour. No one came to see how I was getting on or questioned my being there. Not once was I asked for ID, and no one called my office to confirm that I was meant to be there. For the next hour I was free to do whatever I wanted on the server.
I was only challenged once in my three years in this role, when a call was made back to my office to confirm that I was meant to be there.
If I had malicious intent, an hour alone in a server room would give me more than enough time to steal data or passwords, or to start exploiting the network. This company had also never seen me before, so what would stop them from letting me in again? A hacker would have had a field day in my shoes. Perhaps I have an honest face, but that is really not enough in today's world.
That was just the worst case. When I was in my company-branded polo shirt visiting clients for the first time, they would welcome me in and unlock doors, sometimes even handing the key over and trusting me to return it, to someone they had known for only minutes. But are a polo shirt and a printed business card really enough for you to hand over the keys to the kingdom?
A perfectly configured firewall, antivirus and strict computer-usage policies are not enough if someone can physically get onto the network. Let's face it, most businesses nowadays have some sort of external party working with them, whether in serviced offices or in anything to do with running the company.
This is just one type of social engineering attack. Yes, the attacker would have to be confident to attempt it, but I have seen many occasions where, had I been the attacker, I would have succeeded. How would you stack up against our security assessment?
Security is everyone's responsibility.