
Security shambles at top City firm

May 8, 2009

Have you ever walked round your office and not recognised half the people there? Ever thought 'I've worked here for 15 years but I've never seen that bloke in accounts before'?

Well, you might not be going mad; there could be something more sinister afoot.

The professional services arm of Siemens Enterprise Communications recently ran a 'social engineering' exercise at a top City firm.

Social engineering tactics can give criminals access to sensitive data through a mixture of confidence tricks and basic employee deception. Techniques as simple as carrying two cups of coffee and waiting for people to hold office doors open can result in high-level access to organisations.

Here's the hustle: A Siemens security consultant targeted the client company for a week to see what level of access to information he could achieve using said tactics. Without the aid of any special equipment, the man was able to:
  • Enter the company's office without being challenged by security staff
  • Base himself in a third floor meeting room, where he worked for several days
  • Freely access different floors, store rooms (containing large amounts of confidential information), filing cabinets and confidential data left on desks
  • Access the company's data room, IT, and telecoms network
  • Use the internal telephone system to call employees, claiming to be from the IT dept (backed up by the caller ID), and request information. Of 20 users targeted, 17 supplied their usernames and passwords, giving him easy access to confidential electronic data
  • Establish that CCTV domes fitted on the ceilings were non-operational.

During the week of the FTSE exercise, the Siemens consultant befriended a number of employees at the target company and - hilariously - was even on first-name terms with the foyer security guard. On two separate occasions, he was even able to escort a second Siemens consultant into the building, who was then able to perform further analysis of the company's IT network.

No word from the 'target' company, but Guru guesses that the security guard is currently being "retrained".

So if you do see an unfamiliar face around your office, the safest option is to whack them over the head with a hole punch, lock them in the store cupboard and call the police.
Posted for your edification by Guru on May 8, 2009 2:32 PM
