CBS recently interviewed a security expert at IBM, and she promised them a surprise when she joined them for an interview. When she arrived, she handed each of them a piece of paper with their account passwords written on it.
Stephanie Carruthers is not a developer, and she didn’t find their passwords online, either. She’s a social engineering expert. She’s very good at seeming friendly and innocuous. She’s the type of person your employees might be tempted to hold the door for even though they don’t know who she is. And her hands are often full, because that’s part of her social engineering attack.
Once she’s inside, she might pretend to be a vendor or IT expert. She’ll scan desks for post-it notes full of information that she can use to trick the next employee she sees into thinking she is a new hire in need of help.
Companies pay a lot of money for her to do this work. The reason her work is valuable is that these physical security breakdowns are the source of many network attacks, and companies need help discovering their process flaws. Large companies are getting better and better at closing these cracks to keep their networks (and finances) protected.
As larger companies patch these holes, criminals are moving downstream to mid-size businesses. After all, even a mid-size business can have millions of dollars in the bank.
Physical security goes far beyond a door access system and an alarm system. Every employee who could provide physical access or sensitive information to someone they don’t know is a layer of your physical security. Every post-it note and every unlocked computer is a potential hole waiting to be exploited. Your security policies, and the people who put those policies into action each day, have a major impact on your network security.
As companies spend more to close security holes on their PC networks, social engineers will look to exploit other targets. Ask these questions to determine if you might be vulnerable to social engineering attacks:
- Do your employees know every employee that works in your building?
- Do they know policies on letting vendors in the building?
- Would your most friendly employee hold the door for someone they didn’t know if their hands were full and they didn’t look suspicious?
- Do your employees lock their computers whenever they get up, to prevent snooping eyes?
- Is any sensitive information posted on signs or post-it notes around the office?
- Are sensitive parts of the building kept under watch or lock at all times?
If any of these questions make you uncomfortable, it might be time to revisit your physical security plan. Stephanie is employed by IBM, doesn’t commit any crimes, and never uses the information she collects to harm companies. Unfortunately, most social engineers aren’t like her.
To learn how WingSwept can help you keep your network secure, call us at 919-779-0954 or email us at Team_WingSwept@WingSwept.com.