![]() "The whole thing can cost $7," he says, which goes to show how useless physical credentials like business cards are today. Wood says he creates convincing costumes by purchasing a fluorescent jacket and work boots and downloading iron-on logos from the Internet. Posing as a visitor Another way of infiltrating a corporation is by posing as a legitimate visitor, such as a telephone or electrical maintenance person, a burglar-alarm inspector, or someone from the fire department checking smoke detectors. "It would make so much more difficult that it would be a major accomplishment," says Wood. Even by applying encryption and password controls to just the accounts of IT administrators and senior staff members, companies could solve 70 percent of the problem, he says. Often, the password is the same as the account name."įinally, classify information in terms of how valuable it is and store it accordingly, says Wood. "We see trivial, stupid passwords in every firm we visit. "Most networks are poorly protected," Wood says. You need to have standards for what is and isn't appropriate and then reinforce that with a mind-set of challenging people who don't adhere to those parameters."Ī second line of defense is to use protective tools such as screensavers with password controls, and to encrypt data and require strong passwords for employees with liberal access rights, such as IT administrators and C-level executives. "Most people seem to assume if you're in the building, you must be OK, and that's a presumption that criminals rely on. "Most organizations don't even remotely invest in staff awareness," Winkler says. How to stop them: Employee awareness goes a long way. "I tried to avoid seeing anything sensitive, but I had to pretend I was doing something." So-and-So's computer?" "There I was, sitting at the CEO's desk at a Fortune 50 company," he says. ![]() However, as he was leaving the executive suite, an assistant asked him, "Why didn't you update Mr. Winkler says he was once hired to expose a company's security vulnerabilities but was asked to avoid accessing the CEO's system. In other cases, spies have posed as cleaning staffers, gaining after-hours access. The tactic involves either looking for vacated offices or blatantly asking employees to leave their desks so that the spy can, say, update the anti-virus software. Posing as an employee Spies often pretend to be IT support personnel because it enables them to look legitimate while sitting at users' PCs. No one wants a vigilante culture, "but if you see someone acting unusually, you should make note of what that person is doing," Winkler says. Companies also need to set clear procedures for reporting suspicious people. How to stop them: According to Winkler, you can't just establish policies you must also enforce the rules that prohibit security guards, receptionists, and other workers from letting people into the building if they can't prove that they're employees. "It's just a matter of having the right attitude and being confident," he says. If someone enters the room, Wood says he apologizes for the "double-booking" and moves on. In that scenario, a convincing ploy is for spies to work in pairs, with one posing as a consultant and the other as an employee, says Wood, who has used that tactic. Or they can just walk into an empty meeting room, plug in a laptop and pull data off the network. They can pose as IT support personnel, photocopying papers they find on unattended desks or at printers. ![]() Once they're inside, spies have lots of ways to access sensitive information. And Long claims to have walked right through delivery or loading dock doors. To blend in, the spy might hold a cup of coffee or a sandwich, dress in a suit minus the jacket or even wear a counterfeit badge.Īntismoking regulations have also made it simple to sneak into buildings through the back door, where smokers tend to huddle, Wood adds. "In 90 percent of the companies I've worked with, it's so simple to get in, it's pathetic," Winkler says. Tailgating One of the most disturbingly successful ways for outsiders to infiltrate an organization is also the least high-tech: following an authorized employee through the front door. Here are several of the most common ploys and the countermeasures you can put into place to spot - and possibly even stop - the work of a spy. They might steal information for blackmail purposes, but "the most common motive for physical intrusion is industrial espionage," he says. Spies are interested in anything from financial data to intellectual property and customer data. Any company can be a target, says Peter Wood, chief of operations at First Base Technologies, a U.K.-based consultancy that performs ethical hacking services.
0 Comments
Leave a Reply. |