Consultant accesses company's data room in social engineering 'attack'

Powered by SC Magazine

An FTSE-listed company has been the subject of a "mystery shopper" style social engineering exercise, in which a consultant was engaged to test how far an outsider could get using nothing but persuasion and nerve.

A Siemens security consultant targeted the FTSE-listed financial services client for a week to see what level of access to its information he could achieve using social engineering tactics alone.


Without the aid of any special equipment, the consultant was able to enter the company's office without being challenged by security staff, base himself in a third-floor meeting room where he worked for several days, and move freely between floors, store rooms (containing large amounts of confidential information), filing cabinets and confidential papers left on desks.


He was also able to access the company's data room and its IT and telecoms networks, and to use the internal telephone system to call employees. Claiming to be from the IT department (a claim the internal caller ID appeared to confirm, since the call came from a company extension), he asked staff for their login details. Of twenty users targeted, seventeen supplied their usernames and passwords, giving him easy access to confidential electronic data.


He also found that the CCTV domes fitted to the ceilings were not operational. Over the week he befriended a number of employees at the target company and was even on first-name terms with the foyer security guard.


On two separate occasions, he was able to escort a second Siemens consultant into the building who was able to perform further analysis of the company's IT network.


Colin Greenlees, security and counter-fraud consultant at Siemens Enterprise Communications, said that tricking employees into providing access to confidential data is a fast-growing problem, and that senior executives should understand how easy it is.


Greenlees said: "The scary thing is that it's all simple stuff. It's just confidence, looking the part and basic trickery such as 'tailgating' people through swipe-card operated doors or, if you're really going for it, carrying two cups of coffee and waiting for people to hold doors open for you.


"Social engineering is principally concerned with manipulating people into performing actions or divulging confidential information in order to access electronic or physical data. Hi-tech protection systems are completely ineffectual against such attacks, and most employees are utterly unaware that they are being manipulated. Worryingly, many staff positively assisted with information being compromised."

See original article on scmagazineuk.com

Copyright © SC Magazine, US edition