A company has been hit by a mystery-shopper attack in which it was the victim of a 'social engineering' exercise. A Siemens security consultant targeted a FTSE-listed financial services client company for a week to see what level of access to information he could achieve using social engineering tactics.
Without the aid of any special equipment, the consultant was able to enter the company's office without being challenged by security staff, base himself in a third-floor meeting room where he worked for several days, and freely access different floors, store rooms (containing large amounts of confidential information), filing cabinets and confidential data left on desks.
He was also able to access the company's data room, IT and telecoms network, and to use the internal telephone system to call employees, claiming to be from the IT department (backed up by the caller ID), and request information. Of twenty users targeted, seventeen supplied their usernames and passwords, giving him easy access to confidential electronic data.
He also found that the CCTV domes fitted on the ceilings were not operational. He befriended a number of employees at the target company and was even on first-name terms with the foyer security guard.
On two separate occasions, he was able to escort a second Siemens consultant into the building, who was able to perform further analysis of the company's IT network.
Colin Greenlees, security and counter-fraud consultant at Siemens Enterprise Communications, claimed that tricking employees into providing access to confidential data is a fast-growing issue, and that senior executives should understand how easy this is.
Greenlees said: "The scary thing is that it's all simple stuff. It's just confidence, looking the part and basic trickery such as 'tailgating' people through swipe-card-operated doors or, if you're really going for it, carrying two cups of coffee and waiting for people to hold doors open for you.
"Social engineering is principally concerned with manipulating people into performing actions or divulging confidential information in order to access electronic or physical data. Hi-tech protection systems are completely ineffectual against such attacks, and most employees are utterly unaware that they are being manipulated. Worryingly, many staff positively assisted with information being compromised."