Halloween Scary Security Stories 2008

This week I was part of Network World's second annual real-life scary security stories podcast, a panel hosted by Keith Shaw that told the tales of some frightful security happenings over the past year. There were some amazing examples of breaches of data, corporate espionage and simple access and authentication missteps, to which I added a few anecdotes from actual conversations I've had over the past year. [to protect the innocent, actual names were not used]

So here's a run-down of FIVE scary security stories that made me shiver:

1. During a security audit, one company set up a team to see where the vulnerabilities of its organization existed. In one instance, a member of the undercover team posed as outsourced IT staff and asked an employee to offer up her strong password so that he could access the computer to change its fluid... change its fluid!... and sure enough, the employee not only coughed up her password (required to be strong), but noted the strong password was due to their company's strict security policy.

2. Convenience shouldn't be written on the wall... literally. I came across one example of a hospital where they were considering re-painting a room and the doctors were in an uproar about it. Turns out, most of the doctors travelled to different hospitals and had written their application passwords on the wall behind the computer for easy recall and sharing with colleagues. Each doctor had a 'reserved' area where they would scribble their logon information specific to that hospital. I've seen a lot of passwords written on sticky notes, behind monitors, but right on a wall!? This was a first, and I later found out it was done at multiple hospitals in the area.

3. In some instances, vulnerabilities are based simply on the basic human nature of trust. One time I was due to meet with a company, and it was raining buckets outside, so as my team waited outside, a member of the cleaning crew kindly let us into the facility and pointed out the room we were supposed to meet in. No need to sign in or be escorted - even though there were plenty of signs about security and proper disposal of documents in locked bins. The crew member then left us alone in the conference room, complete with network access, to set up our equipment and wait for the meeting with the CISO. The cleaning crew, like most people, trusted that people were good (a positive thought, in general, however) and helped us bypass a necessary physical security hurdle.

4. In some instances, thieves can get downright brazen. In one instance I recently heard about, someone walked into a company on a Friday afternoon wearing an overall with "PC Repair" written on it, and walked off with 50 computers. He told the staff they were getting new computers on Monday and that he had to remove the old computers. Since it was Friday afternoon, not only was he not challenged by anyone, but someone actually helped him get the stuff out. When I heard this one, I was shocked at how easy it is for thieves to get by physical security by using a credible story.

5. I also learned recently about a company that had an employee who was stealing computers by wrapping up laptops in papers and padding, and tossing them into trash cans in the office, then going outside when the trash was taken out to recover them outside of the facility, after the unknowing cleaning people had completed their work. Interesting approach to circumventing the physical security infrastructure, but it goes to show you how creative, yet simple, tactics can be to get around security.

What I took away from these recent conversations and stories is that the human element plays a major role in ensuring overall security, and that training and education must be a security priority for all types of employees in an organization. Often, the social engineering of threats - online and offline - feeds off the inherent trust that people have in one another, so whether a breach, scam or vulnerability is sophisticated or simple, we all need greater awareness of our environments and need to follow security best practices even if it may feel a bit awkward.

So with Halloween upon us, what are your scary security stories? [please don't use real names!]

-David