SURVEY - FT-IT REVIEW: Companies remain surprisingly vulnerable: LOW-TECH SECURITY ISSUES
By Mark Halper, Financial Times; Dec 5, 2001
Whether it is intruders fast-talking the help desk for passwords or crashing the swipe card gate, the low-tech threat to IT systems is real for most businesses.
Scanit, a Belgian company, makes a living breaking into corporate computing systems, and goes to extremes to get the job done. Earlier this year it bribed a worker at a Polish electricity company to help it gain access to the utility's IT systems.
Scanit is one of many computer security companies that offer low-tech as well as high-tech services to help corporations assess and shore up their IT vulnerabilities. Along with Computer Sciences, IBM, Lucent Technologies and many others, it runs what are euphemistically called "social engineering" and "physical penetration" tests to find openings in a company's systems.
With the permission of clients' senior executives, Scanit uses decidedly low-tech methods such as bribing, sweet-talking help desk staffers into providing passwords, or sneaking into offices to help prove how vulnerable the company's computer systems really are. These methods are routinely used by real criminals.
Security companies in the sector report nearly perfect success rates. They tell alarmingly similar stories of lazy security guards, gullible help desk staffers, non-confrontational employees, and generally lax physical and "mental" security that can negate the effect of millions of pounds spent on high-technology computer firewalls and encryption.
"We reckon that 80 per cent of security is the soft part - the low-tech side," says Amir Belkhelladi, who heads the security practice in the UK and Ireland for Lucent's services division. "Social engineering is a very powerful technique. The most vulnerable part of a company is the human factor."
Or as Graham Cluley of UK-based Sophos Anti-Virus puts it, social engineers have many ways of "exploiting the bugs in people's brains".
In Scanit's Polish case, the electricity company suspected that members of staff were susceptible to bribes. Posing as competitors, Scanit offered payment to eight different individuals, whom it tracked down in bars and gyms. Seven refused, but one accepted $100 for providing information that enabled Scanit to work its way in. "He even offered to open it up to us completely for more money," recalls David Michaux, Scanit chief executive.
Many of the low-tech ploys that computer security businesses practice have a similar ring to them - one common ruse involves sneaking past security guards and receptionists as the first step in finding an available, internal, networked computer.
Slipping through lobbies and waiting areas hardly seems a challenge. Computer security companies draw from a cliche bag of cloak-and-dagger tricks that include fake ID badges and posing as visiting businessmen or system engineers.
To prove the point that receptionists and security guards often do not scrutinise photo ID badges, Bill Pepper, Computer Sciences' UK security consultant, once entered a building with a snapshot of a dog on his ID card.
Paul Williams, a security specialist with Cornwell Affiliates, a UK-based IT consulting company, says one technique guaranteed to work is to roll in with revellers returning from an office party. Geoff Davies, managing director of I-Sec, a UK IT security company, says fire drills can serve the same purpose. An IBM security professional dresses up as a repairman.
Scanit's Mr Michaux even dispatches attractive young women who announce with a hint of scandal that they have an appointment with a top executive. Mr Michaux insists that security guards typically wave the woman through rather than raising potentially embarrassing alarms.
Sneaking into an office building does not guarantee that the prowler will find his way into the computer network. But it is a good start. Mr Michaux claims a 100 per cent success rate at getting into a network when deploying low-tech means, which his company has done about 20 times in the last year.
Once his attractive young women find their way to the executive suite after hours, he claims it is easy for the invaders to plug a laptop computer into the corporate network, and for Scanit to then watch network activity from a remote link to the laptop.
One recurring yarn involves arranging a meeting at company offices and then sneaking onto the host's network-connected laptop when he fetches coffee. Security experts also insist it is easy to gain unauthorised access to personal computers at lunchtime because, as CSC's Mr Pepper notes, many employees "don't tend to ask questions".
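The after-hours laptop in the executive suite and the lunchtime walk-up described above both leave the same trace: a device asking the network for an address that nobody in the asset register owns, often at a time nobody should be working. The script below is an added example, not code from Scanit, CSC or the article; it parses constructed DHCP acknowledgement log lines (the format, the inventory and the MAC addresses are all hypothetical) and ranks each lease by whether the device is known and whether it appeared outside business hours.

```python
"""Flag network devices that are not in the asset inventory, with extra weight
for leases granted after hours. Added example; log lines, inventory, MAC
addresses and business hours below are all constructed/hypothetical."""
import re
from datetime import datetime, time

# Hypothetical asset inventory: MAC address -> asset tag.
INVENTORY = {
    "00:1a:2b:3c:4d:5e": "finance-ws-01",
    "00:1a:2b:3c:4d:5f": "exec-laptop-ceo",
    "00:1a:2b:3c:4d:60": "printer-floor3",
}

# Constructed DHCP server log lines in a dnsmasq-like layout (not a real capture).
SAMPLE_LOG = """\
2001-12-04 09:12:03 DHCPACK 10.20.3.41 00:1a:2b:3c:4d:5e finance-ws-01
2001-12-04 13:02:55 DHCPACK 10.20.3.42 00:1a:2b:3c:4d:60 printer-floor3
2001-12-04 22:47:18 DHCPACK 10.20.3.77 08:00:27:aa:bb:cc unknown-laptop
2001-12-05 02:15:09 DHCPACK 10.20.3.78 00:1a:2b:3c:4d:5f exec-laptop-ceo
2001-12-05 08:30:00 DHCPACK 10.20.3.79 08:00:27:dd:ee:ff visitor-pc
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"DHCPACK (?P<ip>\S+) (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) (?P<host>\S+)$"
)

# Hypothetical business hours; anything outside this window is "after hours".
BUSINESS_START = time(8, 0)
BUSINESS_END = time(19, 0)


def parse_leases(text):
    """Turn matching log lines into dicts; lines in another format are skipped."""
    leases = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
        leases.append({"ts": ts, "ip": m["ip"], "mac": m["mac"].lower(), "host": m["host"]})
    return leases


def after_hours(ts):
    """True when the timestamp falls outside the business-hours window."""
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def find_suspicious(text, inventory=INVENTORY):
    """Return (severity, lease) pairs worth a look.

    high   - MAC not in inventory, lease granted after hours
    medium - MAC not in inventory, lease granted in business hours
    low    - inventoried device active after hours (context for the above)
    """
    findings = []
    for lease in parse_leases(text):
        known = lease["mac"] in inventory
        odd_hour = after_hours(lease["ts"])
        if not known:
            findings.append(("high" if odd_hour else "medium", lease))
        elif odd_hour:
            findings.append(("low", lease))
    return findings


if __name__ == "__main__":
    for sev, lease in find_suspicious(SAMPLE_LOG):
        print(f"[{sev:6}] {lease['ts']} {lease['mac']} {lease['ip']} ({lease['host']})")
```

Run against the constructed log, the unknown laptop at 22:47 is the only high finding; the visitor PC at 08:30 is medium, and the chief executive's own laptop at 02:15 is reported as low so that an analyst can see what else was on the network when the rogue device appeared. A hostname the intruder chooses for the laptop is not evidence of anything, which is why the script keys on the MAC address and the inventory rather than the name.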
Some of the most effective examples of low-tech computer security breaches do not entail physical entry. Rather, they originate remotely through pure trickery. Lucent recently sent e-mails offering employees of a European bank a chance to win a $1m lottery prize by clicking through to a bogus, Lucent-run website.
According to Mr Belkhelladi, the respondents included network and systems administrators, and Lucent was able to ride their web connections back into the bank's systems. "We got in on a Trojan horse. We had full access to their customer data," recalls Mr Belkhelladi.
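The lottery lure described above is cheap to send and, as the bank found, hard to resist. The following is an added example, not code from Lucent or the article: a small triage routine that scores a constructed message for lure wording, for links that leave the organisation's own domain, and for anchor text that displays one address while linking to another. The message, the corporate domain and every host name in it are hypothetical.

```python
"""Triage an inbound e-mail for a lottery-style lure. Added example; the
message, corporate domain and link targets below are constructed/hypothetical."""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

CORPORATE_DOMAINS = {"examplebank.test"}  # hypothetical internal domain
LURE_WORDS = ("lottery", "prize", "winner", "you have won", "claim")

# Constructed phishing message, not a real sample.
SAMPLE_EMAIL = """\
From: "Prize Desk" <prizes@examplebank.test>
To: sysadmin@examplebank.test
Subject: You have won the $1m staff lottery - claim within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Congratulations! You are a winner in the staff lottery.</p>
<p>Click <a href="http://examplebank-prizes.test/claim">www.examplebank.test/prize</a>
to claim your prize.</p>
<p><a href="https://intranet.examplebank.test/hr">HR portal</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable-domain guess: keep the last two labels.
    Adequate for the hypothetical .test names used here; real deployments
    should use the public suffix list."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyse(raw):
    """Return a list of (finding_kind, detail) tuples for the raw message."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    findings = []

    # 1. Lure vocabulary in subject or visible body text.
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    hits = [w for w in LURE_WORDS if w in text]
    if hits:
        findings.append(("lure_words", ", ".join(hits)))

    # 2. Links that leave the corporate domain, and anchor text that shows a
    #    different address from the one actually linked.
    ext = LinkExtractor()
    ext.feed(body)
    for href, anchor in ext.links:
        host = urlparse(href).hostname or ""
        if registrable(host) not in CORPORATE_DOMAINS:
            findings.append(("external_link", href))
        m = re.match(r"(?:https?://)?([\w.-]+\.\w+)", anchor)
        if m and registrable(m.group(1)) != registrable(host):
            findings.append(("anchor_mismatch", f"{anchor} -> {href}"))
    return findings


def verdict(raw):
    """Collapse findings into deliver / review / quarantine."""
    kinds = {k for k, _ in analyse(raw)}
    if "anchor_mismatch" in kinds or {"lure_words", "external_link"} <= kinds:
        return "quarantine"
    return "review" if kinds else "deliver"


if __name__ == "__main__":
    for kind, detail in analyse(SAMPLE_EMAIL):
        print(f"{kind:16} {detail}")
    print("verdict:", verdict(SAMPLE_EMAIL))
```

The anchor-text check is the one that matters most here: the constructed message shows the reader a corporate-looking address while the link goes to a different host, which is exactly the trick that draws an administrator to an attacker-run site. Lure words alone only earn a "review", because real internal mail does occasionally talk about prizes.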
Likewise, Mr Pepper points out that hackers' lives are made easier because "people still choose to use stupid passwords".
Social engineering comes with cultural subtleties. Mr Michaux, a multilingual speaker, says that it is easier to keep Belgian IT help-desk staffers talking by speaking to them in English rather than in their native French or Dutch, because "they like to show off their English skills".
By rambling on, they are more likely to reveal important information. The reverse does not hold true, though, in the UK, where native English speakers are not interested in showing off foreign language skills, Mr Michaux says.
Whether it is fast-talking the help desk or crashing the swipe card gate, the low-tech threat to IT systems is real. "People think that because they have a firewall and cryptography, they're secure. But that's bunk," says Cornwell's Mr Williams. One reading of that is that a company could improve its security as effectively by spending far less on a low-tech programme of staff training and physical controls as by adding yet another layer of high-tech defences.
Copyright: The Financial Times Limited 1995-1998