Proof: Employees don't care about security

Like we didn't already know...

By Will Sturgeon, 16 February 2006 09:45

NEWS

An experiment carried out within London's square mile has revealed that employees in some of the City's best known financial services companies don't care about basic security policy.

CDs were handed out to commuters as they entered the City by employees of IT skills specialist The Training Camp and recipients were told the disks contained a special Valentine's Day promotion.

However, the CDs contained nothing more than code which informed The Training Camp how many of the recipients had tried to open the CD. Among those who were duped were employees of a major retail bank and two global insurers.

The CD packaging even contained a clear warning about installing third-party software and acting in breach of company acceptable-use policies - but that didn't deter many individuals who showed little regard for the security of their PC and their company.

Rob Chapman, CEO of the Training Camp, who carried out the stunt to promote a course in security for non-IT professionals, said: "Fortunately these CDs contained nothing harmful. No personal or corporate data was transmitted due to the actions of these individuals but the fact remains that this could have been someone wanting to cause havoc in the City."

Chapman claimed the "potential outcome could have been disastrous".

Effectively the employees, by carrying the CD into the company and putting it straight into their PC, had bypassed much of their company's security. Chapman said: "Employees have to recognise they are the first and easiest route into a company's network."

Just last year Japanese bank Sumitomo Mitsui in the City fell victim to a spyware infection which almost ended with the theft of £220m. That case should have highlighted the threat posed by applications entering the enterprise through unofficial channels and yet it appears few companies have taken note.

Comments

There are 14 comments.

  1. anonymous

    If no corporate details were gathered during this stunt, then how were the companies identified by the training camp?

  2. Mark Nicholas

    It's interesting to say that 'Employees Don't Care about Security'. You know what, I think you're wrong. I think they do care, they're just not used to the continuous stream of social engineering techniques being launched at them in all manner of ways. The key here is 'Education'. Regularly keeping all employees abreast of the latest scam is the duty of the company, its officers and corporate security team. How they do it is another matter, but to say employees don't care is simply overlooking those who need to take more responsibility on their (employees') behalf by being one step ahead where possible.

  3. Merlin

    Excuse me, but it's not the responsibility of any company to teach people how to breathe, how to walk, or how to chew their food. Likewise, it's not your employer's responsibility to teach you common sense.

    Would these office workers hand over their wallets or car keys to a complete stranger that asked them for it as part of a 'special promotion'?

    If they would, then their employer needs to send them packing immediately, as these people are a gigantic liability, completely clueless, and guaranteed to ultimately cause problems for the business.

    If they wouldn't hand over their keys, yet they happily plopped the CD into their computers, then they most certainly *have* demonstrated that they gave no consideration at all to using their company's computers in a manner that most certainly is not part of their jobs. They too should be handed their walking papers - as they've likely breached the provisions of any number of corporate regulatory laws, thus opening the door to very real legal action against the company, in addition to compromising their company's reputation.

  4. fatman

    Users generally don't care about security because they don't understand it and moreover, because the data being protected is not personal to them.

    Ask 100 people in the street for their credit/debit card number and PIN number and 99 people will tell you to get lost. It's personal - the risks are obvious - they could lose cash from their bank account.

    Therefore, the challenge is to raise the issue of security within the business so that they feel personally responsible for it within their area of the business.

    Doing this includes having a corporate security policy and enforcing it, firing employees who continually flout established policies, offering rewards to those who report suspected or actual breaches of policy, making an example of individuals who flout policies etc. Security policy and responsibility for security should be included in every employee's contract of employment.

    Kind of a 'carrot and stick' approach overall.

  5. Mark Nicholas

    Dear Merlin. You've obviously missed the point. Social Engineering is all about circumnavigating common sense to use tactics to obtain information. Of course people aren't going to hand over keys etc. because they have personal ownership over them and they also appreciate the consequences or impact. Now, let's consider 'fatman's' comments that the data doesn't belong to them. You therefore need to educate them, because if the business isn't responsible, who is? Are you going to leave it to every individual employee to use their common sense? No chance, that's what anti-virus etc. is for, to remove the doubt, that's the business being proactive. Which is what information security primarily is, 'Proactive Risk Management'. You assume too much of an employee. They want to do their role without worrying about this stuff and where they do they need education, then as a final slap, to use the Corporate Policy on them, because if you're into disciplinary, you've failed already as they must have already committed a breach.

  7. Scott Hollingsworth

    They don't understand.
    If you ask those same employees to hand over the keys to the office or sensitive information directly, most would tell you to take a hike.

    They don't understand how easy it can be for their computer to be leveraged to obtain the information.

    Oh, and as far as identifying the companies the duped employees worked for, IP addresses can be as good as street addresses for finding companies.

  8. anonymous

    The companies were probably identified by the IP addresses. A simple whois search would reveal the larger companies who own ranges of IPs.

  9. anonymous

    That is why you should lock down "user" computers using group policy... (assuming they are in an active directory)

  10. anonymous

    I'm sure they logged the IP address from their central server, which can be traced back to a particular company generally.

  11. Tom Schultz

    A wild guess would be: by the IP address of the computer contacting the server.

  12. IT Guy

    I used to work support for my organization's equipment, software, and network. Our staff was told at regular intervals not to open attachments on questionable emails. They were told several times a year not to surf the web recreationally. They were repeatedly told not to install or run programs from the internet or that they had brought from the outside. They understood that these were related to security issues.

    Many of them did some or all of these things. In speaking to them, there was the general sentiment of "it won't happen to me" or of "nobody would want to hack this place." Much like the person who drives unsafely thinking "I'll never get in an accident" or the person who leaves their doors unlocked figuring "nobody would want to rob me"... they're just careless... and naive. Education doesn't do the whole job... but tough consequences seem to help.

  13. anonymous

    This proves nothing.

  14. Jan D

    Wow. Scary but understandable.
