Not all attacks on your network come from the cyber world. Some attacks come physically, and if employees aren’t vigilant or well trained, they could unknowingly allow a potential breach. I have worked within the IT sector for almost 4 years and started my career on a Helpdesk. My job often involved having to go and visit client sites, be it for a general check-up on the equipment, an outage or because a Support Ticket couldn’t be resolved remotely. In my time, I have only been stopped from entering a server room once.
Let me tell you a story which, when I look back on it, is rather worrying. When I first started my Helpdesk job, my role was to answer the phone, solve the simple issues and escalate the not so simple. Due to an issue with the uniform shipment, I didn’t have an official top to wear, but as I was just on the Helpdesk this didn’t matter too much, until I was sent to a client site. I was given some business cards so that if I was challenged I could show them where I was from, and all should be good. I arrived on site in plain clothing without a name badge or formal identification, walked up to reception and said I was from company X and was here to deal with a problem they were experiencing on their server. The receptionist, to my joy at the time, welcomed me, walked me to the server and unlocked the door. I replied with my thanks, said that I would be a little while and asked if it was okay for me to let her know when I was done; she was happy to leave me be for the next hour. No-one came to see how I was getting on and no-one questioned my being there; not once was I asked for ID, and no-one called my office to ensure I was meant to be there. For the next hour I was free to do what I wanted on the server.
When I look back on this situation, I was only challenged once in my three years: a call was made back to my office and it was confirmed that I was meant to be there.
If I had had malicious intent on my first trip, an hour in a server room would have given me more than enough time to steal data or passwords, or to start exploiting the network. This company had also never seen me before, so what would stop them letting me in again? A hacker would have had a field day were they in my shoes at that point. Perhaps I have an honest face, but that is really not enough in today’s world.
This was just the worst case I have witnessed. Even when I was in my company-branded polo shirt, clients I was visiting for the first time would welcome me in and unlock doors, sometimes even handing the key over to me and trusting me to return it; this is someone they had known for only minutes. But is a polo shirt and a printed business card really enough for you to hand over the keys to the kingdom?
Having a perfectly configured firewall, antivirus and strict computer usage policies is not enough if someone is able to physically get onto the network. Let’s face it, most businesses nowadays have some sort of external party working with them, whether that be in the facilitated offices or in anything to do with the running of the company.
This is just one type of social engineering attack; the attacker would have to be confident to attempt it, but I have witnessed many a time where, if I were the attacker, I would have succeeded.
Security is all of our responsibility.