In the digital age, one tends to consider the notion of attack and penetration of corporate systems or data in a purely online sense. However, there is much more to it and miscreants can gain access to information using a variety of techniques – some of which are as breathtakingly simple as they are effective.
That is according to Yvette du Toit, manager of the Attack and Penetration competency in Ernst & Young’s Technology & Security Risk Services division. And she should know, because in the process of conducting attack and penetration assessments, du Toit has conducted many of these techniques in the field.
“Simple tactics such as bypassing security guards and access control through social engineering can be far easier for the perpetrator to execute than trying to breach information systems. Once in the building, it is possible to pick up sensitive data from a workgroup printer, sit down at a desk and perhaps use an unlocked computer, rifle through drawers, or accidentally knock over the trash can outside the office of a key employee,” says du Toit.
Surreptitious snaps of network diagrams or calls to the contact centre to wheedle out user names and passwords are among the tools of the trade which can be used as physical interventions to augment digital attacks.
These tactics require very little sophistication, du Toit observes, yet can be used to net all kinds of sensitive information which can be used in one of the increasingly prevalent crimes related to the compromise of personal information: identity theft.
“Of the breaches which we see in the field, identity theft is probably one of the most common. Details which people tend to be quite careless with can be used by criminals for a range of illegal activities – such as opening accounts, making purchases and ordering goods – which can cause all manner of inconvenience and loss to either the individual or the company,” says du Toit.
Field testing, she says, is conducted to gauge these weaknesses. The only rule which the tester must follow is that they can do no harm. “Many company directors get quite a scare when they discover just how easily an individual can bypass guards, access controls and the suspicions of other employees. In many cases, it is a simple matter of taking advantage of people’s natural willingness to help; by manipulating the situation to obtain all manner of sensitive information.”
While there are no specific items of legislation or regulations which address attack and penetration per se, du Toit points out that prevention of such incidents are somewhat universal across industries and sectors. “The fact that the information which can be accessed can be used for such a wide variety of purposes – from personal identity theft, to a fraud involving the company – makes mitigating these sorts of risks relevant to everyone,” she notes.
Companies tend to have the IT aspects of security well under control, given the prevalence of computers in business; with this essential aspect in place she says the focus needs to shift to include the risk of physical breaches. “The common perception that if the perimeter [network] is secure, then the business is secure, is giving way to recognition of the fact that an internal focus is just as important. This internal focus is broader than the computers, too. It includes examining the processes and people for any shortcomings and increasingly dealing with third parties.
For more information contact Fathima Naidoo, Ernst & Young South Africa, +27 (0)11 772 3151, [email protected], www.ey.com/za
© Technews Publishing (Pty) Ltd. | All Rights Reserved.
printer friendly version