If you leave her at your PC, how long would it take for her to insert a USB device and install a Trojan horse, key logger, or any other application to steal information or gain access to the rest of your corporate network? By the time you return, she may have installed all sorts of surveillance applications and be able to access classified information from her home computer whenever she feels like it. This is not such a far-fetched scenario, especially in large organizations with no real physical security beyond the reception. According to this year’s CSI/FBI survey on Computer Crime and Security, more than $30 million worth of damage was caused by insiders stealing proprietary information. The FBI and other security analysts still maintain that the majority of threats originate from insiders or people with insider privileges.
Kevin Mitnick explained in his testimony to a Senate panel on computer security: “When I would try to get into these systems, the first line of attack would be what I call a social engineering attack, which really means trying to manipulate somebody over the phone through deception. I was so successful in that line of attack that I rarely had to go towards a technical attack. The human side of computer security is easily exploited and constantly overlooked. Companies spend millions of dollars on firewalls, encryption and secure access devices, and it's money wasted, because none of these measures address the weakest link in the security chain.”
Consider an even simpler scenario: a promotional CD is sent to a rank-and-file employee, for example a secretary or data entry clerk. Would they think twice before running it on their PC? It may have a stealth application embedded that secretly installs itself onto that PC and may spread across the network, giving criminals access to your most sensitive information.