If you leave her at your PC, how long would it take for her to insert a USB device and install a Trojan horse, key logger, or any other application to steal information or gain access to the rest of your corporate network? By the time you return she may have installed all sorts of surveillance applications and have the ability to access classified information whenever she feels like it from her home computer. This is not such a far fetched scenario, especially in large organizations with no real physical security beyond the reception. According to this year’s CSI/FBI survey on Computer Crime and Security more than $30 million worth of damage was caused by insiders stealing proprietary information. FBI and other security analysts still maintain that the majority of threats originate from insiders or people with insider privileges.
Kevin Mitnick explained in his testimony to a senate panel on computer security: “When I would try to get into these systems, the first line of attack would be what I call a social engineering attack, which really means trying to manipulate somebody over the phone through deception. I was so successful in that line of attack that I rarely had to go towards a technical attack. The human side of computer security is easily exploited and constantly overlooked. Companies spend millions of dollars on firewalls, encryption and secure access devices, and it's money wasted, because none of these measures address the weakest link in the security chain”
Even in more simplistic scenarios where a promotional CD is sent to a basic employee, for example a secretary or data entry clerk, would they think twice before running it on their PC? It may have a stealth application embedded that secretly installs itself onto that PC and may spread across the network enabling criminals access to your most sensitive information.
The above is a real example of an event that actually took place in Israel and was reported by the BBC of a Trojan horse that was planted into a number of organizations by competitive companies and by parent companies. In some cases an e-mail was sent to a secretary asking her to click on a few items that basically released the application and installed it onto her machine. Once installed it ran in the background for over a year before being detected. In another company a CD was sent to an employee with the same Trojan embedded in it and without a second thought the employee’s curiosity caused him to run the CD and see what he had received. Of course without his knowledge the Trojan had installed itself onto his PC, gradually found its way around the network and transmitted data regularly to its target.
These are just a couple of examples where company networks have been easily infiltrated from within or by insiders and suffered major financial damage which in extreme cases have been difficult to recover from.