Consider the following scenario. A good looking woman is wandering around your premises and approaches you asking to show her how to use some functions in Excel or any other application. Do you start quizzing her on who she is, from what department does she come from or do you invite her to your PC and show her what she needs to know? Let’s say you choose the latter and then she asks you for a drink, would you leave her unattended at your PC or do you get her to accompany you?

If you leave her at your PC, how long would it take for her to insert a USB device and install a Trojan horse, key logger, or any other application to steal information or gain access to the rest of your corporate network? By the time you return she may have installed all sorts of surveillance applications and have the ability to access classified information whenever she feels like it from her home computer. This is not such a far fetched scenario, especially in large organizations with no real physical security beyond the reception. According to this year’s CSI/FBI survey on Computer Crime and Security more than $30 million worth of damage was caused by insiders stealing proprietary information. FBI and other security analysts still maintain that the majority of threats originate from insiders or people with insider privileges.


Kevin Mitnick explained in his testimony to a senate panel on computer security: “When I would try to get into these systems, the first line of attack would be what I call a social engineering attack, which really means trying to manipulate somebody over the phone through deception. I was so successful in that line of attack that I rarely had to go towards a technical attack. The human side of computer security is easily exploited and constantly overlooked. Companies spend millions of dollars on firewalls, encryption and secure access devices, and it's money wasted, because none of these measures address the weakest link in the security chain”

Even in more simplistic scenarios where a promotional CD is sent to a basic employee, for example a secretary or data entry clerk, would they think twice before running it on their PC? It may have a stealth application embedded that secretly installs itself onto that PC and may spread across the network enabling criminals access to your most sensitive information.