A security consultant managed to talk his way into an FTSE-listed financial services firm and access company data in a social engineering exercise.
Colin Greenless, a security consultant at Siemens Enterprise Communications, targeted a client company for a week in a special investigation to see what information he could obtain using social engineering tactics.
Without the use of any special equipment, Greenless was able to enter the company's office without being challenged by security staff. Greenless then based himself in a third floor meeting room, where he worked for several days.
The consultant also freely accessed different floors, store rooms, filing cabinets and confidential data left on desks, and entered the company's data room, IT and telecoms network.
Posing as an IT worker, Greenless used the internal telephone system to call staff and request information. During the exercise, 17 out of 20 users gave away their usernames and passwords, giving Greenless easy access to electronic data.
"The scary thing is, it's all simple stuff. It's just confidence, looking the part and basic trickery such as 'tailgating' people through swipe card operated doors or, if you're really going for it, carrying two cups of coffee and waiting for people to hold doors open for you," said Greenless.
During his week at the financial firm, Greenless befriended a number of employees and was even on first name terms with the foyer security guard.
Greenless even brought a second Siemens consultant into the building, who was able to perform further analysis of the company's IT network.
Social engineering, or confidence tricks, is the art of manipulating people into divulging information, or performing actions that would give the fraudster access to data.
"Hi-tech protection systems are completely ineffectual against such attacks, and most employees are utterly unaware that they are being manipulated," said Greenless.
A Siemens Enterprise Communications White Paper, written by Greenless, details the findings of the exercise, and also provides recommendations for executives.