Security is always an issue with IT – ever more so these days with the explosion of connectivity, mobile devices and so on. Organisations often test their IT security by arranging with a specialist company to carry out an external “penetration test”. Effectively, that’s asking a friend to see if they can get past the organisation’s security controls by exploiting any weaknesses. If they can, then they let the organisation know and it can then plug the weaknesses.
In the past, these specialist companies have focussed on the technological defences. Increasingly, however, they are looking at the softer weak points – i.e. people. One company I spoke with carries out tests on datacentre security – they might be asked to see if they can gain physical access to an organisation’s datacentre. For obvious reasons I won’t tell you how they might try to do this, but it is designed to test how good the access and security protocols are in practice. On one occasion they did indeed manage to get into the datacentre – except it was the wrong one!
The other growing area is what they call a “social engineering” penetration test. To put it unkindly, this is to test how gullible the employees in an organisation are. You have probably all at some point seen an e-mail in your inbox offering you the chance to inherit somebody’s fortune if you can only help by supplying your bank account details. Or an e-mail from your bank telling you that there is a problem with your account and asking you to give them your password or PIN number so that they can check.
These e-mails are getting more and more sophisticated, and they steal branding and corporate images to make them look completely genuine at first glance. I have seen e-mails claiming to be from the RGU IT Help desk asking users to hand over their password so that their account can be reactivated, and these e-mails can look very convincing. Sometimes they ask for information, and sometimes they just try to coax you to click on a link for further information. That link, of course, will install some nasty software on your computer and from then on they can do anything – maybe steal confidential information (including any passwords you type in) or hijack your computer to get it to send out thousands of other e-mails to other people.
Have a look at the Wikipedia entry for more background.
I learned of one organisation recently where somebody thought one of these e-mails was genuine, clicked on the link, and before long their organisation had suffered a major security breach. These e-mails are therefore a real threat to security in any organisation, and not just a minor nuisance.
– No legitimate organisation (internal or external) will EVER ask you to e-mail them any confidential information, whether that’s a password, PIN number, date of birth or whatever.
– If you receive an e-mail that you were not expecting, and if it has a link to another web site, don’t click. Be very careful of unusual e-mails from people you know – especially if it’s little more than a link to some web site and a subject line saying “check this out”. It probably means their e-mail has been hacked and is being used to send out spam.
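The two rules above can be turned into mechanical checks. As an added illustration (not code from the original post), the Python below parses a raw e-mail and flags the traits described: a request for a password, PIN or bank details; an account-problem or "check this out" pretext; a Reply-To that goes somewhere other than the sender; and a link whose visible text names one site while the href points at another. Every domain and message in it is constructed for the example, and the two-label base_domain() shortcut is an assumption that works for these samples but not for real public suffixes.

```python
"""Heuristic phishing-trait checks. Added example; all domains and messages are constructed."""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Rule 1: nobody legitimate asks for these by e-mail.
SECRET_REQUEST = re.compile(
    r"\b(password|pin(?: number)?|bank account|account details|date of birth)\b", re.I)
# Pretexts the post mentions: account problems, reactivation, "check this out".
PRETEXT = re.compile(r"(reactivat|problem with your account|check this out)", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def base_domain(host):
    """Last two labels of a hostname (assumption: good enough for the constructed samples)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def host_of(url_or_text):
    """Hostname from a URL, or from bare text such as 'www.examplebank.test/login'."""
    text = url_or_text.strip()
    return urlparse(text if "://" in text else "http://" + text).hostname or ""


def address_domain(header_value):
    m = re.search(r"@([\w.-]+)", header_value or "")
    return base_domain(m.group(1)) if m else ""


def flatten_body(msg):
    """Text of all text/* parts (HTML included) as one string."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(
        p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
        for p in parts if p.get_content_maintype() == "text")


def phishing_indicators(raw_message):
    """Return the sorted list of indicator names that fire on a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    body = flatten_body(msg)
    sender = address_domain(msg.get("From"))
    reply_to = address_domain(msg.get("Reply-To"))
    found = set()
    if SECRET_REQUEST.search(body):
        found.add("asks_for_secret")
    if PRETEXT.search(body):
        found.add("pretext_phrase")
    if reply_to and reply_to != sender:
        found.add("reply_to_elsewhere")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        target = base_domain(host_of(href))
        # Visible text names one site, href leads to another (the branding trick).
        if re.search(r"\w\.\w", text) and base_domain(host_of(text)) != target:
            found.add("link_text_mismatch")
        # Link leads away from the sender's own domain (an unexpected off-site link).
        if sender and target != sender:
            found.add("link_offsite")
    return sorted(found)


# Constructed sample: a fake bank alert of the kind the post describes.
PHISH = """\
From: "ExampleBank Security" <alerts@examplebank-secure.test>
Reply-To: recover@mailbox-collector.test
To: someone@example.test
Subject: Problem with your account
Content-Type: text/html; charset=utf-8

<p>There is a problem with your account. To avoid suspension, confirm your
password and PIN number at
<a href="http://examplebank-secure.test/verify">www.examplebank.test/login</a>.</p>
"""

# Constructed sample: a routine notice linking only to the sender's own site.
BENIGN = """\
From: "IT Help Desk" <helpdesk@example-university.test>
To: someone@example-university.test
Subject: Planned maintenance this weekend
Content-Type: text/html; charset=utf-8

<p>Mail will be unavailable on Saturday 08:00-10:00. Details are on the
<a href="http://intranet.example-university.test/maintenance">intranet</a>.</p>
"""

if __name__ == "__main__":
    print("phish:", phishing_indicators(PHISH))   # four indicators fire
    print("benign:", phishing_indicators(BENIGN))  # none fire
```

Indicators like these are a triage aid for a mail gateway or a reporting button, not a verdict: a message that fires none can still be hostile, which is why the post's two rules are phrased as habits rather than filters.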
So, what’s a “social engineering” penetration test? That’s when we agree with an external company that they can send into the organisation lots of “phishing” style e-mails and then see how many people get tricked into responding. That’s not to catch people out, but to help educate and test the level of awareness across the organisation. I might just look at that . . .