Wednesday, May 20, 2009

"Social engineering has become the confidence trick of the 21st century."

TSCM is an acronym for Technical Surveillance Countermeasures: inspecting for bugs, wiretaps, etc. It is a standard tool used to protect an organization's information.

Thwarting human trickery (social engineering) is also a defense tool. Good information security consultants take both into account when designing information protection programs.

The BBC recently reported...
Have you ever wondered whether that unfamiliar face in the office is actually an intruder about to steal your data? Probably not, but maybe it is time to think again.

At one FTSE-listed financial institution the managing director himself opened the door to a stranger who, within 20 minutes of gaining entry to the building, had found a highly sensitive document outlining a half a billion pound merger lying on a desk.

Luckily, on this occasion, the data was not used for nefarious purposes because the intruder was Colin Greenlees, a consultant of Siemens Enterprise Communications.

He was there at the request of the firm's IT director to test the resilience of the company to social engineering attacks.

In a similar experiment conducted at the BBC, Mr Greenlees targeted five BBC employees. Pretending to be an IT engineer - with the prior permission of BBC bosses - he managed to obtain all of their usernames and passwords with a simple phone call. (more)