Imagine that you are charged with implementing and testing security policies at your organization. You know that most security breaches exploit employees who are lax in following security policies, and so you hire an outside agency to test if policies are being followed by employees. The agency uses the following tests.
Piggybacking: An operative wearing a suit and tie, and carrying a briefcase, stands at the front entrance to a corporation. He waits for an employee to unlock the door with his ID scan and follows him in.
Shoulder Surfing: An operative notices employees standing outside a door smoking on their break. He walks over and mills about looking over his shoulder as employees type the keypad code to reenter the building. With that information he lets himself in.
Computer Technician: Two operatives walk in to an office wearing “Computer Doctors” jumpsuits. They tell the administrative assistant that they have an order to fix the system. The assistant tells says that “Mr. Smith did not tell me about this, and he’s on vacation and can’t be reached.” They reply that “We’re booked for the next two weeks. The system is overheating and could melt down at any moment. It has all of the customer information on it. If it burns up because we were not allowed to work on it, somebody’s going to get into a lot of trouble. Are you sure that you didn’t forget the order?” The assistant nervously lets them in.
Bribery: An operative posing as a representative of another company approaches an employee outside of work and offers him $50,000 to get some memos concerning the company’s plans for a new product.
Are all of these forms of penetration testing ethically permissible? What do you think?
Last Week’s Question:
Until recently, Norwich University owned what other college in Vermont?
The answer is: Vermont College in Montpelier
The winner is Autumn Crossett. Congratulations Autumn!
This week’s Question:
Vermont has four seasons; summer, foliage, winter, and _________.
The winner receives two tickets and round trip airfare to the Information Assurance Hall of Fame, housed at an undisclosed underground bunker in the Appalachian Mountains.
Send your guesses to: jorlando@norwich.edu
All forms of penetration testing are permissible, the nastier the better. If we are serious about probing for security weaknesses then we need to allow the pen-testing team to perform without imposing restrictions on their work.
ReplyDeleteThe methods mentioned are acceptable, however, at some point, particularly with the bribery approach, there needs to be some transparency about the dupe. The percentage of employees willing to take a bribe is probably quite small, whereas, the electronic 'break and enter' is much more plausible.
ReplyDeleteRecall the movie, "Sneakers". Upon returning to collect his check after staging a break-in, Redford's character admits it's not much of a living. Is that a good business today?