The morning commute from my suburban town of residence to London, where I presently work, and back is an opportunity to catch up on some reading and the news.
For an increasing number of commuters it is also an opportunity to plan the day's business, read and write emails or perform other business-related tasks.
I decided to see what information I could glean from over the shoulders of fellow travelers, mostly working on their laptop PCs, and whether or not this information could possibly pose a security threat to their organization.
I got off to a flying start. As I stood in the aisle, clasping my coffee, I was clearly able to see planning for that day's business meetings being organized by the employee of a well-known City law firm. The email contained his name, the names of the other people involved in the meeting and the names of the clients.
Moving through the carriage, my attention was drawn to a women reading through a pile of CVs. Peering from over the top of my Daily Mail, I could see the name and address of the job applicant. I couldn't deduce the company or position being applied for, but I could certainly see the applicant's current position and company.
Two blocks of seats away, another gentlemen uses the password "partytime" to log into his Windows session, then proceeds to work on a PowerPoint presentation, the subject being a forthcoming business proposition. This included projected expenditure, the total budget for the project and the hierarchy of the project team involved.
All of this information so far is a goldmine for a person intent on using 'socially engineered' information to attempt to break into a network or commit other data-related misdeeds.
As the train pulled into a station, a new stream of commuters boarded while others disembarked. While this was going on, a suited lady slept, her laptop case resting on the floor in the aisle by her seat.
The journey between the train and my client's office requires a walk through the City's main financial district. As I wander along near the Bank of England, I'm able to glance through an office window where I note the name card on a desk, and the operating system in use on the desktop PC together with the version of email client.
In an era where many organizations are investing money in state-of-the-art networks, intrusion detection solutions and other items to add to the security infrastructure, the weakest link remains the very people we employ. The most securely stored data may be compromised the minute the manager opens his laptop on the train to work on it.
Companies are failing in their security efforts because they are spending only on the tangible physical tools. A firewall can be listed on the asset register, it is something the IT director can show the board, along with a report on how many incidents it has detected and prevented spreading into the network. The money saved by having the firewall can therefore be calculated.
On the other hand, spending the money on professional IT security personnel is less easy to justify. There is a much less tangible means of calculating the benefit to the business of such a move, yet using such people may well prevent the very incidents described above and others, that can lead to untold damage to a business and its reputation.
So, what are the risks of your organization falling victim to crime as a result of a social engineering such as that shown above? Figures are hard to come by, but articles by infamous hacker, Kevin Mitnick (who served five years for his data-related crimes) suggest that information gleaned from over someone's shoulder or in a similar manner played a large part in helping him to get the information that he required to perform his activities.
The topic of social engineering has been much discussed; an Internet search on the topic will reveal a multitude of guides on both how to commit it and how to protect against it. The subject is most certainly relevant to your organization and your employees.
Making staff aware of the implications of, and accountable for their own actions is a major part of IT security. In the view of many professionals, it is just as important as installing a firewall or running anti-virus applications. An internal security awareness scheme, with related training, complements the security policy. It is an ideal means of informing users of their own responsibilities when it comes to maintaining the integrity of business information.
User awareness means, amongst other things, that managers do not display business confidential data during their morning commute and that laptop owners do not leave business property unattended and unsupervised on trains. For offices on public display, user awareness means not allowing passers the ability to view potentially confidential information on their desktops: pull down the blinds!
The information gained during my journey could be used in a variety of ways. The names of personnel may be used in attempts to 'engineer' information from a company. Internet searches through UseNet may reveal email addresses and other pertinent information about the tools that the business uses (for example, John Smith of XYZ plc may have asked for help within a newsgroup regarding configuring a firewall or router - it does happen).
Knowing the operating system that an organization works with can save the potential hacker time and allow him to deduce other information about the network. Similarly, if Outlook is seen as being the email client, it is a sure bet that MS Exchange is working as the server.
Most serious of all, business confidential information should not be on display in public train carriages at any time. It may well end up as the topic of conversation in the coffee room of your biggest rival.
Lastly, personnel issued with laptop computers have a responsibility to look after them. Over 30000 get stolen every year, many containing sensitive information potentially far outweighing the value of the hardware.
The corporate security policy is the place to state what a user's responsibilities are, and most organizations these days have some form of policy. My question to the staff of a recent client was "can you tell me where your security policy is?" The response was worrying but not unusual. Not only could no one tell me where the policy was, or what its contents were, few employees were actually aware that there was a policy.
The policy itself was comprehensive and thorough, but it did not cover use of laptops off-site, neither did it cover working procedures outside of the office. It cannot therefore be a surprise for an organization to find that their plans are being compromised on the 6.42 into King's Cross.
However, as few staff even knew there was a policy in existence, it is as good as being non-existent. The policy must be available and easy to access. For example, my present client has a link to the security policy from the home page of the intranet. A paper version of the policy should be given to staff as a part of their induction into an organization, together with a form for them to sign, stating that it has been read and understood.
We cannot stop people working in public places, but we can dictate that they use common sense and take reasonable measures to safeguard both their assigned equipment and company data.
The number of means of gaining business data and infiltrating networks grows daily, some would say hourly. Your business may have its access to the internal network covered but, as always, people are the weakest link. Take steps, invest in the right resources and protect your business.
Stuart King, CISSP, is a UK-based security consultant (www.semrauking.com).
