A security solution is only as good as the people who use it, as the following recent incident proves.
A UK penetration tester followed staff through an unlocked, unsecureddoor into the building after their smoking break. The tester - whoskirted past other employees by saying the IT department had sent him -made his way to a meeting room, where he hooked up his laptop to thecompany's VoIP network and, doubtless, congratulated himself on a jobwell done.
Is there a wider lesson to be drawn from this? Yes, and it's not to stoppeople going outside for a break.
The fact remains that if your management team doesn't know what's goingon, you can't enforce adequate security policy. That applies toinformation security just as much as physical security.
I'm sure the company have a perfectly good door entry system, it justwasn't used on that particular door. Likewise, I bet they have a goodfirewall and other IT perimeter security, too.
Geoff Webb, security product manager, FutureSoft.
