John Verry, principal enterprise consultant of Pivot Point Security, and his “Tiger Team” attempted to access data held by the government and several Fortune 500 companies. Their methods ranged from physically entering buildings to attacks over the Internet.
This research allowed Verry to suggest precautions to reduce information security risks. He found it possible to enter secure facilities without authorization in the following ways:
“Smokers are the friendliest people,” Verry said. By smoking (or pretending to smoke) outside the door of a building and striking up a conversation with other smokers, it is easy to gain access. “[The smokers] will hold the door open for you.”
Another easy way to enter secured buildings is through loading docks.
Government officials want their water, so just carry a large number of Deer Park water bottles, he said. Or better yet, hang around the loading dock while the actual Deer Park delivery person delivers the water.
Verry pointed out that the person delivering the water probably just wants to get his or her job done. As such, he or she will not be paying attention to anyone lurking in the loading dock.
Getting data online is also quite simple.
First, gather information on someone by using a site such as Pipl.com, he said. Then, call the person and pretend to be from the payroll department at his or her workplace. Next, accuse the person of logging onto the payroll department’s online information site without proper authorization.
When the person says he or she did not, ask them to verify their e-mail address (which can easily be found online).
“After the individual confirms, say, ‘And your password is 123, right?’ The individual will say, ‘No, it’s XYZ,’” Verry explained.
He told the audience that many security lapses are due to people not realizing the gravity of the situation in which they find themselves.
“People act stupidly,” he said. “They give out passwords when accused or reset passwords without verifying who is trying to gain access. They let smokers and delivery people in without checking identification.”
Eliminating such mistakes would reduce information security risk. But as Verry pointed out, “You can’t fix stupid. You can only try to make people more aware.”
Verry spoke as part of the second International Conference on Cyber Security, which was co-sponsored by Fordham and the FBI.