Recently I attended a presentation by Kevin Mitnick, a well-known computer hacker turned security expert. His live demonstration showed both the ease and effectiveness of current hacking techniques. It was unnerving to witness the relatively simple, yet extremely dangerous techniques for stealing sensitive data. It gave me a greater appreciation for our information security team and the difficulties they face on a daily basis. They understand that one error or lapse in attentiveness — no matter how seemingly minor — can be the downfall of the entire company.
I believe we are all aware on some level of the dangers of not protecting our personal and corporate data. It took seeing first-hand the actual threats in action to truly bring the impact of security breaches home for me.
Imagine leaving your highly secure financial services headquarters for lunch and bumping into a passerby as they are entering your building. The person politely says "pardon me" and continues on their way. What you don't know is that during this brief interaction the well dressed suit scanned the information on your corporate ID badge via a hidden device. They are now able to enter your facility as an employee using your credentials.
In another scenario a customer chats with the clerk at a retail store as they are checking out. While carrying on an engaging conversation the customer plugs a USB drive into the cash register. The USB device automatically loads software on the store's computer register that captures passwords, monitors for credit card numbers and makes the entire contents of the computer accessible to a remote computer. The friendly customer has now compromised the entire store network undetected and with minimal effort.
Do these situations sound like a Hollywood spy movie? Perhaps, but they are very real scenarios with dangerous ramifications.
Additionally, there is the threat represented by peer-to-peer file sharing networks. Although this was widely reported in security publications over a year ago, I've yet to speak with anyone outside of information security aware of the potential risk of these networks. In this case an employee installs file sharing software, like LimeWire, Kazaa, or BitTorrent, on their computer to access free music. Once installed, the software shares the entire contents of the user's hard disk, not just a limited set of music files. Once the files are shared, anyone on the peer-to-peer network who searches for the right file name can download the user's files. Considering that many people store passwords and important files on their computers, the seemingly harmless search for free music now becomes a security nightmare.
Just how easy is it to access files in a P2P file sharing situation? Have you ever written to your credit card company to explain an error on your account and request a correction? Your name, account number, date of birth or other confidential information is likely included in that letter. Microsoft Word uses the first sentence of your letter as a filename — for example, Dear Citibank. During his presentation Mr. Mitnick ran a live search for the phrase “Dear Citibank” that revealed hundreds of files with very complete, sensitive consumer information. Everything needed to compromise the account. It's just that easy.
The final example I'd like to share is related to WikiLeaks. As reported elsewhere, many of the documents that WikiLeaks claims were submitted to them anonymously were actually acquired through P2P file sharing networks. The individuals who disclosed confidential State Department or military information were in fact doing nothing more than downloading music to listen to while at work. Some of the information released, such as family addresses for military personnel in Afghanistan, represent grave security threats. Leaks from financial institutions may be more difficult to identify, but there is little doubt that at least one employee in at least one bank has chosen to look for some free music on company time.
Many organizations with strong security policies likely have employees who inadvertently share files over peer-to-peer networks, which completely bypass their security infrastructure when the user installs it. Perhaps the most startling aspect of all of these security attacks is that antivirus and anti-malware software is completely ineffective. It is only through attentive and cautious behaviors that users and consumers can protect themselves from these attacks.
I don't have a clear answer for how to solve this problem, but I certainly have a much greater understanding when the IT security team tells me that my USB device must be disabled and I cannot have privileges to install software on my work computer.
Eric Lindeen is the marketing director for Zoot Enterprises.