If someone comes to your office dressed in a utility-provider uniform, would you automatically let them in?
In a recent incident reported in U.S. News, an office secretary unknowingly gave some of her law firm’s most private data to a person who appeared to be a legitimate IT professional. The visitor had bought a Comcast Cable polo shirt off eBay and had arrived dressed in khakis with a tool belt. He told the secretary he was there to audit the firm’s cable modem specifications and take pictures of the install for quality assurance.
The secretary had no reason to suspect that the visitor belonged to a now-defunct hacker ring. The group gained access to businesses’ private networks by sending a disguised member into the office to note the configuration details and passwords of the firm’s firewalls and cable modems. In some cases, the intruders went further and set up a VPN backdoor into the network, which they later used to steal data.
How to protect against such surreptitious entry and theft? As they say in the South, be “gracefully suspicious.”
Ask for identification. Ask whom at your company the visitor has spoken with about the work they say they are there to perform. And be sure to follow whatever company policies govern how visitors are admitted to the building, if such policies exist. If they don’t yet exist, make a deliberate effort to define them.
We can help, if needed — but this is a real problem your office needs to address.
Alan Edwards, CISM, is chief information officer at Computerware, Inc., in Vienna, Virginia.