The Old Spy Game
NACStech attendees hear about low-tech data theft
Published in CSP Daily News
DALLAS -- Hackers and "the bad people" don't have to steal a chain's data, said security consultant Ira Winkler. They just have to ask for it. Winkler, who addressed a crowd of several hundred at the annual NACStech conference this week, said data thieves posing as tech support can often easily manipulate helpful employees into giving out passwords, employee phone numbers and department codes.
As president of Internet Security Advisors Group, Annapolis, Md., he told of how he was able to compromise a major investment bank and a nuclear facility by gaining entry under false pretenses and reading sticky notes posted on people's computers. "There's a science to getting people to betray their country," Winkler said.
He was one of several general session and panel speakers to address attendees during the three-day annual conference and trade show. Topics focused on technology trends in the convenience store industry, ranging from compliance to Payment Card Industry (PCI) standards to business-intelligence software.
During his session, Winkler detailed a few tactics data thieves can use to infiltrate a corporation's systems:
- "Shoulder surfing," or looking over people's shoulders as they type codes into personal identification number (PIN) pads.
- Steal equipment or hardware. This could be the theft of physical computers, the internal hardware or CDs.
- "Dumpster diving," or simply going behind an office to rummage through the garbage. He said in his work he's found employee compensation information, memos about a sexual harassment lawsuit and other sensitive documentation.
- Get a job within the company. Becoming a janitor at a corporation often leads to access.
- Put out a want ad. Winkler told of a company that would put an ad for a new position into the paper and interview people from a competitor's staff. The normal course of questioning would reveal important strategic information on upcoming projects.
"Extremely humbling" was how Ed Freels, CIO for WILCOHESS LLC, Winston-Salem, N.C., described how he felt when his company conducted an internal test for data security on an operational level. Freels, who introduced Winkler to the general-session attendees this past Tuesday, advised retailers to be aware that data thieves don't just operate online, but use human interaction and "decades-old" technology to achieve their goals.
In conclusion, Winkler gave NACStech attendees a few thoughts on how to protect their companies against low-tech intrusion:
- Initiate training to communicate and empower employees to use "common knowledge." While a retailer can assume employees would protect passwords and other sensitive information, often they have to be trained on how to avoid being tricked into giving such data out.
- Develop processes so that important account information and employee numbers are not used on a regular basis.
- Implement call-back procedures that train employees to verify the identity of callers looking for sensitive information.
- Perform a controlled "data attack" against your own company, but consider all angles so "nothing goes wrong."
- Employ technologies that can aid in consistency of execution, such as authorization technologies that continuously change passwords.
Winkler is the author of Corporate Espionage, which describes the challenges of doing business in the digital age. He is the co-author of a new bestseller, Through the Eyes of the Enemy, which details the intelligence aspect of the cold war and the emergence of the Russian mafia as a national security threat. He has also written more than 70 articles and white papers on corporate security issues.
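The call-back procedure Winkler recommends can be made concrete in a help-desk workflow. The following is an added example, not code from the article or from Winkler's firm; it assumes a constructed employee directory of phone numbers on record and models the rule that the help desk calls back the number on file, never the number the caller supplies, and completes the request only after the employee reads back a one-time code delivered to that number.

```python
"""Call-back verification for help-desk requests involving sensitive data.

Added example (not from the article). DIRECTORY is constructed sample data
standing in for the employee directory of record.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed directory of record: employee id -> phone number on file.
DIRECTORY = {
    "E1001": "+1-555-0100",
    "E1002": "+1-555-0101",
}


@dataclass
class Request:
    claimed_employee_id: str
    caller_supplied_number: str   # what the caller says; never trusted for the call-back
    asks_for: str                 # e.g. "password reset", "department code"
    audit: list = field(default_factory=list)


class CallbackVerifier:
    def __init__(self, directory):
        self.directory = directory
        self._pending = {}  # employee id -> one-time code delivered to the number on file

    def start(self, req):
        """Look up the number of record and place the call-back there.

        Returns the number the help desk must dial, or None if the request is rejected.
        """
        number_on_file = self.directory.get(req.claimed_employee_id)
        if number_on_file is None:
            req.audit.append("reject: unknown employee id")
            return None
        if req.caller_supplied_number != number_on_file:
            # A mismatch is not by itself proof of fraud, but it is exactly the
            # signal a pretext call produces, so record it for the security team.
            req.audit.append("alert: caller-supplied number differs from directory")
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[req.claimed_employee_id] = code
        req.audit.append(f"callback placed to number on file {number_on_file}")
        return number_on_file

    def complete(self, req, code_read_back):
        """Approve the request only if the code read back over the call-back matches."""
        expected = self._pending.pop(req.claimed_employee_id, None)
        if expected is None or not hmac.compare_digest(expected, code_read_back):
            req.audit.append("reject: code mismatch or no pending call-back")
            return False
        req.audit.append(f"approved: {req.asks_for}")
        return True


if __name__ == "__main__":
    v = CallbackVerifier(DIRECTORY)
    r = Request("E1001", "+1-555-0999", "password reset")
    print("dial:", v.start(r))
    print("approved:", v.complete(r, v._pending.get("E1001", "")))
    for line in r.audit:
        print(" ", line)
```

The audit list doubles as a detection feed: a run of "alert" entries against different employee ids from the same caller is the pattern a pretext campaign leaves behind, and it is visible only because the control logs mismatches instead of quietly failing.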