I wrote recently about a bill pending in the Massachusetts legislature relating to data breaches in the payment chain, but I wanted to share some of an interview that didn’t make it into the final piece.
I met John Flory recently at BankWorld, one of The Warren Group’s trade shows. One of the things his company, TAG Solutions, does is ethical hacking. In other words, companies (chiefly financial institutions) hire him and his team to essentially “break in” – and then tell them where the weaknesses are.
“As far as your vulnerabilities and your danger, it hasn’t changed in 10 years,” Flory told me. “Your biggest risk is your people … They don’t know what to do or they want to be nice.”
One technique Flory’s team uses: Somebody will call up the receptionist and say they have a bad phone line and can’t hear well. Half an hour later, another member of his team will show up posing as the phone company and say, “We need to get in and reset your server.”
“Seven times out of 10, the receptionist will let us in,” Flory said. “Social engineering is one of the most effective ways to hack a network.”
This goes back to a recurring theme that seems to crop up whenever I write about security issues: You have to build security into your culture if you want it to work. Flory’s own example shows why: the receptionist needs both a procedure for checking out an unexpected visitor and the backing to refuse one, or being “nice” wins every time.
It’s interesting (at least to me) that for all the phishing, vishing, and smishing (all real terms – Google it) going on out there, sometimes the easiest way for a thief to get in is through the front door.