This is just one of the schemes Stickley and his merry band will use. It's all very reminiscent of "Ocean's Eleven" and requires the attacker to be a great liar and cool under pressure. Such attackers always carry an authorization document from someone in authority in case they arouse suspicion, which Stickley insists is not very often. When it does happen, it's because someone was assiduous about following procedure, a trait that often goes unappreciated or even ridiculed in normal circumstances. If you were in charge, would you assign one of your people to follow the exterminator around?

Stickley also engages in the more common remote forms of social engineering of the Kevin Mitnick variety. If you got a call from the development group at headquarters and they asked you, for test purposes, to sign in to the new development Web site at dev-facelessnational.com, would you? You might, and then they'd have your log-in credentials. (It's in cases like this that two-factor authentication is useful, but it's still not universal: a phished password alone is not enough to log in when a second factor is required.) Stickley also will e-mail e-greeting cards to users that attempt to use Windows vulnerabilities to install malware that gives him a backdoor to the system.

Do you want to worry about threats like Stickley every day while you're trying to get your job done? No, and neither do I. But unfortunately human failings are at the heart of most security breaches. In the end, the moral is that it can happen to you. Don't be complacent because you're in a big company that has security policies and even a budget for them. Don't think that because you're in a small company you can fly under the radar. The Internet has made it too easy to attack anyone, and even small banks have money in them.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Check out eWEEK.com for the latest security news, reviews and analysis.
And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.
It's also worth mentioning that large financial institutions like banks usually have internal security groups that do audits to cover situations like this, but I don't think they often get as creative as Trace Security.
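The dev-facelessnational.com pretext above works because the name reads like a development host of the bank when it is in fact a separately registered domain. The following is an added example, not code from the article or from Trace Security, of the check a user (or a mail gateway) would need to make: extract the registrable domain from the URL and compare it with the organisation's own. The organisation domain facelessnational.com, the sample URLs and the tiny public-suffix table are assumptions for illustration.

```python
"""
Added example (not part of the eWEEK article): telling a lookalike domain
from a host inside the organisation's own domain.

"dev.facelessnational.com" would be a host under the bank's domain;
"dev-facelessnational.com" is a different registrable domain that anyone
can register. The organisation domain, the URLs and the suffix table
below are constructed for illustration.
"""
from urllib.parse import urlsplit

# Simplified stand-in for the public suffix list. A real deployment should
# use the full list (for example via the tldextract package), because
# "co.uk"-style suffixes are far more numerous than this.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Return the registrable domain ("example.com") of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    # "www.bank.co.uk" -> "bank.co.uk", not "co.uk"
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_org_site(url: str, org_domain: str) -> bool:
    """True only if the URL's host is org_domain or a host beneath it.

    urlsplit().hostname strips any "user@" prefix, so a URL such as
    https://facelessnational.com@dev-facelessnational.com/ is judged by
    the real host (dev-facelessnational.com), not by the decoy userinfo.
    """
    host = urlsplit(url).hostname or ""
    return registrable_domain(host) == registrable_domain(org_domain)


def classify(url: str, org_domain: str) -> str:
    """Human-readable verdict for a link a user is about to follow."""
    if is_org_site(url, org_domain):
        return "internal"
    return "EXTERNAL: do not enter credentials"


if __name__ == "__main__":
    ORG = "facelessnational.com"  # assumed organisation domain
    # Constructed sample links of the kind a pretext e-mail or call might use.
    samples = [
        "https://dev.facelessnational.com/login",
        "https://dev-facelessnational.com/login",
        "https://facelessnational.com@dev-facelessnational.com/login",
        "https://facelessnational.com.example.net/login",
    ]
    for link in samples:
        print(f"{link:60s} {classify(link, ORG)}")
```

The two-factor remark in the article is the complementary control: the domain check stops the credential from being handed over in the first place, while a second factor limits what a captured password is worth afterwards.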