Peter Cochrane's Blog: So you think you've got security nailed down?

Why security is literally an open-and-shut case...

... - a skip of unwanted IT equipment. Old PCs, laptops, a printer or two, and an old copier. Rather than try to shift these off-site, I took an item at a time to a quiet corner, removed memory cards and hard drives and slipped them into a large buff envelope. All very official-looking.

I left the site just as I had entered, returned to my office and began the forensic investigation. I also planned my next sortie with a different set of objectives in mind.

A few days later I was back but this time with a very large travel bag. My target? Waste bins and waste sacks. The on-site cleaning staff had done a great job for me and I removed two full sacks of paper waste without being detected.

A week later I walked in through the front gates, bypassed reception and made my way to the employee restaurant. Here I had lunch: a starter, main course, pudding and coffee at different tables and within earshot of various groups engaged in conversation. Some of their exchanges were more work-related than others, but all were interesting and revealing to some degree.

My final sortie involved walking around some of the organisation's open-plan offices, picking up what I could by observation and by asking people direct questions. But perhaps most interesting was just travelling on the local train at peak times and looking out for people wearing blue security badges. Sitting near them was all I had to do. They did all the talking.

So my month-long study was completed in three weeks and I was able to start a detailed analysis of what I had gleaned. Those recovered hard drives and memory cards were full of confidential information, including high-level reports and commercially sensitive materials. And that pile of waste paper? It's amazing what people print and then casually throw away.

Needless to say I was now in possession of account details, passwords, project names and references, and team details including individual responsibilities. The list of revelations seemed endless and was growing longer as I digitally probed the company using an established identity and various external communications channels.

Like all projects of this kind, there comes a point where you have done enough. You have sufficient material to make your point, and more revelations may muddy the case rather than strengthen it. So I stopped and prepared my report.

Presenting my findings was not at all easy but at least no single group could be fingered as being solely to blame. Just about everyone in the organisation was implicated, and everyone was at fault to a greater or lesser degree. The other really good news was that I hadn't been engaged by the IT or security departments.

So what was the substance of my wake-up call? All I did was highlight how much money and staffing had been concentrated on firewalls, email, document-control systems, and unnecessary and ineffective efforts to control people's use of technology and applications. While all that was going on, the back door had, quite literally, been left open.