Friday, October 10, 2008

How to pwn a bank

Pretend to be an FDIC auditor. Really:

No one asked for Maynor’s auditor credentials -- they merely assumed he was a federal auditor and let him enter the office. “We saw the panic in their eyes when Dave walked into the bank, because of the banking crisis. They panicked, so we could have asked for anything,” says Robert Graham, CEO of Errata.

“There’s a huge danger of anyone walking into a bank now and saying ‘I’m with the FDIC,’ and then [the employees] panic and won’t check credentials,” Graham says.

The bank had hired Maynor to do a "Penetration Test" to see whether its security was up to scratch. That covered both computer testing (are the bank's computers vulnerable to outside attack?) and testing of security procedures ("Social Engineering": can an outsider talk the staff into letting him in?).

It was the Social Engineering "attack" that surprised everyone. Maybe it shouldn't have been a surprise, what with the market down 20% this week, but that's why you do a test like this.

Oh, and Dave Maynor and Robert Graham are both "White Hat" security guys. This was a straight up test.

Penetration testers who work with bank clients say the fragile state of the banking community is making it easier for them to dupe understandably anxious bank employees. Bank employees are overly eager or easily coerced into cooperating with “auditors,” or into clicking on links purportedly from the bank about its own financial welfare.

This is probably easier to fix than people downloading unwanted software at work. After all, they want to download the software; hard to see how management can "fix" that easily. Here, the employees just want to not get fired. Something like "Hey, if you check whether someone who claims to be an auditor actually is an auditor, we'll make you employee of the month" would probably do the trick. (Checking means calling the agency back on a number the bank already has, not the one on the visitor's business card; the visitor's own number will always confirm the visitor.)

Just sayin'.
