Friday, May 29, 2009

Protecting your own organization's data = the emperor has no clothes

It's interesting that the White House is advocating new measures to tighten the nation's digital security: http://news.yahoo.com/s/ap/20090529/ap_on_go_pr_wh/us_obama_cyber_struggles

Fact is, most information in corporate America most often walks in and out the door. I did an audit one time of my organization that was very revealing. I challenged a PI firm to attempt to penetrate our premises and to gain as much strategic information as possible. They walked right in, spent a lot of time "mingling" and hanging out in an allegedly very security-conscious workplace environment at P&G. They took and photographed whatever they wanted. They fielded market research. They asked directions, created their own ID cards, attended meetings and presentations. They listened in on conversations of employees on-site and off (public locations like restaurants). Now, given the ease of access to the physical premises, they invited in a world-class hacker to sit in a conference room and ping the system. Our best-in-class outsourced IT security service took 20 hours to figure this out. After a couple of hours he was close to getting through the firewall. Finally I took the video footage from this exercise and played it back with voice-over commentary to the entire organization. Shook them up a bit for a short while. Probably timely to do it again.
