You already knew that your customers’ employees are often a huge security liability. But if you needed any more proof, this week’s Stop and Shop scandal might help to convince you.
In a nutshell, thieves stole account and personal identification numbers from customers’ credit and debit cards at stores in Rhode Island and Massachusetts by tampering with checkout-lane keypads. At some point, these data thieves must have accessed the keypads by entering the building and physically tampering with them, then reinstalling. How could this have happened?
One NetworkWorld story may have the answer (if not to this particular breach, then possibly to others). A penetration tester from NTA Monitor Inc. got into a company’s building by waiting until a group of smokers finished their smoke break, then slipping in behind the last employee. He managed to get upstairs by saying that IT had sent him, and successfully attached his computer to the company’s VoIP network. Scary, I know.
If your customer is relying on employees to sound the intruder alarm — or if there are unsecured entry points into their buildings — all of the firewalls, IDS, VPNs, and monitoring devices you’ve implemented may not help. You CAN make sure you’ve given your customer a fighting chance, however, by checking out the brand new Penetration Testing Project Guide on SearchSecurityChannel.com.
As G.I. Joe used to say, “Knowing is half the battle.” Do your own penetration testing, and then educate, educate, educate your customer. You’ll be their greatest asset.