Password guessing
Today, access to information is almost always controlled by a password. Users, even technical experts and senior staff, frequently use incredibly easy-to-guess words, such as `password,' `holiday,' or even their own name. The use of trivial passwords to secure `service accounts' � highly privileged accounts used by backup programs, network control software and anti-virus tools � is so common that gaining control of an entire network frequently takes take no more than a few minutes.

Plug in a Windows laptop anywhere on the corporate network - this can be in head office, at a branch office or store, anywhere in any trusted third-party premises or perhaps through a dial-up connection. Browse the network using Windows Explorer and you will see all the Windows machines on the network � there is no need to logon or join a domain for this to happen.

Select a server (they are usually named in a obvious fashion) and attempt a `null session' connection. The null session is a standard feature of Windows which enables you to list users, groups, group memberships, etc. without any form of authentication whatsoever. Naturally there is plenty of free software on the Internet which will help you to establish a null session and then interrogate this information.
Now list the users in the Administrators and Domain Admins groups and look for patterns, or rather exceptions to a pattern. Typically, organisations use obvious naming conventions for user accounts, but these are usually ignored where service accounts are concerned. Service accounts are administrator-level accounts used to enable applications to log on to servers and domains - applications such as Backupexec, Arcserve, Tivoli are obvious examples.

Select each of these service accounts in turn and try to guess its password - it's not as hard as you might think. Frequently, network administrators will select something obvious, such as a password the same as the account name! Beware that you don't exceed the account lockout threshold, otherwise even the most harassed admin will guess something is up. If these fail, try those accounts which look like shared administrator accounts or scripted accounts, such as Administrator, Install, AutoInstall or similar. At least fifty percent of the time you will gain Domain Admin access, allowing you create your own administrator account, join the domain legitimately and help yourself to any information on any server.

Impersonation
Social engineering by impersonation is very common. For example, an attacker will call the help desk pretending to be an employee, claim to have forgotten their password and ask the help desk to reset it or give it to them. The help desk will frequently do this without verifying the identity of the caller. Our testing shows that this is a very common scenario � successful at most organisations in all business sectors.
Another technique involves visiting the premises in person. As a bogus employee, visitor or cleaner, it is simple to look for information lying on desks, overhear conversations, plug in a keylogger or even just use a vacant desk & PC. In one case, I was able to gain access through the building's back door, walk around every floor without challenge, read personnel information and customer contracts in unlocked cabinets, steal the contents of post trays and obtain a staff list containing names, job titles, e-mail addresses and phone numbers.

The office cleaner wanders around the IT department emptying bins into a black plastic sack. He bends below each desk to look for stray sandwich wrappers and plastic cups. Whilst he's under the desk, it is a matter of seconds for him to attach a hardware keylogger between keyboard and system unit. These small keyloggers are effectively invisible on the back of the computer, and record every keystroke the IT folk make for the next week. They will capture usernames and passwords, as well as every e-mail and browser entry. Often this will include credit card information from Internet shopping, home address details, bank account details � in fact whatever the individual typed into the computer during that week.

Of course there are plenty of similar opportunities throughout the organisation � the CEO's secretary's PC for instance, or the finance director's. Most organisations are vulnerable to this type of attack and will never know that it has taken place. The truth is that virtually no-one conducts proper staff vetting, and they certainly don't check the cleaner's credentials!

Industrial espionage and organised crime are a real threat, but most surveys show that the more significant risk is from inside the organisation. An employee can often see far more corporate information on the head office network than anyone realises. If hacking were to be defined as "attempting to gain unauthorised access to sensitive information", then most organisations have several hackers on their staff. Disgruntled employees (and ex- employees) present a very serious threat to business through access to critical data and personal information. Suppose an employee, with just a little Internet research, discovers how to read everyone's e- mails or even send mails as if they were the CEO �

Removing and studying the contents of bins marked "For Shredding" or "For Recycling" proves very interesting too, as a source for passwords, network diagrams and personnel information. Shoulder surfing - looking over someone's shoulder to see door entry codes, their password, information on their screen or what they are writing - is also extremely successful. Sometimes the simplest techniques are the most successful and often do not involve any technology at all.

Another successful technique involves using one of the oldest and slowest method of communication � the postal service (snail mail). It is easy and inexpensive to set up a PO box, providing an ideal way to hide and fake a business. Of course snail mail has no content security so there are no technical controls to bypass! People are more likely to respond to a survey they receive in the post, since it appears much more legitimate when printed on paper. If a stamped, addressed envelope included, then there is little effort or cost on their part. Of course, you offer cash or other prizes for completed and returned surveys.

Trojans and Keyloggers
Mail attachments and web links remain very popular amongst criminals, enticing users to click to gain access to something appealing or illicit whilst silently installing Trojan software on their computer. Once installed, this software can capture every keystroke and mouse click, and even take screen shots, then quietly mail everything to the attacker somewhere else in the organisation or even in another country.

Staff using laptops away from the office are a particular threat, since the opportunities for them to be infected with Trojan software, keyloggers and other malware are much greater than within the corporate environment. Where staff are permitted to use a home wireless network to access the Internet or head office networks, attackers may target an individual at home and use the unsecured wireless connection to sniff traffic or plant malicious software.

Despite the publicity over Phishing attacks, people are still vulnerable to spoof e-mails and web sites. In one recent project, we crafted an e-mail with a link to a web page purporting to be a survey on information security hosted by our customer. We used graphics and links from the genuine corporate web site on our own server to ensure the pages looked realistic. Using simple web forms, we harvested user names and passwords, as well as valuable information about the organisation's security procedures and mailed the results to our own e-mail server. No-one noticed that the site was unencrypted, nor that it was hosted on an unrecognised IP address with no DNS name. Until a senior member of staff challenged the e-mail and instructed staff to ignore it, we were receiving mails containing names and passwords from innocent users.

Normal web browsing can also help steal identities. For example, a specially crafted pop-up window on an otherwise innocent web site can reap rich rewards. Staff using the corporate network to browse a web site will often respond to a pop-up box saying "Your connection to the network has been lost � please re-enter your username and password". They continue using their network and the Internet none the wiser, whilst their credentials have been harvested by the website.

Laptops
When members of staff are travelling, unattended laptops can easily be infected without any obvious evidence of intrusion, or data may be stolen and later used to compromise the office network. This can undermine even the best VPN security by simple impersonation. Even when two-factor authentication is used (for example SecurID tokens), access still depends on good staff education. It is not uncommon for an individual to keep their token and their PIN with their laptop, thus undermining a secure system and providing a back door for attackers. Since the type of traffic permitted through a VPN connection is seldom restricted, the attacker can use any tool they wish to compromise the corporate network without even visiting the target office.

The password problem
There's a common thread here of course � the password. Passwords are a hassle for users, with multiple passwords always needing changing. They are highly vulnerable and you can never know if passwords have been stolen until it's too late. Gartner says that 65 percent of all helpdesk calls relate to password problems and that each call costs at least �25. And of course they're a dream for your enemies - whether internal or external, techie or not - passwords are easy to steal by shoulder surfing, social engineering, simple guesswork or by snooping, sniffing, hacking & cracking.

The solutions
Management must understand that all of the money they spend on software patches, security hardware, and audits will be a waste without modifying staff behaviour and their susceptibility to social engineering. So what countermeasures can we implement?

Firstly, policies - one of the advantages of policies is that they remove the responsibility of employees to make judgement calls regarding an attacker's requests. If the requested action is prohibited by policy, the employee has no choice but to deny the attacker's request.

You need to ensure that everyone shreds unwanted phone lists, email lists and other important documents. Some documents will obviously need to be locked away, so you must provide employees with sufficient lockable storage space to enable this. In the end, best practice is to have a clear desk policy which is enforceable and workable.

All staff must use screen savers with password controls and be instructed to lock their PC every time they leave their desk � opportunist access to unattended PCs is very common. Any sensitive information stored on desktops, laptops and PDAs must be encrypted. Smartphones and PDAs should have infrared and Bluetooth disabled by default and the organisation must have a policy restricting their use or the sensitivity of information stored on them.
Wireless LANs must be properly configured and tightly secured, whether in the office or at an employee's home. Sensible guidelines must be issued to all staff regarding the risks of using wireless hotspots and Internet cafes. The organisation must ensure that all remote access is secured using VPNs and that no sensitive traffic, including e-mail, is transmitted anywhere in the clear.

A process and policy should exist to ensure that all hard disks, CDs and other media are physically destroyed rather than recycled or simply thrown away. A recent survey of 100 hard disks purchased on eBay and at car boot sales showed around 40 percent had sensitive data easily recoverable and a further 40 percent had not even been formatted.
Implement strong authentication for all remote users and for all privileged users and accounts. There are many two-factor alternatives to the traditional password, including SecurID, Smart Cards, smart USB keys and even mobile phone SMS texts.

Institute thorough end-user training on secure communications, including what can be discussed over the telephone, what can be discussed outside the building and what can be written in an e-mail. Try not to use e-mail notification or voicemails when away from the office - it sets up the replacement as a target. And most importantly, ensure everyone knows how to report an incident and to whom � most people do not.

Strengthen your helpdesk password reset process. Permit password resets only with call-back and PIN authentication or some other form of cross-verification. Implement incident reporting and response procedures for all help desk staff, together with clear escalation procedures for everyone in the incident chain. Help desk staff should be encouraged to withhold support when a call does not feel right. In other words "just say no �.."

As a politician might say: "Training, training, training." Train all employees - everyone has a role in protecting the organisation and their own jobs. If someone tries to threaten them or confuse them, it should raise a red flag. Train new employees as they start. Give extra security training to security guards, help desk staff, receptionists and telephone operators, all of whom have a vital role to play in blocking identity theft. Make sure you keep the training up to date and relevant.
Address the issue of easy-to-guess passwords. This is the single biggest hole in most organisations' IT security defence. If your organisation is using a Windows network (and most are) and if you have upgraded to Windows 2000, XP or Server 2003, then you can use passphrases rather than passwords. A passphrase of 15 characters or more is easier to remember than a complex 8-character password, yet infinitely more secure. Compare "I would love to own a big red Ferrari" (29 characters and almost unbreakable) with "nUaY6zOs" (8 characters and impossible to memorise, yet easily broken with today's password crackers!).

Finally, have a security assessment test performed and heed the recommendations. Test the company's ability to protect its environment, its ability to detect the attack and its ability to react and repel the attack. Have the first test performed when the company is expecting it, then do a blind test the second time around.
Step-by-step checklist for securing authentication in your firm

Desktop Security

    * Shred old phone lists, email lists and other important documents you no longer need
    * Some documents will need to be locked away � make sure everyone has a lockable drawer or cabinet
    * Basic best practice is to have a clear desk policy

IT Security

    * Use screen savers with password controls and short timeouts
    * Encourage the use of passphrases rather than passwords
    * Encourage the use of password management software to overcome the problem of written passwords
    * Encrypt sensitive information on desktops, laptops and PDAs
    * Secure mobiles and PDAs - switch off infrared, wireless and Bluetooth when not in use.
    * Secure wireless LANs � use the latest security measures and implement VPNs over wireless
    * Physically destroy unused hard disks, CDs and other media

User Guidance

    * Say what can and cannot be discussed over the telephone
    * Say what can and cannot be discussed outside the building
    * Say what can and cannot be written in an e-mail
    * Don't use e-mail notification or voicemails when away from the office. It sets up the replacement as a target.
    * Ensure everyone knows how to report an incident and to whom

Help Desk

    * Permit password resets only with call-back and PIN or cherished information authentication
    * Ensure there are clear incident reporting and response procedures
    * And clear escalation procedures
    * Help desk staff should be encouraged to withhold support when a call does not feel right. In other words "just say no �.."

Training, training, training

    * Train all employees - everyone has a role in protecting the organisation and their own jobs
    * If someone tries to threaten them or confuse them, it should raise a red flag
    * Train new employees as they start
    * Give extra security training to security guards, help desk staff, receptionists, telephone operators
    * Keep the training up to date and relevant

Compliance

    * Have a security assessment test performed and heed the recommendations
    * Test the company's ability to protect its environment, its ability to detect the attack and its ability to react and repel the attack
    * Have the first test performed when the company is expecting it
    * Do a blind test the second time around