TO: Jane Doe, Director Area Office
FROM: Daniel Krupka, Division Manager Support Services
DATE: November 13, 2011
SUBJECT: Unauthorized Access to Confidential Files
It is believed this company is the victim of a deliberate attack from an outside source, with the sole purpose of obtaining access to Confidential Files. On November 11, 2011, a breach of the company's security measures was detected, and several Confidential Files were accessed. An immediate investigation was launched to determine how access was gained.
How Access Was Gained
It has been determined that a combination of Social Engineering and Malware was used to bypass the company's security measures. Through dumpster diving, the perpetrator located files containing client invoices. Posing as a company client, the perpetrator placed a call to the receptionist of the Support Services Division, stating he was trying to send an email to the Supervisor of the Customer Complaints section regarding the upcoming contract renewal and that the email would not go through. The perpetrator stressed the urgency of the email and asked the receptionist to verify that the address was correct. The receptionist confirmed the Supervisor's company email address, ending the call. The perpetrator then sent an email to the Supervisor, posing as a client complaining of an issue with the product list on the company website. The email contained a hyperlink which, upon clicking, redirected the Supervisor to a hijacked site that launched a key logger running in the background of his PC. The key logger collected the Supervisor's keystrokes, including internal email addresses, usernames, and passwords. With this information, the perpetrator sent several emails posing as the Supervisor to other employees, gathering their usernames and passwords. Within twelve hours, the perpetrator had gained access to the Confidential Files.
In retrospect, a review of current security policies and procedures should be conducted. The attached Security Recommendations and Testing Procedures should be implemented immediately. Only by doing so will the company prevent a repeat incident.
Attachments: Security Recommendations; Testing Procedures
Security Recommendations
The security breach on November 11, 2011 has allowed this company to identify some weak points in the current security policies. Below are recommendations on how to remediate the weak points to prevent future attacks.
* Proper Disposal of Company Documents – all company-generated paperwork marked for disposal should be separated from regular trash. The paperwork should then be centrally collected in a secure area. Prior to final disposal, the documents should be cross-cut shredded, then picked up by a contracted organization specializing in the incineration of paperwork.
* Additional Training – all company employees will go through bi-annual Security Training. Training will include a section on Social Engineering, covering why internal company information such as email addresses, internal phone numbers, or employee names must not be released over the phone. In addition, employees should be instructed never to click on Hyper-links in emails.
* Update Security Software – all company computers will be kept current with the latest Anti-Virus/spyware software, and the popup blocker will be enabled.
* Bi-annual Review and Testing – company security procedures will be reviewed bi-annually, tested, and updated if needed.
The previously stated changes will strengthen the current security policies, making the company less vulnerable to attacks and data theft.
Testing Procedures
To test the company's vulnerability to social engineering attacks, bi-annual testing of the company's security procedures will be conducted. The four areas that will be tested are outlined in the Security Recommendations attachment.
* Disposal of Company Documents
To test this procedure, a fake company document will be created for each division and sent to all employees of that division. An email will then be sent asking that the document be disregarded. Over the next two nights, a third-party vendor will search the company trash for any copy of the fake company document. If a document is found, the division responsible will be required to conduct remedial training for all its employees.
* Phone Procedures
Over the period of a week, different receptionists will be called at random from an outside line. They will be asked questions in an attempt to obtain employees' first or last names, email addresses, or phone numbers. The following are sample questions which will be used during the conversation.
“I am trying to send an email to John Doe, but it doesn’t seem to be working. Can you verify the address for me?”
“I am trying to finish this contract paperwork, but have misplaced the paper with John’s last name, can you help me?”
“I just started last week, but can't remember John's extension. Do you know what it is?”
* Email Hyper-Link Procedures
An email will be generated containing a Hyper-Link which, when clicked, will collect the username and IP address of the Host. The following is a sample email which will be used.
“Good Afternoon, I am conducting a company survey as to who will be attending this year’s annual Christmas party. By completing the survey you will be entered into a drawing for exciting door prizes.
Prize 1- $1000
Prize 2- 2 days paid leave
Click here to complete the survey!
Thanks for your support,
John Doe”
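One way to implement the click tracking this test calls for, as an added illustration rather than the company's own tooling: each recipient gets a link carrying their username and an HMAC token, so a click both identifies who clicked and cannot be forged by editing the URL. The roster, campaign secret, and base URL are constructed for the example.

```python
import hmac
import hashlib
from urllib.parse import urlparse, parse_qs

# Constructed test roster (hypothetical usernames) and campaign secret.
ROSTER = {"jdoe": "jdoe@example.com", "asmith": "asmith@example.com"}
SECRET = b"constructed-campaign-secret"


def make_token(username):
    """Per-recipient token; HMAC keeps one employee from guessing another's link."""
    return hmac.new(SECRET, username.encode(), hashlib.sha256).hexdigest()[:16]


def build_link(base_url, username):
    """Survey link embedded behind 'Click here' in the sample email."""
    return f"{base_url}/survey?u={username}&t={make_token(username)}"


def record_click(url, remote_addr, log):
    """Resolve a clicked link back to a username and record the host IP.

    Returns the log entry, or None if the link is unknown or tampered with,
    so stray or forged requests do not count against an employee.
    """
    query = parse_qs(urlparse(url).query)
    user = query.get("u", [None])[0]
    token = query.get("t", [None])[0]
    if user not in ROSTER or token is None:
        return None
    if not hmac.compare_digest(token, make_token(user)):
        return None
    entry = {"username": user, "ip": remote_addr}
    log.append(entry)
    return entry


if __name__ == "__main__":
    clicks = []
    for name in ROSTER:
        print(f"{name}: {build_link('https://training.example.com', name)}")
    # Simulated click from a constructed internal address
    print(record_click(build_link("https://training.example.com", "jdoe"),
                       "10.0.0.5", clicks))
```

The resulting log lists who clicked and from which host, which is the only data the test above needs; no credentials or page content are captured.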
* Updated Security Software
To test this procedure, a third-party tool will be used to scan all systems on the network. The scan will collect security-related information to determine whether each PC is current with its Anti-Virus/spyware software and whether the popup blocker is enabled.