
Passwords Findings

by msecadm4921

A survey by Infosecurity Europe of 300 office workers and IT professionals has found that nearly two-thirds (64pc) were prepared to give up their passwords in exchange for a bar of chocolate and a smile.

The survey also found that 67pc thought that someone else in their organisation knew their CEO’s password, the most likely candidate being the secretary or PA.

The survey was carried out to find out how easy it was to extract people’s work passwords using social engineering techniques, with literally just the offer of a chocolate bar for taking part in a survey. It was conducted among commuters at London rail stations and also at an IT exhibition for computer professionals, to see how much more security-savvy the professionals were compared with the average worker.

IT succumbed

The survey found that it took a little more probing and a bit more coercion than with the average office worker, but even the IT professionals eventually succumbed to the questions of the attractive researcher, who still managed to extract their passwords in exchange for a smile and a chocolate bar. The researchers asked the delegates if they knew what the most common password is and then asked them what their own password was. Only 22pc of IT professionals revealed their password at this point, compared with 40pc of commuters. If someone refused at first, the researchers would ask whether the password was based on a child, pet, football team, etc, and then suggest potential passwords by guessing the name of the child or team. Using this technique, a further 42pc of IT professionals and 22pc of commuters inadvertently revealed their password, taking the total who revealed their password to 64pc across both groups. What many of the IT professionals failed to realise is that the researchers who conducted the survey at the IT exhibition had also read their names and organisations from their delegate badges.
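The guessing the researchers used (child, pet, football team, then a few obvious variants) is exactly what a password auditor or attacker automates. The following is an added example, not code from the article or from Infosecurity Europe: given a handful of facts an attacker could pick up from small talk or a delegate badge, it generates the variants a guesser would try and checks whether a password, or a leaked unsalted hash of it, falls to them. The names, passwords and mutation rules are constructed for illustration.

```python
"""Added example: why passwords built from a child's, pet's or team's name are
guessable. Generates the variants a social-engineering guesser would try from a
few personal facts and checks a password (or its SHA-256 digest) against them.
All names and passwords here are constructed test data, not survey data."""
import hashlib
import itertools
from typing import Iterable, Iterator, Optional, Set

# Typical "make it a password" mutations. Assumed for illustration; a real
# audit wordlist would be far larger (years of birth, door numbers, etc).
SUFFIXES = ["", "1", "12", "123", "!", "2007", "07"]
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}


def _case_forms(word: str) -> Set[str]:
    """lower, Capitalised and UPPER spellings of a name."""
    return {word.lower(), word.capitalize(), word.upper()}


def _leet(word: str) -> str:
    """Common letter-for-symbol substitution, e.g. arsenal -> @r$3n@l."""
    return "".join(LEET.get(c, c) for c in word.lower())


def candidates(known: Iterable[str]) -> Iterator[str]:
    """Yield guesses derived from personal facts (child, pet, team ...)."""
    seen: Set[str] = set()
    words = [w.strip() for w in known if w.strip()]
    for w in words:
        for base in _case_forms(w) | {_leet(w)}:
            for suffix in SUFFIXES:
                guess = base + suffix
                if guess not in seen:
                    seen.add(guess)
                    yield guess
    # Two facts glued together, e.g. petname + team, is another favourite.
    for a, b in itertools.permutations(words, 2):
        guess = a.lower() + b.lower()
        if guess not in seen:
            seen.add(guess)
            yield guess


def guessable(password: str, known: Iterable[str]) -> Optional[str]:
    """Return the derived guess that equals password, or None if none does."""
    for guess in candidates(known):
        if guess == password:
            return guess
    return None


def sha256_hex(text: str) -> str:
    """Unsalted SHA-256 of a password, as a careless application might store it."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def crack_sha256(digest_hex: str, known: Iterable[str]) -> Optional[str]:
    """Same check against a leaked unsalted hash instead of the plaintext."""
    for guess in candidates(known):
        if sha256_hex(guess) == digest_hex:
            return guess
    return None


if __name__ == "__main__":
    facts = ["Emily", "Rover", "Arsenal"]          # constructed: child, pet, team
    for pw in ["Rover123", "Emily2007", "emilyarsenal", "correct horse battery"]:
        print(f"{pw!r:28} -> {guessable(pw, facts)}")
```

A policy check built on this is cheap to run at password-change time: reject anything `guessable()` finds from the attributes already held in the HR system. The same generator, pointed at a dump of unsalted hashes, shows why "based on my pet" is not a secret.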

No passwords

The survey found that 20pc of organisations no longer use passwords: 5pc use biometric technology and tokens for identity and access management, and a further 15pc use tokens. The average number of passwords used at work was five per person, with some using as many as 20. As for frequency of change, 71pc changed passwords monthly, 10pc rarely and 20pc never, as they used biometrics and tokens instead. Some of the IT professionals said that the real issue was not user passwords but the passwords on servers or buried in applications, which were never changed because the consequence of changing them for the overall company IT system was unknown, and there was a fear that a critical part of the system could crash. Other IT experts said that they often come across servers on which the administrator password has been left blank.

In the know

When asked if they knew any of their colleagues’ passwords, 29pc admitted that they did. A person should never need to give their password to someone claiming to be from the IT department, but 39pc said that they would give their password to someone who called them from the IT department. They would not be quite so trusting if asked by their boss: only 32pc said they would be prepared to give their password if asked. When asked about confidential information, two-thirds said that they would look at a file containing everyone’s salary details if they were sent it by mistake, and 20pc said they would pass it on to colleagues. A third said that they would keep it confidential, with many of them also saying that their IT systems tracked everything they looked at and that passing this type of information on to anyone would mean instant dismissal. When asked if they would take any contacts or competitive information with them when they left their jobs, 58pc said that they would. One senior sales manager said, ‘I left my job last week and took my whole pipeline with me’. Just under half of people used the same password for their corporate access and for all their personal web accounts such as online banking, retailing and email. When asked if they felt safe using online banking, half said that they did, but only a fifth said they felt safe using online retailing; this figure rose to 52pc if the retail site was a well-known, reputable one.

What they say

Sam Jeffers, Event Manager for Infosecurity Europe 2007 the number one event dedicated to information security which takes place at Olympia, London from April 24 to 26, said, “This survey shows that even those in responsible IT positions in large organisations are not as aware as they should be about information security. What is most surprising is that even when the IT professionals became slightly wary about revealing their passwords, they were put at their ease by a smile and a bit of smooth talk. It just goes to show that we still have a long way to go in educating people about security policies and procedures as the person trying to steal data from a company is just as likely to be an attractive young woman acting as a honey trap as a hacker using technology to find a way into a corporate network. The free education programme at Infosecurity Europe covers all the key issues of keeping information secure and there is a keynote dedicated to Identity Management”.

At Infosecurity Europe 2007 Lord Erroll will lead a panel debate on Identity Management examining how to pick the right tools for the job. The panellists will include Toby Stevens, Vice Chairman, BCS Security Forum, Andy Kellett, Senior Research Analyst, Butler Group and Maury Shenk, Partner, Steptoe and Johnson LLP & Head of European Legal Programme SANS. The keynote, which is free to attend for Infosecurity Europe visitors, takes place at 3.15 pm on Tuesday, April 24.

Comment

Andy Kellett, Senior Research Analyst, Butler Group commented on the issue of Identity & Access Management (I&AM) “Today, if there is one justified criticism of the I&AM sector, it is that the complete service-delivery model is too complex for most organisations to handle from a standing start. End-to-end projects that have been put forward to deal with all I&AM control issues have often proved to be unrealistic, and indeed, for some, far too difficult to achieve. Whereas organisations that have taken a more structured and prioritised approach to the I&AM service delivery model, have and do achieve better results in the long run.”

A survey by Infosecurity Europe of 320 companies has found that one quarter (26pc) of organisations do not enforce a wireless security policy.

Further to this, interviews Infosecurity Europe conducted with a panel of 20 Chief Security Officers (CSOs) of large enterprises on the topic revealed that they are concerned about what the future holds for securing pervasive wireless technology. The main concern is not corporate users accessing the corporate wireless network from within their own buildings; the real danger arises when users are out of the office and unwittingly connect to wireless networks that are insecure or even malicious.

No Wireless!

According to Phil Cracknell, President – ISSA UK “The situation right now is that most businesses do not scan their perimeters regularly. This is of course essential if you have a policy of ‘No Wireless!’ to ensure it stays that way. It is equally important to scan for new devices, rogue access points and drifting client cards that might choose to connect to networks nearby for a variety of reasons. One thing is certain, the last six years of wireless development have brought massive change to the way we use computers and the way in which they can be exploited. Experts have said since the start, “This is nothing new, use the same principles to secure the technology,” but looking back I am not sure that’s entirely true. We have seen here, concepts and attacks, the likes of which cannot be paralleled. The same principles would have to be so high level they would not be relevant. We have to innovate and adapt to counter the new wireless threats. Who was it that said, “If you keep doing what you’ve always done you’ll keep getting what you’ve always got?”

Show seminars

At Infosecurity Europe 2007 the subject of wireless security will be covered in a number of keynotes and seminars. Phil Cracknell, UK President, ISSA, will lead a keynote panel on Wireless Security with Andrew Rose, Global Head of IT Risk, Clifford Chance, and John Meakin, Group Head of Information Security, Standard Chartered Bank. The potential wireless threats are numerous: man in the middle, Evil Twin, MAC spoofing, denial of service attacks, rogue access points, honeypot access points, ad hoc networks and mis-configured access points. This session will look at the common pitfalls and the philosophies, policies and procedures that can be implemented to protect the workforce from these threats. The keynote, which is free to attend for Infosecurity Europe visitors, takes place at 1.30pm on Tuesday, April 24. Sam Jeffers, Event Manager for Infosecurity Europe 2007, said, “With nearly every laptop available on the market being wireless enabled, coupled with the demand from users to be able to access the internet anywhere anytime, wireless security is a hot issue. It is encouraging to see that the majority of companies are enforcing a wireless security policy, but for those who are unsure of the why and the how, Infosecurity has the answers with a great line up of top security experts and the most comprehensive gathering of information security solutions in Europe.”
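Phil Cracknell’s point above, that a ‘No Wireless!’ or managed-wireless policy only holds if someone regularly scans the perimeter for rogue access points, and the Evil Twin and rogue access point entries in the keynote’s threat list, reduce to one inventory comparison. The following is an added example, not code from the article, ISSA or Infosecurity Europe: it takes a scan of what is on the air, compares it with a list of authorised access points, and flags an Evil Twin (the corporate SSID broadcast from a BSSID that is not ours) and a rogue access point (an unknown SSID loud enough to be inside the building). The corporate SSID, authorised BSSIDs, signal threshold and scan lines are constructed sample data; the line format is a simplified `bssid,ssid,channel,signal,security` CSV, not any particular scanner’s output.

```python
"""Added example: perimeter wireless audit. Compare a scan against an inventory
of authorised access points and flag evil twins and rogue access points.
Everything below (SSID, BSSIDs, threshold, scan lines) is constructed."""
import csv
from dataclasses import dataclass
from io import StringIO
from typing import Dict, Iterable, List, Set

CORP_SSID = "CorpWiFi"                          # assumed corporate network name
AUTHORISED_BSSIDS: Set[str] = {                 # assumed inventory of managed APs
    "00:11:22:33:44:01",
    "00:11:22:33:44:02",
}
KNOWN_NEIGHBOURS: Set[str] = {"CafeNextDoor"}   # SSIDs already reviewed and accepted
STRONG_SIGNAL_DBM = -65                         # louder than this: probably on our floor

# Constructed scan output in a simplified CSV shape (not a real tool's format).
SAMPLE_SCAN = """\
bssid,ssid,channel,signal,security
00:11:22:33:44:01,CorpWiFi,6,-48,WPA2
00:11:22:33:44:02,CorpWiFi,11,-55,WPA2
DE:AD:BE:EF:00:01,CorpWiFi,6,-40,OPEN
aa:bb:cc:dd:ee:ff,CafeNextDoor,1,-80,WPA2
66:77:88:99:aa:bb,linksys,6,-52,OPEN
"""


@dataclass(frozen=True)
class Finding:
    kind: str       # "evil_twin" or "rogue_ap"
    bssid: str
    ssid: str
    detail: str


def parse_scan(text: str) -> List[Dict[str, str]]:
    """Parse the CSV scan into one dict per observed access point."""
    return list(csv.DictReader(StringIO(text)))


def normalise_mac(mac: str) -> str:
    """Scanners and inventories disagree on case; compare in one form."""
    return mac.strip().lower()


def audit(rows: Iterable[Dict[str, str]],
          corp_ssid: str = CORP_SSID,
          authorised: Set[str] = AUTHORISED_BSSIDS,
          known_neighbours: Set[str] = KNOWN_NEIGHBOURS,
          strong_dbm: int = STRONG_SIGNAL_DBM) -> List[Finding]:
    """Return findings for every AP that the wireless policy should question."""
    authorised_l = {normalise_mac(m) for m in authorised}
    findings: List[Finding] = []
    for row in rows:
        bssid = normalise_mac(row["bssid"])
        ssid = row["ssid"].strip()
        signal = int(row["signal"])
        security = row["security"].strip().upper()

        # Evil twin: our name (case-insensitive), not our hardware. An open
        # network with our SSID is the classic honeypot a roaming client joins.
        if ssid.lower() == corp_ssid.lower():
            if bssid not in authorised_l:
                findings.append(Finding(
                    "evil_twin", bssid, ssid,
                    f"corporate SSID from unknown BSSID ({security}, {signal} dBm)"))
            continue

        # Rogue AP: not ours, not a known neighbour, and too loud to be next door.
        if ssid in known_neighbours:
            continue
        if signal >= strong_dbm:
            findings.append(Finding(
                "rogue_ap", bssid, ssid,
                f"unknown SSID at {signal} dBm ({security}), likely inside the perimeter"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_scan(SAMPLE_SCAN)):
        print(f"{f.kind:10} {f.bssid}  {f.ssid!r:16} {f.detail}")
```

Run against the sample, the open `CorpWiFi` on channel 6 is reported as an Evil Twin and the loud open `linksys` as a rogue access point; the café next door is accepted because it was reviewed once and listed. The threshold is the part that needs tuning per site, and an inventory that is not kept current turns every newly installed corporate AP into a false "twin", which is itself a useful nudge to keep it current.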

About the show

The information security show expects 300 exhibitors and 11,000 visitors. Infosecurity Europe runs at the Grand Hall, Olympia, London.


© 2024 Professional Security Magazine. All rights reserved.
