Privacy & Data Security
Apr 27, 2003 6:04 pm
Cleaning Crew -> ID theft??
K. E.V.
I ran a search looking for cases where cleaning crews were responsible for perpetrating identity theft-type crimes. Surprisingly I found only a couple of instances. Does anyone have any links or references to such info?
Here are the results of my search:
1. Cleaning workers caught on tape
2. Using a stolen SSN, a man becomes a cleaning crew supervisor and
steals computer equipment (a loss of the confidentiality, integrity and
availability of information):
3. Case #1: $80K worth of computer equipment stolen by cleaner
Case #2: Employees provide SSNs and other identifying data to open
fraudulent credit card and bank accounts.
4. Cleaners steal financial information from a home and acquire
5. Cleaning turns down an offer to purchase trash (June 2000). The
cleaning company's general manager reported the incident.
I know this wasn't quite what you are looking for. However, it does
demonstrate that intruders will go to great lengths to try to obtain
sensitive information from trash.
6. I also found an interesting article detailing how a tiger team
compromised a site:
It mentions social engineering the cleaning crew:
Frequently, we find that the cleaning crew has a building Master key.
Sometimes they have a Grand Master or even a Great Grand Master, which
might open every door in all of the buildings. Usually a little social
engineering will convince them to let us borrow the key to certain
closets (we're usually after the telecommunications closet/room) for a
few minutes. That's all the time that we need.
It is a good example of how the pros break in.
My company implements physical security in the
form of keypads at the entrance to all buildings
and suites. At times there are individuals that
leave confidential info (files, reports, etc.)
on their desks and not in locked storage.
The cleaning crew aren't the only ones you need to worry about. Office
space is also frequented by visitors, consultants, vendors, maintenance
and fellow employees. The response you'll receive to this would probably
be "We don't have to worry about employees". There is an example above
of bank employees stealing social security numbers. I suspect it will be
easy to find other cases of disgruntled employees on the web. ;-)
The response I consistently get is "of course the documentation
is secure - you need a code to get into the building." While
this is a reasonable level of security, there are many other ways to
get into a "secured building":
* Using a valid ID badge
* Doors or windows left ajar - doors may not close automatically. Locks
may not engage on their own.
* Social engineering
It is important to stress the concept of layering here. Management is
relying on perimeter security (hard on the outside, soft on the inside).
I always argue that cleaning crews have access to all such areas,
to which I get the following response: "yeah, but they are all
bonded. So we're protected."
The analogy I would use here is the people that boldly walk out in
front of oncoming traffic. I suspect they are thinking, "They'll stop.
They don't want to deal with the consequences of hitting me". What does
that matter if you're dead?
It is easier to institute a clean desk policy than deal with the
aftermath of a serious disclosure.
As an aside, there are no guarantees that the company would be able to
pin the breach on the cleaning crew. If they did, would the
reimbursement be equal to the damages? I doubt it.
Management needs to be serious about security. I suspect that they do
not want to champion security initiatives to the user community. In
order to do that, they need a good understanding of information security
(threats, vulnerabilities and consequences). They also need to believe.
Try not to get in the habit of proving obvious specific security needs
to them (i.e. clean desk policy). Your time would be better spent
educating them about INFOSEC in general. This way, they can speak
extemporaneously when challenged by the user community.
It sounds to me like you're where the rubber meets the road. Have you
sent e-mail clearly stating the threat and need for a clean desk policy?
I've found that people react differently when requests are made in
writing. This also gives you the opportunity to clearly make your case.
If you've done everything you can to convince them and are turned down,
protect yourself by backing up the e-mail exchange to a file (last
resort). If an incident occurs, you can protect yourself.