Privacy & Data Security
Apr 27, 2003 6:04 pm
Cleaning Crew -> ID theft??
K. E.V.
I ran a search looking for cases where cleaning crews were responsible for perpetrating identity theft-type crimes. Surprisingly, I found only a couple of instances. Does anyone have any links or references to such info?
Here are the results of my search:
1. Cleaning workers caught on tape
http://www.cleveland.com/sun/news/bj800080.html
2. Using a stolen SSN, a man becomes a cleaning crew supervisor and steals computer equipment (a loss of the confidentiality, integrity and availability of information):
http://www.ssa.gov/oig/investigations/caseofm
3. Case #1: $80K worth of computer equipment stolen by a cleaner.
   Case #2: Employees provide SSNs and other identifying data to open fraudulent credit card and bank accounts.
http://www.ssa.gov/oig/ADOBEPDF/03072000testimony.pdf
4. Cleaners steal financial information from a home and acquire identity.
http://www.identitytheft.org/bankinv.htm
5. Cleaning company turns down an offer to purchase trash (June 2000). The cleaning company's general manager reported the incident.
http://www.landfield.com/isn/mail-archive/2000/Jun/0099.html
http://zdnet.com.com/2100-11-502575.html?legacy=zdnn
I know this wasn't quite what you are looking for. However, it does demonstrate that intruders will go to great lengths to try to obtain sensitive information from trash.
6. I also found an interesting article detailing how a tiger team compromised a site:
http://www.scmagazine.com/scmagazine/2001_11/feature.html
It mentions social engineering the cleaning crew:
Frequently, we find that the cleaning crew has a building Master key. Sometimes they have a Grand Master or even a Great Grand Master, which might open every door in all of the buildings. Usually a little social engineering will convince them to let us borrow the key to certain closets (we're usually after the telecommunications closet/room) for a few minutes. That's all the time that we need.
It is a good example of how the pros break in.
My company implements physical security in the form of keypads at the entrance to all buildings and suites. At times there are individuals that leave confidential info (files, reports, etc.) on their desks and not in locked storage cabinets, etc.
The cleaning crew aren't the only ones you need to worry about. Office space is also frequented by visitors, consultants, vendors, maintenance and fellow employees. The response you'll receive to this would probably be "We don't have to worry about employees". There is an example above of bank employees stealing social security numbers. I suspect it will be easy to find other cases of disgruntled employees on the web. ;-)
The response I consistently get is "of course the documentation is secure - you need a code to get into the building." While this is a reasonable level of security, there are many other ways to get into a "secured building":
* Piggybacking
* Using a valid ID badge
* Doors or windows left ajar - doors may not close automatically. Locks may not engage on their own.
* Social engineering
It is important to stress the concept of layering here. Management is relying on perimeter security (hard on the outside, soft on the inside).
I always argue that cleaning crews have access to all such areas, to which I get the following response: "yeah, but they are all bonded. So we're protected."
The analogy I would use here is the people who boldly walk out in front of oncoming traffic. I suspect they are thinking, "They'll stop. They don't want to deal with the consequences of hitting me." What does that matter if you're dead?
It is easier to institute a clean desk policy than deal with the aftermath of a serious disclosure.
As an aside, there are no guarantees that the company would be able to pin the breach on the cleaning crew. If they did, would the reimbursement be equal to the damages? I doubt it.
Management needs to be serious about security. I suspect that they do not want to champion security initiatives to the user community. In order to do that, they need a good understanding of information security (threats, vulnerabilities and consequences). They also need to believe. Try not to get in the habit of proving obvious specific security needs to them (i.e. clean desk policy). Your time would be better spent educating them about INFOSEC in general. This way, they can speak extemporaneously when challenged by the user community.
It sounds to me like you're where the rubber meets the road. Have you sent e-mail clearly stating the threat and need for a clean desk policy? I've found that people react differently when requests are made in writing. This also gives you the opportunity to clearly make your case. If you've done everything you can to convince them and are turned down, protect yourself by backing up the e-mail exchange to a file (last resort). If an incident occurs, you can protect yourself.