So, another trip down to London on the train and I’m reminded again of why I decided to start blogging this kind of message. Millions of pounds are spent on security yearly by businesses from gateway and “Next Gen” Endpoint technology through to SIEM, IPS and a whole raft of layered security models. But what about the end user? Today was a clear case in point that user awareness and social engineering training is equally important if you don’t want all that work being undone.
So here I am, sitting above my pay grade in first class, making my way down into King’s Cross. We have the usual mix of commuters and tourists, but being first class and this time of day, it’s more the former than the latter. Many of us are sitting here with a laptop or tablet, taking phone calls and adding to the general noise of the morning journey. Imagine my unsurprise when we hear a gentleman on the phone to his IT support department, with a conversation that went a little like this:
“Hi, my name is <Redacted> from <Redacted>. I’m having trouble getting access to my systems through the VPN, I’m on the train.”
Cue me perking up and bringing up his LinkedIn page; it seems he is rather senior in this financial organisation.
“Yes, the username I’m using is <redacted>, I’m still not able to get in. Yes, the IP I’m trying to connect to is <redacted>, I’m using the Cisco client.”
So this is where I start looking around the carriage to see if anybody else is taking this in, with one commuter in particular catching my eye and smirking. During this small conversation we have already obtained his name, company name and position, VPN username and connection IP address.
“Yes, might be my password, are you able to change this for me?”
One thing that stood out here, before the bombshell, was the lack of information after this point: there appeared to be no confirmation of who he was to the person on the other end of the phone in order to facilitate the password change request. I have to concede I’m unsure whether this was somehow done in a manner I couldn’t see; still, it didn’t matter given the next thing he said.
“Sorry, the line is really bad, did you say my password was <redacted>?”
So there we have it: a short phone call from someone desperate to do some work before they reach the station, and a total lack of awareness has led to a potential security breach of quite serious proportions. There are clearly elements here we are still unsure of, for example whether there is 2FA in place, or whether the username is the same for the VPN and his network access, but all in all, this information is something that a malicious attacker could use to great advantage.
User awareness and social engineering training are key factors in a good security strategy; don’t be a <redacted>.