IT Security Sleuths Walk Right In, Walk Right Out . With Confidential Data in Hand

BATON ROUGE, La. – Jim Stickley routinely walks into credit unions disguised as an exterminator or fire marshal and walks out with unencrypted data tapes and other goodies that could easily compromise the CU’s security, reputation and bottom line. Stickley is chief technology officer and vice president of engineering for TraceSecurity (www.tracesecurity.com), a Baton Rouge-based security and compliance software and services company formed in 2003 by the merger of two other IT security firms: Blaze Technologies and PatchPortal. The company’s client list includes government agencies, manufacturers, insurance companies, service industries and more than 375 credit unions, Stickley says. TraceSecurity offers a range of security-related services, including vulnerability assessments, network penetration and online application testing, compliance monitoring and hands-on social engineering forays. The company uses the traditional methods of calling CU representatives and other staffers and trying in different ways to obtain member information such as account numbers and balances, but also goes a step further. “The `Hi, this is Bill. Give me my account information’ approach on the phone is pretty pass’ at this point,” Stickley says. “We dress up and walk in.” Posing as such things as pest exterminators and fire marshals, Stickley says, the visitors from TraceSecurity often find they can easily shake their escorts and gain access to backup tapes, servers and more. “We’ve even put dongles on keyboards where loan applications are entered and come back in a couple of days, retrieved them and had enough confidential information to where if we wanted to do some serious damage, we’re all set,” he says. Of course, their intent is just the opposite. “When we’re done, we go back and give them a full report on what we took and how we took it, and we try to schedule follow-up training with the staff as soon as possible, ideally the next day,” Stickley says. “It has more impact when the guy they saw in the exterminator’s uniform one afternoon sits down with them in a suit the next morning. It’s a big wakeup call.” While not every ruse works every time with everybody, “we’ve never gone to an organization where we weren’t able to compromise one or more branches,” Stickley says. “It comes down to employees wanting to accommodate people. You ask for a cup of coffee, a piece of paper, anything you can to get them to go away for a moment. You also talk to them about their kids, my kids. “I’m not silver-tongued. I just look like a nice, friendly, typical American guy, and I’m in a uniform. That’s usually all it takes.” All tests are ethical and the testers don’t come back and name names, Stickley adds. “We’re not trying to get people in trouble. The mistakes typically are happening across the board anyway, and the real issue is to educate everyone.” The education effort takes place in person and online. Patch, policy and compliance training, including monitoring changes in regulations, all are offered through a single portal and can be pushed out by e-mail to employees who are required to review and mark that they’ve accepted and read them, Stickley says, observing that “that’s a kind of social engineering in itself.” Stickley says the company’s penetration testing methods and software are vendor-agnostic, as well, and stresses that TraceSecurity is not in the business of providing managed services. “You can’t manage someone’s firewall and IDS and all that and then test them yourself. That’d be a major conflict of interest, and we haven’t done it. Not since day one.” -