When I was a kid growing up I was always enamored with the old cops and robbers movies. I was always amazed at the criminals’ terrible OPSEC even at a young age. I could never fathom how they didn’t get pinched with that striped shirt, mask and bag with the dollar sign on the side. Seemed like the obvious candidate back then.
Times have changed. Thieves don’t stand out as they could literally be anyone these days. Your personal information even has a monetary value in the darker parts of the Internet. Usually we find attackers attempting to steal information from financial institutions or even from healthcare facilities. Wherever they can get the information they need to steal as much money as they can get their hands on.
At the end of last week an interesting spin on this theme caught my eye in the news.
It's believed the suspects installed the devices, which allowed them to gain access to the personal information and data of students at Concordia.
Eight students have filed complaints with police, but investigators believe the number of victims is much higher.
Police say they are looking for two men who are possibly of North African or Middle Eastern descent and are between 20 and 35 years old.
These guys were simply brazen (and showed some ingenuity) in their approach to their data breach. They broke into the systems at Concordia University in Montreal. They installed their key loggers and left. Interesting approach here by collecting data from library systems.
Thankfully some staff at the library were alert and spotted the devices. The curious question that comes to mind is how long has this been going on at Concordia? Or even more to the point, where else has this activity been taking place? I would be curious to see if other universities have discovered similar instances. I don’t think it would be much of a stretch to think that this has taken place in more educational institutions than just this one.
This serves as a great lesson to have a strong monitoring regime in place in your organization. Do you have alerting in place to fire in the event someone inserts a USB device into a server in your datacenter? Do you have access controls in place to alert you as to who is coming and going from your data center?
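As a sketch of the USB alerting asked about above, here is an added example (not from the original article) that scans Linux kernel log lines for USB events and flags two cases: a device that is not on the machine's allowlist, and an allowed device that was unplugged and re-seated on the same port. The sample log, the allowlist and the 120-second window are constructed assumptions.

```python
import re

# Constructed dmesg-style sample (seconds since boot); not data from the incident.
SAMPLE = """\
[    4.120000] usb 1-2: New USB device found, idVendor=413c, idProduct=2113, bcdDevice= 1.08
[    4.130000] usb 1-3: New USB device found, idVendor=046d, idProduct=c077, bcdDevice=72.00
[ 9120.500000] usb 1-2: USB disconnect, device number 2
[ 9131.250000] usb 1-2: New USB device found, idVendor=413c, idProduct=2113, bcdDevice= 1.08
[12044.000000] usb 1-4: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
"""

# Hypothetical allowlist: the keyboard and mouse issued with this workstation.
ALLOWED = {"413c:2113", "046d:c077"}

LINE = re.compile(r"\[\s*(\d+\.\d+)\] usb (\S+): (.*)")
FOUND = re.compile(r"New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")


def usb_alerts(log_text, allowed=ALLOWED, replug_window=120.0):
    """Return (time, port, reason) tuples for USB events worth a human look."""
    alerts = []
    last_disconnect = {}  # port -> time of the most recent disconnect
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, port, msg = float(m.group(1)), m.group(2), m.group(3)
        if msg.startswith("USB disconnect"):
            last_disconnect[port] = ts
            continue
        found = FOUND.match(msg)
        if not found:
            continue
        dev = f"{found.group(1)}:{found.group(2)}"
        if dev not in allowed:
            alerts.append((ts, port, f"unlisted device {dev}"))
        elif port in last_disconnect and ts - last_disconnect[port] <= replug_window:
            # The host may only see the keyboard drop and come back, so the
            # re-seat itself is treated as the signal to go and look.
            gap = ts - last_disconnect[port]
            alerts.append((ts, port, f"{dev} re-plugged after {gap:.0f}s"))
    return alerts


if __name__ == "__main__":
    for alert in usb_alerts(SAMPLE):
        print(alert)
```

The re-plug rule matters on shared machines like the library systems in this story: an inline device that does not announce itself would never trip an allowlist check, so the brief disconnect is the only trace the host records.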
This might seem rather basic on the face of it, but I have seen many instances over the years where companies would have all these great biometric controls, man traps, cameras and the like, but then they would prop open the back door so that the security guard could sneak out for a smoke break.
Another example of this was a law firm that I once did some work for on a contract. They had all manner of security controls for their paper files and an extremely diligent front desk staff. But, again, the door to the emergency stairway was propped open because it was “easier to get to the break room” on the next floor below. That floor had no such controls in place.
Monitoring your network and assessing your physical controls is not something to be taken lightly. Be sure to test your physical security in addition to verifying your network controls whenever you have an assessment conducted. Otherwise, the next time someone with a cake and balloons comes to the gate, they might not be here for Sally’s birthday on the 7th floor.