All in all, this was a busy two days--yes, two days--though some time was spent sitting around waiting. Generally, all company information was available to us. We didn't have any information that a malicious party couldn't have found independently and with minimal effort.
My team has a great deal of intelligence experience. We didn't focus on accessing computers, but on accessing information. That's really what espionage is about. By focusing on critical information, such as the CEO's account, we got results fast. Computer access was key, but it was only important in that it gave us access to the information. We didn't bother to break into computers for the sake of breaking into computers.
Although some might say we were just lucky, my teams consistently have this level of success in this time frame. Intelligence pros go through years of training so they can rapidly identify and exploit vulnerabilities that give access to critical information. The people who will cause you the most harm are the professional and malicious criminals who want to access your information or cause you damage without being detected. Although these criminals might not get the same results as we did in two days, they have more funding and time than my team was granted.
Ira Winkler, CISSP, is president of the Internet Security Advisors Group and the author of Spies Among Us (Wiley, 2005), which contains additional case studies. Write to him at at [email protected].
Thinking of hiring a convicted criminal to do your penetration testing? Think again.
Some companies knowingly hire convicted computer criminals to uncover security holes, in the hopes of reaping benefits from their expertise. This is a big mistake. As our espionage simulation shows, we gained access to just about all the information inside the company. This included data that could be valuable in a wide variety of crimes, such as industrial espionage and insider trading, as well as data that could cost people their lives, such as the CEO's aircraft tail number and flight itinerary into hostile environments. You must assume that any security assessment will give you similar access. To knowingly provide felons with the opportunity to access this kind of information would be grossly negligent on the part of any security professional or other company executive or employee. In fact, you should insist that your vendors perform background checks or only use people with clearance to do such work. This requirement should be included in your company's requests for proposals and contracts.