econintersect.com
       
  




posted on 13 October 2016

Watch Out For Workplace Intruders

from STRATFOR

-- this post authored by Ben West

A series of high-profile computer crimes has grabbed headlines this year. An elaborate CEO email scam netted fraudsters almost $100 million from Bangladesh's central bank in February. In the spring, the Panama Papers leak of stolen electronic files exposed thousands of individual and corporate offshore bank accounts.

The U.S. Democratic National Committee and state election commissions were hit by hackers who intercepted email communications. But a warning from the FBI office in Houston in early October reminded corporate security professionals not to overlook a well-worn tactic: the physical theft of sensitive material by people who intrude into workplaces. Much like the hackers who threaten companies' efforts to keep information secure, the old-fashioned "office creeper" can use a variety of methods to penetrate physical security and gain access to company property and secrets.

A Creeping Threat

On Oct. 4, the FBI issued an appeal to the public for help in investigating intrusions from 2015 into an unnamed international energy firm's Houston offices. The FBI released surveillance footage of the two incidents: one on June 25, the other on Dec. 30. In the June incident, a man wearing a dress shirt, slacks and a baseball cap entered the company's offices at about 3 a.m. through an unlocked security door. He can be seen walking the halls, getting in an elevator and leaving with two bags that he did not possess earlier. The man moves confidently - like an employee familiar with the building, not like a thief. The FBI is concerned that he may have taken sensitive material in a possible case of industrial espionage. (In the second break-in, the culprit is shown trying but failing to enter the company's main office suite and takes a security radio off a desk on his way out.)

It is easy to imagine the value of information that a major energy company would possess. Choice pieces of information could be worth millions of dollars to corporate rivals or foreign governments. Chinese intelligence services in particular have demonstrated an appetite for insider knowledge they could use to benefit state-owned enterprises. Recent revelations of an office intrusion at a renewable energy firm in Edinburgh, Scotland, appear to link an official Chinese state visit in early 2011 with an overnight burglary two months later that netted several thousand dollars' worth of laptops. A Chinese prototype of a wave energy machine similar to the Scottish company's design was released three years later. Authorities have not confirmed that the 2011 break-in was tied to Chinese industrial espionage, but the details surrounding the case suggest that the theft was more strategic than a simple burglary.

In contrast to the Scotland burglary, several factors indicate that the Houston incident was more likely the work of an opportunistic office creeper than a sophisticated spy. Electronic infiltration is the tactic of choice for leading industrial espionage powers such as China and Russia because of the broader access and lower risk it offers. If a human source is needed, foreign intelligence agencies or rival companies tend to recruit a current or recently departed employee to access proprietary information. When a state intelligence service directly engages in physical intrusions, its operatives demonstrate higher degrees of tradecraft (such as the ability to pick locks) than did the Houston suspect. In addition, sending an agent to nose around in the middle of the night is a high-risk/low-reward operation, an unlikely task for a well-trained professional.

Gaining Access

Office creepers are like computer hackers in that they seek access to unauthorized areas they can exploit for their own gain. Some are opportunistic, like the thief in Southern California who, in 2015, targeted offices during lunch hours, entering and stealing electronics when workers were most likely to be away from their desks. If confronted, he would claim that he was lost and ask for directions. Other intruders are more organized. One Ohio thief, Larry Cobb, would wear a homemade ID badge when he targeted offices during the early 2000s. Cobb was caught and sent to prison in 2007, but within a few months of his release in 2013, he returned to his old ways - this time with added sophistication. He recruited others to help him commit systematic fraud using credit cards filched from wallets and purses left unattended in the offices he burgled during regular business hours. Victimized employees rarely confronted him, even though they later said they had a strange feeling about him, and authorities say Cobb was involved in hundreds of office creeper cases over the years.

The most famous of the modern-day office creepers, though, is probably Ameenah Franks, who, like Cobb, served time in the early 2000s for stealing from employees after illegally accessing office spaces. Franks, however, went after much harder targets, including government agencies in Washington; the Federal Reserve Bank of Richmond, Virginia; law firms; and even the offices of the Nuclear Regulatory Commission in Maryland. Franks also returned to office creeping after her sentence was up, was caught and was sentenced again in 2016.

The tactics employed by office creepers and computer hackers often parallel one another. In at least one case, Franks used a stolen security access card to enter secure parts of a building - much as a hacker uses stolen or cracked passwords to access secure computer networks. The man who broke into the Houston firm in 2015 took advantage of a faulty door, like a hacker who exploits a backdoor system vulnerability. But the most common tactic used in both office creeping and hacking seems to be social engineering.

Social engineering is a type of confidence trick. An intruder convinces an authorized worker to give him or her access to an off-limits area. Franks repeatedly used this tactic to gain access to secure government buildings. She flirted with security guards, convinced people that she had left her badge at her desk, chatted up employees outside buildings and then tailed them inside, or stood outside entryways smoking while waiting for someone to open the door. Franks relied on her ability to convince people she was someone who she was not. More extreme versions of social engineering can involve the use of props, such as wearing a hard hat and carrying a clipboard, or carrying a toolbox and ladder, which gives employees a reason to open the door for the imposter.

A Deeper Danger

Many office creepers are simply out to steal personal property. That is just the tip of the iceberg, however, when it comes to the damage an intruder can inflict on a company and its employees. Espionage is a form of surveillance, and all of those familiar with the attack cycle know that pre-operational surveillance is critical to staging a successful attack. Energy companies, for instance, are often targeted by protesters to make a political point. If the protesters gained access to a restricted office building, they would have many opportunities to wreak havoc through sabotage, disruptions or both in a bid to generate adverse publicity. A disgruntled former employee, an extremist with violent motives or a delusional individual could even take lives. In June, police arrested a man carrying firearms and explosive devices on a Google corporate campus. He had attacked the company's offices several times before because he thought Google was spying on him.

Physical infiltration can assist electronic infiltration and vice versa. Much as social engineering operations have been the root of many successful electronic intrusions, hacking groups also can benefit from gaining access to restricted areas to fill in information gaps about a company. In the case of the Bangladesh central bank, for example, investigators said the perpetrators used inside knowledge of the bank's communications and hierarchy to enhance the plausibility of their email scam. The Stuxnet worm, one of the most powerful computer weapons yet deployed, disabled Iranian centrifuges processing nuclear material in 2009-10. It is believed to have been introduced using a USB drive that had to be physically connected to a computer.

There are many reasons for people to enter unauthorized areas, including mundane curiosity. Though mechanical security systems are an important tool for countering intrusions, no system is perfect. Humans can override nearly all automated security measures, ensuring that social engineering will remain a threat to physical and network security alike. Companies can deter office creepers and the threats that they pose by practicing standard facility security measures: enforcing badge policies, restricting access with door codes and timers, and, most important, encouraging employees to confront people who try to follow them into restricted areas.

Confronting a Creeper

In many successful office creeper cases, employees cited the social difficulty of challenging people they do not recognize when working in a large office. More often than not, the stranger following you onto the elevator turns out to be a new employee or a co-worker from a different department. Calling someone out as a potential intruder risks embarrassment and offense, but there is no need for the interaction to be hostile. Regular workplace trainings can create an environment in which security enforcement is normal. For reasons that transcend good security practices, encouraging employees to introduce themselves to fellow workers makes for a better workplace. If you do not recognize the person following you into a restricted area, use the opportunity to meet him or her. If someone is not displaying an ID badge, make it a learning moment and remind the person that wearing badges is required. If the person's story does not check out or if he or she cannot produce the proper credentials, alert a security manager.

General awareness on the part of employees can dramatically improve corporate security and deter the majority of opportunistic office intrusions. Increased awareness of the social engineering threat can deter many electronic intrusion attempts as well. Practicing common-sense security measures will help preserve employees' property, work or, in extreme cases, their lives.

"Watch Out for Workplace Intruders" is republished with permission of Stratfor.


This Web Page by Steven Hansen ---- Copyright 2010 - 2016 Econintersect LLC - all rights reserved