Information life cycle [CISMP]
Agent Smith 3: Information risk management

In this course, you will discover the structures, policies and practices which provide a basis for developing the organisation’s information security.


Voiceover: Smith is feeling rather smug. This has almost been too easy. They decide to do a little more snooping and see if any other opportunities present themselves. Walking slowly down the rows of desks, they spot someone who seems to be distressed. The employee is on the phone, telling the person on the other end that something is wrong with their laptop. It seems to be glitchy and none of the files will synchronise with the server. Smith waits for their moment to strike and, as their target hangs up, approaches them, introducing themselves as a member of IT. Smith tells the employee that they happened to overhear their conversation while on the way to grab a cup of coffee. The employee is glad to see Smith, letting them know that they work in finance and that their name is Maria. Smith offers to help and Maria accepts. After all, surely only fellow employees would be strolling through the office. Smith strikes rapidly and discovers that the laptop is faulty because it's unpatched. Unlike Tana's laptop, this one is vulnerable. Smith tells Maria that they just need to download the patch and that they'll need 15 minutes to get it sorted. Maria is relieved and gives Smith the space to work. With that, Smith installs a backdoor tool which can allow further exploitation later. They log into a malware delivery site and install a worm, a powerful piece of malware that they can use to infiltrate the system. When Maria returns, Smith is nowhere to be seen. 

Mark: So, this is a social-engineering attack. He's looking for opportunities, he's listening to conversations, and he can hear that there's somebody in distress who needs IT support. So, he's listened to it and he's formulated a way of getting into the situation by adopting the posture of being an IT support engineer. So, when she comes off the phone, he becomes the knight in shining armour and says, 'I'm an IT person. I'm just around. I'm sorting out, probably, someone else's machine. Let me get access to your machine. I can probably fix your issue.' He then gives her some technobabble, which is just, you know, some technical terms and stuff like that, which people don't necessarily understand, but it makes him seem to know what he's talking about, basically. So, she then gives him access, and he says, 'Yeah, go away. I'll be able to sort your problem out.' And while he does that, her machine's obviously still open, which means he's got access to her HR records, so he can see her name, her date of birth and all that type of information. He makes a record of that information, and maybe some other sensitive information comes up on there. He then installs a worm, which obviously can be used to spread across the network, and he probably creates a backdoor which could then be used in an attack later on. And that's what he's done in this scenario.

So, straight away, go back to our training, education and awareness thing. We learn from our training and awareness that not everyone who presents themselves in front of you is who they appear to be. If they haven't got a badge on, then they need to be challenged. This person might not have a badge. They've got access to the systems because they've already got authorised access, but they might not have access. And we could've made a phone call to the IT department to verify this person's identity before allowing him onto the computer. So, challenging him would obviously be the right thing to do, in an ideal situation. We could also block USB devices from being able to install any type of malware onto the system.

This reminds me of an example with my colleagues. So, one of my colleagues, what he did was he made a phone call. So, he was driving around. He made a phone call to the security guard saying there was a problem in the comms room, and he said, 'There's a potential burnout, you know, situation.' So, he came out, and he'd got urgency in his voice, and he says, 'I'm the local engineer. I'm driving around. This is my name, these are my credentials. I am aware. I've been alerted by the system. I'm only 15, 20 minutes away.' So, he's automatically got his foot in the door in terms of an explanation. He then turns up with the security guard, provides some form of credentials to the security guard, the security guard remembers his name and gives him direct access into the comms room, and my colleague removes some equipment and walks away from it. And that was a penetration test, but that's a very good example of that type of activity. So, penetration tests, in this situation, would also be an ideal scenario, to see if we're vulnerable to these types of attacks and how people respond to these types of scenarios. And that's the best way to look at the situation and how to deal with it.

