Security Breach Discussion
Read the following scenario below. Once finished reading, follow the discussion question instructions.
An auditor was hired to determine if he could gain access to the network servers of a printing company that contained important proprietary information. The chief executive officer (CEO) of the printing company boldly proclaimed that breaking into the servers by the auditor would be "next to impossible" because the CEO "guarded his secrets with his life." The auditor was able to gather information about the servers, such as the locations of the servers in different printing plants and their IP addresses, along with employee names and titles, their e-mail addresses, phone numbers, physical addresses, and other information.
The auditor also learned that the CEO had a family member who had battled through cancer and lived. As a result the CEO became involved in cancer fundraising. By viewing the CEO's entry on Facebook, he was also able to determine his favorite restaurant and sports team.
The auditor then called the CEO and impersonated a fundraiser from a cancer charity that the CEO had been involved with before. The auditor said that those individuals who made donations to this year's charity event would be entered into a drawing for prizes, which included tickets to a game played by the CEO's favorite sports team and gift certificates to area restaurants, one of which was the CEO's favorite.
After stoking the interest of the CEO in the fake charity event, the auditor said that he would e-mail him a PDF document that contained more information. When the CEO received the attachment he opened it, and a backdoor was installed on his computer without his knowledge. The auditor was then able to retrieve the company's sensitive material. (When the CEO was later informed of what happened, he called it "unfair"; the auditor responded by saying, "A malicious hacker would not think twice about using that information against you")
Answer These Questions:
- Now pretend that you are an employee of that company and that it is your job to speak with the CEO about the security breach.
- What would you say to him? Why?
- What recommendations would you make for training and awareness for the company?