Page - 246 - in The Future of Software Quality Assurance

246 K. Yorkston regime? Both could be true. Or did you think of that strange phone call that a colleague answered yesterday? Or the last invoice of the thirty that Finance processed in their last payment run? Or the guy who just took your secure waste “fordisposal”?OrdidyouthinkofaworkmatewhoalwaysattachesaUSBdrive to machinesatworkandtakes ithomewith themeachafternoon?Or theofficeworker whoprintedan extracopyof the confidential report to pop into theoutgoingmail? Security isn’t only a bit of software that can be bought, installed and forgotten with theoccasionalupgradethrownin.Security isn’tonly thatsetofpasswordrules we are supposed to follow. Security isn’t only that locked filing cabinet, or a guard and a scan card reader at the front door. It includes all those things, and many, many more. We all need to think about security differently.Every organisationhas thousands of vulnerabilities—weaknesses that could be exploited by a malicious attacker. And, as a malicious attacker, I only need to find one vulnerability to exploit. It could be a helpful staff member holding the door open for a “fellow smoker”, or a person in Finance who believed that last phone call asking them to process“that important invoice”. Itmightbeanopencommsporton theproduction web server, or the unpatched server in the test environment. Or it could be the report listing last week’s customer contacts that is mailed to the sales staff each Monday (including the sales staff who have left the organisation). I mention these becausemycolleaguesandIhaveusedall these techniques(andmanymore) to test organisations.We aresecurity testers. But wait, you say. Don’t testers sit at a desk in an office and write and run tests against software? Yes we do. But we also dress up as delivery drivers or people in the waste disposal industry,or wear suits after making fake companypasses. What good is a fakebadge?Yousay it won’topen thesecuritygates in reception? You’reright—onitsownitwon’t. Itwould takeabout10min tocreatea fakeID card,as theyall tend tohaveaphoto,nameandcompanylogoon them(checkyour badge—am I right?) I have visited organisations and walked into reception purely to see the ID card design. Have a slightly confused look, map in hand, “Could you please tell mehowtoget to [anyaddressnearby]?” Or just wait for staff filingout at lunchtime.Then, into MicrosoftPaint (yes, the big budget hacking tool), print out onto paper, and with some sticky-back plastic over an old card, I now have a freshly made organisation ID card. Of course, it won’tpassclosescrutiny,butwhenwas the last timeanyonecheckedanIDcard?It getsa glanceat best.Next trick,howtoget throughthegate? Carry something.Literally, a big armfulof paper/books/boxes/whatever.As you approach the gate (and the guard casually glances at your freshly made card) you ask, “Couldyoupleaseopen thebarrier forme?I’mlate fora meeting . . .” And theorganisationhasbeenhacked.