Compared to the bank, this job should have been harder by several orders of magnitude. But it wasn't.
"I had to get through eight security guards that were in the elevator lobby, not the office lobby, but the elevator lobby," Street explained.
Equipped with a forged email, Street waited until the late afternoon to make his move, the time of day when there was a lot of foot traffic in the lobby.
After striking up a conversation with a security guard, Street eventually started talking with a person who was going up to the target's office. This conversation gave the appearance that Street belonged. To an outsider, in this case the guards operating the checkpoint, it looked as though he was supposed to be accompanying the employee. This brief confusion allowed Street to obtain a security badge that included his name and picture from one of the guards. With that in hand, he was able to access the target's floor.
He moved through the office and installed malware onto the CFO assistant's computer. His actions drew the attention of a network administrator, who confronted Street. The network administrator told Street that he had noticed a spike in network traffic coming from the assistant's computer and had come to investigate the incident.
"I gave him the forged email, that basically says that I'm supposed to be there doing a surprise inspection, because the owner's not happy -- creating all this confusion. He ended up walking me to every single other machine to install the rest of the malware," Street said, adding that the administrator assumed he was supposed to be there, due to the email and the security badge obtained in the lobby.
"The only thing worse than no security, is a false sense of security."
Avoid candy and smiling faces:
As kids, most people are taught about stranger danger, and Street thinks this idea should continue into adult life, especially where information security is concerned.
"Stranger danger isn't just for kids. We should never lose that. Stranger danger in your secured area is just as relevant if you're a child on a playground, or an employee in your workspace. If you don't know who this person is, find out who they are," Street explained.
The key thing that organizations can do to help protect both the company and its employees, he said, is to arm them with information that they can use.
One example is a phone number that can be called to report something suspicious, such as an unusual email, someone walking around out of place, unusual Internet activity, or even something as simple as a business process that's being done differently than it should be. Again, the key is to empower employees and encourage them to call the number. Sure, false positives are certain, but those can be dealt with.