The latest risk to IT security – smoking

IT contractors browsing the jobs market from now until July shouldn't be surprised if client companies refuse their expertise because they smoke.



Adverts stating the candidate must be a non-smoker may emerge due to security, not because of the incoming smoking ban, nor because of the health risk to the wider workforce.



In fact, nicotine-hungry IT personnel pose more of a security risk than those without the craving, suggests a new empirical research from a UK consultancy.



According to details of the social engineering experiment by NTA Monitor, the security firm placed one of its testers outside a building owned by a large corporate.



Without needing to display a name badge or pass, the tester was able to "easily gain access" into the building through a back door that was left open for smokers, the firm said



Once inside, the tester used the social banter of smokers to help gain directions to a meeting room, amid claims he had been summoned by the IT department.



Without being quizzed about his identity, and despite not having a pass to access the rooms, the tester was granted access – alone, allowing him to connect a laptop to the VoIP network.



"This latest social engineering test has proved that once inside a corporate building, an attacker can use social methods on employees to gain access to restricted areas and information if a rigid staff pass system is not in place," said Roy Hills, technical director at NTA Monitor.



"It used to be that companies 'left the back door open' in terms of internet security. Now they are literally leaving their buildings open to accommodate smokers. We are experiencing a surge in demand for social engineering tests as hackers are turning to social techniques to infiltrate corporate networks."























Feb 20, 2007