
Scott Wright's editorials on a variety of security issues for non-technical business managers and home computer users. Please feel free to comment and help spread the word that managers need to think about their information security risks.


  Scott Wright's Security Views
Blog Entry

Social engineering petri dishes could easily be more secure

Monday, November 24th 2008 @ 6:02 AM

Originally posted - May 9, 2007

On occasion, I am struck with how unaware the management in some industries are of the number of risks they face in everyday situations. Take the hospitality industry. In between client meetings I sometimes look for a quiet, comfortable place to sit and do email or finish some work. Hotel lobbies are one of my favourites. I’m sure many business travellers would agree with me.

Within a 30 minute timeframe the other day in a hotel lobby, I made quick notes on every conversation the hotel staff around me were involved in while I was working. Given that I was sitting within earshot of the front desk, but 30 feet away, there were several revealing tidbits I was able to overhear.

Here are some of the types of information that were easily overheard from across the lobby:

  • The last names and room numbers of several guests checking in, and sometimes their company name or affiliation
  • Customer preferences, such as which room number a named guest must always have when he/she visits (as discussed between staff members)
  • Supplier issues and names of contacts within the supplier and the hotel for certain responsibilities
  • The best and worst employees, as identified by staff and guests
  • Screw-ups in bookings of groups between hotels
  • Hotel facilities and their locations

I’m sure there are many other types of information I could have learned if I stayed longer.

While some of these things are not necessarily considered sensitive information, they make it easy for attackers to put together plausible scenarios that give them access to information and places they shouldn’t have. It struck me that the staff sometimes get so bored, they have nothing else to talk about except guest incidents and how they handled them. While it seems innocent enough, it is a fertile ground for social engineering, data gathering, identity theft.

What could be done? Two things I immediately thought of, but I’m sure there are more:

  1. Segregate the front desk from public seating or waiting areas with sound barriers that make conversations more private.
  2. Train the staff to keep their voices down when discussing business issues in the open areas, on the phone or near other guests.

Let me know if you have any other ideas of ways to better manage this kind of risk in the hospitality industry.


Scott Wright

The Streetwise Security Coach

Join the Streetwise Security Zone at:
http://www.streetwise-security-zone.com/join.html

Phone: 1-613-693-0997
Email: scott@streetwise-security-zone.com
Twitter ID: http://www.twitter.com/streetsec


Copyright 2012. Security Perspectives Inc. All Rights Reserved.