A friend passed this report [pdf] into Information Systems Security from the Western Australian Auditor General.

Key findings:

• Fourteen of the 15 agencies we tested failed to detect, prevent or respond to our hostile scans of their Internet sites. These scans identified numerous vulnerabilities that could be exploited to gain access to their internal networks and information.
• We accessed the internal networks of three agencies without detection, using identified vulnerabilities from our scans. We were then in a position to read, change or delete confidential information and manipulate or shut down systems. We did not test the identified vulnerabilities at the other 12 agencies.
• Eight agencies plugged in and activated the USBs we left lying around. The USBs sent information back to us via the Internet. This type of attack can provide ongoing unauthorised access to an agency network and is extremely difficult to detect once it has been established.
• Failure to take a risk-based approach to identifying and managing cyber threats and to meet or implement good practice guidance and standards for computer security has left all 15 agencies vulnerable:
• Twelve of the 15 agencies had not recognised and addressed cyber threats from the Internet or social engineering techniques in their security policies.
• Nine agencies had not carried out risk assessments to determine their potential exposure to external or internal attacks. Without a risk assessment, agencies will not know their exposure levels and potential impacts on their business.
• Seven agencies did not have incident response plans or procedures for managing cyber threats from the Internet and social engineering.
• Nearly all the agencies we examined had recently paid contractors between $9 000 to $75 000 to conduct penetration tests on their infrastructure. Some agencies were doing these tests up to four times a year. In the absence of a broader assessment of vulnerabilities, penetration tests alone are of limited value, as our testing demonstrated. Further, they are giving agencies a false sense of security about their exposure to cyber threats.

Some serious findings indeed, but it's good to see the Government performing thiese kind of assessments and trying to get some traction on remediation of findings.

Whilst reading the report consider how well your organization would have fared in this type of assessment.

I also found the link for the 2010 report [pdf]  for comparison.

Great little article over at SANS on Social Engineering in Real-World Computer Attacks

Threatpost is reporting the use of the more unusual malware vectors with a pentester sending bogus CDs and letters supposedly from the National Credit Union Administration containing training materials. The CDs, of course, contain malware and the real lesson is not to judge a CD by its cover letter.

There's nothing new about this type of attack vector; its similar to an old case of pentesters who left usb sticks outside their target and watched the employees 'find' the drives and then, as expected, plug them in their computers as soon as they got into the office.

While a well trained staff should have had second thoughts about the latter, the former is much more troubling. How would even a trained security officer know the difference between a 'real' training CD from an official body (or partner company) and a fake?

Many organizations are constantly receiving CDs in the mail, legitimate CDs from partners, regulatory and government bodies or software trials/updates from vendors. Should someone with malicious intent be targeting an institution (or institutions), then slipping this type of trojan-laden CD into the mail probably wouldn't be all that hard. Especially if it was disguised as something the organization was expecting or receives on a regular basis.

The downside of this type of spear-phishing attack is it becomes more difficult to maintain the level of anonymity that the internet can provide once you are passing out physical discs, so although it might have a higher strike rate for the attacker, the risks of being caught are also greatly increased.

I can recall once dealing with a company in the past who had simply removed all the CD drives from their PCs to stop employees bringing in malware. This is something similar to the old 'supergluing the usb ports' trick. While an effective measure, it is somewhat extreme and will more than likely cause more problems than it will solve.

Nonetheless this type of attack is a troubling thought for those tasked with protecting a company's information assets. The only good part is it is unusual and unlikely to happen to you, but might be worthwhile mentioning in your next security awareness course.