The Imposter Scenario
A few years back, Kapil Raina, a security expert at Verisign and coauthor of mCommerce Security: A Beginner's Guide (Osborne McGraw-Hill, 2001), recounted an actual workplace experience with a previous employer that shows how a group of strangers walked into a large shipping firm and walked out with access to the firm's entire corporate network, lock, stock, and barrel.
How did they do it? In the words of Jodie Foster in the film Contact: "Small moves." The strangers obtained small amounts of access, bit by bit, by non-technical means, from a number of different employees in that firm.
First, they needed to know who the players were at the firm, so they researched the company from afar two days before entering the premises. With a simple phone call to the company's HR department, they were able to learn the names of the key employees. Using the information they obtained from HR, they were able to ascertain that the CFO was out of town. That was the opening they needed.
The next day they visited the offices of the firm and acted as if they had lost their key to the front door. Someone standing by the door (not necessarily an employee) let them in. When they approached one of the firm's secure areas, they sheepishly said they had lost their identity badges, smiled, and a friendly employee opened the door for them.
Once in, the intruders made their way to the CFO's office and obtained financial data from his unlocked computer. But they didn't stop there. Once in his office, they rummaged around the area, including digging through his trash pail. This revealed all kinds of useful documents. Adding insult to injury, they asked a janitor for a large garbage pail to place the contents in, and carried all of this data out of the building unopposed.
Once away from the building, the strangers, after studying the CFO's voice, were able to phone into his office, pretending to be him. Acting in a rush, the "CFO" demanded that his assistant give him his network password. Of course, he got it. From there, they used regular technical hacking tools to gain superuser access into the company's network.
Luckily, there's a happy ending to this story. The strangers were network consultants performing an annual security audit for the CFO, without the firm's employees' knowledge.