Wednesday, 25 February 2009

Process hacking

When people I know start talking about 'hacking' in the original meaning of the word [making things happen by means that it was not designed for], we most of the time stick to some technical mumbo jumbo, as the boss likes to call it.

That is something our whole industry likes to do. Did and does. No matter how many times we get bitten in the arse by people doing things wrong, we like to forget about the art of social engineering, simply because it is too difficult to do something about and because it does not sell boxes that smell nice because they are new.

I have spent quite some time working for|in|with large organizations and these are the places where social engineering works best. Employees do not know each other, low-ranking employees have been given a bollocking by their 'superiors' for sticking to the rules, etc.

The bigger the organization, the larger the piles of documentation with rules and exceptions. Fertile ground for those who want to get things done, their way :P

Getting access to buildings is easy, especially with the no-smoking-inside rule. Every company has a percentage of people who are addicted and these people -will- find ways to get out & in without too much hassle. Be it the emergency exit, be it a rooftop, but like water: they will find a way.

A novel trick I found lately, used by some of the smokers who used to leave via the front door but were called into the manager's office after he'd seen the in-out timetable, is getting a visitor's pass for walking in & out unregistered. Smart. Of course I had to try to see how difficult it was to get one of those: frighteningly simple. Since so many had explained the situation to the security people, showing a packet of cigarettes was enough to trigger the knee-jerk reaction of handing out a temporary access badge.

The same happens with the ordering process. Since all has been 'centralized' and 'standardized' it might take up to 6 months to get an order through [correct, this is a very bad and rare example]. Because the supplier knows and has been trained to deliver orders before the paperwork is 'completed', it is trivially simple to get any kind of hard & software shipped without passing the regular process. Most of the time the supplier will get his formalized order some time later, but when he doesn't he just faxes the delivery notification to the ordering department and, since they are used to things going wrong, they will send him a pro forma so he will be able to bill.

More of the same goes for changes to infrastructure. All self-respecting organizations have CABs [Change Advisory Boards], where as we all know the most anal & inexperienced people waste their time, and which take forever to approve the most basic changes but will happily waive changes with impact beyond the minimal description. This is how 'the insiders' get things done: their old and trusted social network.

In the role of PM or as auditor I do the same. I spend a large part of my time sitting on desks, hanging around the coffee machine, lunching with [key-] people from the departments that actually do things. By constant name-dropping and referring to 'john from RM', by reinforcing the well-known fact that the official processes 'do not work' and 'the last reorganization undid the one before', and by confirming that 'the management' costs & wastes money, I get my rules, my connections, my targets met and implemented.

So if you get all excited when you find company xyz is still running that well-known bugged version of the Internet-facing software, remember that I get the same happy feelings when I see people with ties and temporary badges :P

EDIT: Found people who actually give classes http://secinmotion.blogspot.com looks good.
