Winkler says he was once hired to expose a company's security vulnerabilities but was asked to avoid accessing the CEO's system. However, as he was leaving the executive suite, an assistant asked him, "Why didn't you update Mr. So-and-So's computer?" "There I was, sitting at the CEO's desk at a Fortune 50 company," he says. "I tried to avoid seeing anything sensitive, but I had to pretend I was doing something."

How to stop them: Employee awareness goes a long way. "Most organizations don't even remotely invest in staff awareness," Winkler says. "Most people seem to assume if you're in the building, you must be OK, and that's a presumption that criminals rely on. You need to have standards for what is and isn't appropriate and then reinforce that with a mind-set of challenging people who don't adhere to those parameters."

A second line of defense is to use protective tools such as screensavers with password controls, and to encrypt data and require strong passwords for employees with liberal access rights, such as IT administrators and C-level executives. "Most networks are poorly protected," Wood says. "We see trivial, stupid passwords in every firm we visit. Often, the password is the same as the account name."

Finally, classify information in terms of how valuable it is and store it accordingly, says Wood. Even by applying encryption and password controls to just the accounts of IT administrators and senior staff members, companies could solve 70 percent of the problem, he says. "It would make [accessing information] so much more difficult that it would be a major accomplishment," says Wood.

Posing as a visitor
Another way of infiltrating a corporation is by posing as a legitimate visitor, such as a telephone or electrical maintenance person, a burglar-alarm inspector, or someone from the fire department checking smoke detectors. Wood says he creates convincing costumes by purchasing a fluorescent jacket and work boots and downloading iron-on logos from the Internet. "The whole thing can cost $7," he says, which goes to show how useless physical credentials like business cards are today. Some things he has found while walking around buildings posing as a visitor include customer account details, payroll data disks, a voice-mail guide with default passwords, information about spending on advertising, bank statements, a staff directory, and whiteboards covered with notes about corporate strategy.

How to stop them: The identities of outsiders seeking access to the building must be verified with more than ID cards, Wood says. An employee should ask a visitor to identify his employer, and then the employee should verify the information on the Web and follow up with a phone call to the company to ensure that the visitor is legitimate. "It's tedious but necessary," Wood says.

Persistence pays. Once, when Winkler was posing as a person from corporate who needed a tour of a facility, he was interrupted by a manager who asked why he was being shown around. Winkler gave him a West Coast phone number. "It was 8 a.m. on the East Coast, so by the time he could reach anyone, I was out of the state," he says.

Web applications
Of course, not all spies take the low-tech approach; an increasing number are taking advantage of known insecurities in Web applications, according to a SANS Institute report on the Top 20 Internet security risks of 2007. The report names vulnerable Web applications as the top new risk, enabling Web sites to be poisoned, data stolen, and computers connected to the Web site compromised. In 2008, the report says, Web application attacks will grow substantially.