One of my favorite stories involves an onsite Red Team Assessment (Social Engineering and Physical Assessment) that started off by exploiting the "daily grind". This particular assessment was a challenge because my co-worker and I were informed of the number of armed security guards onsite and only one entrance with a badge accessible elevator, limiting the floor access to "as needed". Because of this, we used some photo editing skills and a good ole office supply store to create a convincing replica of the badges to enter the building. Since I was the only one going into the building, we just made one fake badge for this assessment. With everything ready to go, I made my way to the company site, ready to see where and to what I could gain access.
On-site Red Team Assessment
With the fake badge on display around my neck, I was able to tailgate behind a line of employees who were entering the main floor. Next was the elevator. Once in line, I noticed that security was making sure EVERYONE badged in. This left me in a tight spot and risked blowing my cover too early in the assessment. At this point, I pretended that I had left something in the car and made my way back out of the building.
I sat in my car for a moment (in the facility's parking garage) and waited. I noticed a catwalk and watched as someone exited the building through a fire escape door and made their way to their vehicle. Bingo! I picked up my laptop bag, made sure my lock picks were within reach and decided to try picking the lock on the fire escape door. No matter how many times lock picking has been successful for me during engagements, I still manage to squint my eyes as the last pin sets and I turn the handle – you'd do it too if you saw a big "EMERGENCY ONLY" sign in front of you! Even though I had just witnessed someone leave through this door, the fear of setting off the alarm was still lingering over my fake badge, button up shirt, dress pants and laptop bag full of picks, tensors and keys. Success! The door opened without the alarm sounding.
Time to go exploring.
I was now inside and had, so far, managed to evade detection. While I observed and explored the place, I of course had to look at the locks on the doors. What did I find? A stairwell with several doors that had equally poor locking mechanisms (for your safety) of course.
I spent an hour or two of making my way up and down the different floors, nodding at my "fellow employees", snooping, taking photos of sensitive data and more. After that, I wanted to get inside the data center. Once I discovered where it was, I realized that the client took the extra step of implementing biometric access control, and there wasn't a single person going in or out while I observed.
What was I to do? They had floor-to-ceiling walls and a door that seemed to laugh at me. A different approach was needed.
After walking around the same floor, I noticed a security guard station with several monitors and a key box behind the desk. A guard and a maintenance employee were taking a coffee break. I went back to the door of the server room, grabbed a clipboard that was hanging beside it, and made my way to the security system installed in front of the guard, interrupting the coffee break:
"Sorry guys, I'll just be a moment. I need to get the serial numbers off of these devices. We are doing an inventory." I gave him the face of, "you know, the grind," shrugged and began writing down anything I saw.
"Not a problem," the guard responded after glancing at my badge. You can take them if you want. They don't work half of the time anyway," the guard chuckled.
"Oh yeah? What do you mean?" I asked, looking genuinely interested...because, well, I was.
"A couple of the PTZs (Pan/Tilt/Zoom) cameras are out, and I can never see anything clear enough because it isn't HD."
"Could you show me? Maybe I could get corporate to put something in the budget for some new systems." I made my way behind him, looking at the monitors. Without hesitation, the guard typed in the default password of '1111' and showed me the security issues of the building, where the cameras were located, which ones worked etc. I felt like I had walked into a candy store, and everything was mine!
After chatting up the guard and maintenance guy, I bid my farewells and stopped. "Oh...I almost forgot." Turning to the maintenance employee, I asked "You're with maintenance, correct?" He nodded.
"Awesome, I was needing to get up with you guys about getting into the server room to get some serial numbers." This was a big risk but, I figured, why not?
"Umm...I don't have access." He replied, looking at the guard.
"Not a problem. I can let you in." The guard sat up from his chair and escorted me to the server room. I thanked him for his help and told him that I could take it from there. At that point, the clerk had just given me free rein in the candy store. It was time to fill a bag with my favorite candy.
So, what do we learn from stories like this?
We learn that people will easily trust you and are willing to take your word for it, as long as you look the part, speak the lingo and can sympathize with the problems we face in a stressful corporate world.
How do companies prevent this?
It is simple: Security Awareness! Security Awareness! Coffee! Security Awareness! Some programs aren't robust enough to really get the point across as to the dangers of social engineering, and they often become routine – just another annoying email sitting in the inbox – waiting for you to complete the annual training, so that you don’t get into trouble if you miss the DEADLINE.
Employees need to understand that security starts with them.
What should this guard have done? What should the guard who just glances at a Letter of Authorization do? Validate. Due-diligence. Always double-check the story, especially when someone is claiming to need access to this or that or doesn't badge in. Understand that it's okay to take a minute to call and verify someone's story and/or credentials. Even if they seem irritated and inconvenienced, (as this is also another popular social engineering tactic), it's better to be safe than sorry.
You don't have to be paranoid, just be aware.