When Security Gets Physical
Our security specialist Neil Gibb walks us through a typical day on his job undercover and shares sage advice for shoring up your defences.
The Rise in Physical Social Engineering Attacks
Over recent years, I’ve witnessed a shift in attack types, from digital-based crimes to the targeting of an organisation’s physical boundaries – typically via employees themselves.
A physical social engineering assessment is a branch of penetration testing and red teaming. In a nutshell, it’s a way of testing your bricks-and-mortar defences. In my last blog – The Danger Within: Why the Best Security is More Than Your IT – I listed some of the common tactics criminals deploy to breach business premises. For example, by:
- impersonating someone with a legitimate purpose, e.g. to repair a printer
- cloning an access card
- tailgating – getting up close and personal by following someone through a security door
The service is in high demand by financial organisations, but other sectors are cottoning on to its worth. While the lessons learned can be sobering, hearing from ethical hackers about loopholes in your security doesn't come close to the pain of an actual breach.
My Mission, Should I Choose to Accept it
Late in 2018, a finance company approached us to conduct a physical social engineering assessment. They had invested in various security measures (at no small cost) and wanted to test their effectiveness. For obvious reasons, I can’t compromise our client’s confidentiality, but they’re a high-street name. The stages of the exercise were:
- Build knowledge of the target organisation using Open Source Intelligence (OSINT), which involves garnering information freely available on the internet. It’s done in two ways: automated tools and good old-fashioned detective work. You’d be surprised at some of the sensitive information anyone with an enquiring mind can find within minutes!
- Active reconnaissance - a term borrowed from the military. It’s a way of testing an organisation’s defences before going on to exploit them. In the context of physical security, this could be observing how people come and go from the building or identifying doors left ajar in summer or for smokers.
- Develop an appropriate social engineering attack scenario based on the intelligence gathered. In this case, an event hosted by the company at their HQ presented a viable opportunity.
- Deploy the attack scenario to gain entry to the target organisation.
- Following successful access to the premises, identify other opportunities to compromise the target’s security. For example:
  - unlocked offices, server rooms and filing cabinets
  - information on desks – files and passwords on post-it notes (yes – it still happens!)
  - leaving a backdoor, facilitating permanent remote access to the target’s network.
What Happened Next…
The company was hosting an event for potential clients at their HQ. Using a false email address and purporting to belong to a legitimate company, I was able to secure an invitation. I also set up a fake LinkedIn account to back up my bogus identity.
Suitably suited and booted, I attended the event, held in an area of the HQ sectioned off from sensitive business areas. Security personnel were posted at every possible ingress point, guarding against unauthorised access.
Assuming an authoritative air, I bluffed my way past one of the security team by telling them I had a meeting with someone. Thanks to earlier research, I named a senior person who I knew to be in the building. Having breached the sensitive areas, I removed my jacket and switched my visitor’s lanyard for a fake staff ID pass, copied from pictures taken during my initial reconnaissance. I proceeded to tailgate my way through other controlled entrances. Someone even politely held a door open for me.
Had I been a bad guy, I would have enjoyed rich pickings. Confidential information was lying on unattended desks. Workstations were left logged on as people fetched coffee. Using a USB stick, I was able to copy details and download files in seconds. I kept my mobile phone to my ear the entire time, having now assumed the persona of a member of IT busy sorting out a problem with a colleague.
At no point did anyone challenge me. Job done - lots to report to the client. I want to be clear that I take no perverse satisfaction in catching anyone out. That’s not the point of the exercise. Had I been summarily ejected onto the street, I would still have achieved my objective: namely, I would be able to tell the organisation about the effectiveness of their security.
Like many financial institutions, the client had put considerable effort and expense into the security of their building: in this case, RFID-controlled barriers at all entrances, security guards and CCTV. Most of their internal doors lock automatically on closing and open with ID cards.
In common with most organisations, the flaw in the target’s defences wasn’t because of failings in their physical security architecture. Instead, it came down to employees who are untrained, complacent or don’t care.
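The failure described above is that people pass through controlled doors without the access-control system ever seeing a badge read for them, whether by tailgating or by a door being held open. One technical control that surfaces this after the fact is an anti-passback check over the badge-reader log: any badge that opens an interior door without a recent read at a perimeter barrier either entered without badging or is a copy being used inside. The Python below is an added example, not code from this post or from the client's access-control system; the log format, reader names and timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of badge-reader events (not real client data).
# One event per line: timestamp, badge id, reader name, result.
SAMPLE_LOG = """\
2018-11-14T08:02:10 B1001 LOBBY_BARRIER GRANTED
2018-11-14T08:02:41 B1001 FLOOR3_DOOR GRANTED
2018-11-14T08:15:03 B2042 FLOOR3_DOOR GRANTED
2018-11-14T08:16:20 B2042 SERVER_ROOM GRANTED
2018-11-14T09:40:55 B3310 LOBBY_BARRIER GRANTED
2018-11-14T09:41:30 B3310 FLOOR3_DOOR DENIED
2018-11-14T12:05:00 B1001 LOBBY_BARRIER GRANTED
"""

# Assumed reader names: the readers that sit on the building perimeter.
PERIMETER_READERS = {"LOBBY_BARRIER"}


@dataclass
class Event:
    ts: datetime
    badge: str
    reader: str
    result: str


def parse_log(text: str) -> list[Event]:
    """Parse the whitespace-separated constructed log format into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, reader, result = line.split()
        events.append(Event(datetime.fromisoformat(ts), badge, reader, result))
    return events


def find_passback_gaps(events: list[Event],
                       window: timedelta = timedelta(hours=12)) -> list[Event]:
    """Anti-passback check: return every GRANTED read at an interior reader
    whose badge has no GRANTED perimeter read within the preceding window.

    Each such read means the badge holder got inside without badging at the
    barrier (tailgating, a held door) or the badge is a copy used only inside.
    DENIED reads are ignored here; they belong to a separate brute-force check.
    """
    last_perimeter: dict[str, datetime] = {}
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.result != "GRANTED":
            continue
        if ev.reader in PERIMETER_READERS:
            last_perimeter[ev.badge] = ev.ts
            continue
        seen = last_perimeter.get(ev.badge)
        if seen is None or ev.ts - seen > window:
            findings.append(ev)
    return findings


def flagged_badges(text: str = SAMPLE_LOG) -> list[str]:
    """Convenience wrapper: badge ids of every flagged interior read, in order."""
    return [ev.badge for ev in find_passback_gaps(parse_log(text))]


if __name__ == "__main__":
    for ev in find_passback_gaps(parse_log(SAMPLE_LOG)):
        print(f"{ev.ts.isoformat()} badge {ev.badge} opened {ev.reader} "
              f"with no perimeter read in the last 12h")
```

On the constructed sample, B1001 and B3310 badge through the lobby barrier before any interior read, while B2042 first appears at an interior door and is flagged for both of its reads. In practice the window should be tuned to the site's working day, and the same log can be cross-checked against CCTV or door-held-open alarms to separate tailgating from a propped door.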
Human vulnerability is a significant problem across all industries. It requires a continuous approach and regular remediation to stay ahead of criminals, who are only too ready to profit from the smallest gaps in your security posture.
The hard truth is that this scenario, had it been a real-world attack, could have been catastrophic for the company. Think of the potential losses: reputational, financial (through theft or fines by the regulator), operational downtime, breach of customer trust. It’s also easily avoided, which is why I’d like to wrap up on a positive note. Companies are typically caught out by basic things. A robust staff training programme will eliminate many of your risks. Regular physical social engineering assessments will help you to measure your progress and ensure you stay on track.