The Biggest Security Vulnerability – People
The role of Security at AEI is to understand, document, predict, and establish security controls for potential vulnerabilities our clients may face. Over the course of two decades, the AEI team has amassed technological, mechanical, and architectural tools that allow AEI to exploit, document, and teach clients how to avoid security vulnerabilities. AEI’s security experts conduct security assessments, which quite often involve penetration testing/red-team exercises with the sole purpose of testing a client’s building security by revealing these vulnerabilities.
This blog post describes the biggest vulnerability to any organization – social engineering. It is the art of manipulating individuals into trust and convincing them to provide confidential information. Social engineering is not new. It is a vulnerability in plain sight that is growing at an exceptional rate. Popularized by information technology scams (phishing and baiting via email), social engineering is tradecraft – used by law enforcement, spies, salesmen, and con artists to build rapport and trust rapidly. If a remote attacker can build rapport and trust via an e-mail, how much more successful would an in-person encounter with a social engineer be?
Social engineering is part of the security testing AEI deploys to rapidly and effortlessly gain access to buildings. There is really nothing particularly exotic about this type of vulnerability, yet organizations do a horrible job of educating employees on how to detect, and ultimately shut down, a social engineering attack. The following is one story from a myriad of narratives in which AEI has successfully compromised building security.
Behind the Scenes: Prepping for a Social Engineering Test
Any security assessment begins with a client identifying the scope of targets they want to protect/test. For this engagement, AEI’s red team was to compromise building perimeter security, gain access to a telecom closet, and finally, gain access to a server area.
A penetration test process begins with reconnaissance, for example Google Street View™, from which we gather information about the target’s hours of operation, entrance points, and vehicle circulation.
Secondly, props: any social engineer in a foreign environment requires social engineering cues to subconsciously disarm people. This could be a polo with a company logo, an ID card, information about employees, a fake bill of lading, or simply a service request ticket. These types of props are easily developed with commercially available services or portable inkjet printers. They provide a believable reason for the social engineer to be present in the foreign environment. The pretext is a crucial factor in building rapport and gaining access to the target property. The social engineer approaches the pretext with arrogance, urgency, excitement, personal gain, or sympathy. Sympathy is the most effective approach – “you catch more flies with honey than vinegar.”
Behind the Scenes: Engagement Phase
On this engagement, the client rides along with the AEI assessor in the car. Inquisitively and eagerly, the client asks, “What tools do you have with you?” The assessor responds, “Some shims,” shows him a series of plastic cards, and notes the client’s dissatisfaction with the reply. After watching one of the building entrances for some time, the client asks, “So, when will you make an attempt?” Looking at the clock and noting the time is 9:30 a.m., the assessor heads over to a local Starbucks and purchases 8 Venti coffees with carriers and an assortment of muffins and pastries. Upon returning to the site, the assessor, wearing a polo with the target company’s logo prominently displayed, approaches a patio with tables and chairs immediately adjacent to the building. Opening a laptop, the assessor connects to a hotspot and browses the company’s social media sites, is immediately presented with pictures from a recent company charity event, and begins to think about possible pretexts.
Approximately 1.5 hours later, a rush of employees comes out of the building. The assessor appears to work studiously and notices a business professional sit down at the same table. The assessor praises the professional’s choice of wristwatch: “beautiful watch, where did you get it?” While building rapport with this individual, the assessor learns where they live, the department they work in, the projects they are working on, and what their spouse does. The assessor learns they love dogs and running, having recently participated in the company’s charity marathon event. Now that a pretext is known, the assessor can launch into the engagement phase once rapport has been built. Rapport is measured by analyzing the person’s tone, vocal intensity, and, most importantly, body language. Once the assessor has rapport, they make simple requests, such as: “So, how did you like the event? What did you like about it? Did you bring your spouse? Did you bring your dog?” These questions lead up to the ultimate goal: a favor.
Emphasizing rapport, establishing physical contact, and gently touching the person’s shoulder is a method of reaffirming praise for their involvement in the charity. Approximately 10 minutes before noon, the phone rings (it is a timer on the phone that sounds like a phone ringer). The assessor answers, “Yes, hello, okay. Mr. Linew, I’ll be right up,” always making sure the person hears the name of the prominent executive, who is well known in the organization.
After the call, the person asks, “Wow, you know Mr. Linew?” “Yes, we’re working on another marathon – raising money for an animal shelter that is having financial difficulties. We are meeting on it in a few minutes.” Concluding the conversation, the assessor stacks the coffee cups, grabs the bags and backpack, and exhibits body language that conveys frustration and clumsiness. While the assessor walks from the patio toward the door into the building, the target rises and says, “Let me help you with that.” He presents his access control card, followed by an audible tone and a click as the door unlocks. Deliberately, the assessor pushes their hip toward the reader, and the door reads an unauthorized access control card issued for the AEI office. The access control reader responds with a tone (for ADA) but no click, which affirms to the target that the assessor has access to the building.
While they walk in, the phone “rings again.” The assessor answers, “Hello, yes Mr. Linew -- sounds good, see you soon,” and keeps talking with the subject as the bag of muffins is placed on an adjoining table; the bystander intuitively follows the action and places the coffee down. Turning back while walking away, the subject says, “Hey, if you need any help with that charity event, I would be willing to help,” and leaves. Taking a Starbucks coffee and leaving the muffins in the pantry area, the assessor seeks out the telecom room and server area, which they find and ultimately access. AEI’s assessor was able to successfully breach and enter not only the building but the main server room, calling the security practices of this company into question.
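The reader behaviour in the story (a valid badge unlocks the door, then a foreign card is read and refused a moment later) leaves a trace in the access-control system’s event log that a security team can alert on. The following Python script is an added example, not AEI’s code or any access-control vendor’s API; the log format, field names, door names and card identifiers are constructed assumptions. It flags a refused read that follows a successful read at the same door within a few seconds, scores a card that is not enrolled at the site as high severity, and lists every door at which a foreign card was refused.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample access-control events (not from the page or any real system).
# Field order is an assumption: timestamp, door, card_id, result.
SAMPLE_LOG = """\
2024-03-04T11:52:10 PATIO-DOOR-1 C-1042 GRANTED
2024-03-04T11:52:12 PATIO-DOOR-1 X-7781 DENIED
2024-03-04T11:53:40 LOBBY-DOOR-2 C-2210 GRANTED
2024-03-04T11:53:45 LOBBY-DOOR-2 C-2210 DENIED
2024-03-04T12:10:05 PATIO-DOOR-1 C-1042 GRANTED
2024-03-04T12:30:00 TELECOM-01 X-7781 DENIED
"""

# Cards issued to this building's staff (constructed). A DENIED read from a card
# outside this set is a foreign card, the situation the story describes.
ENROLLED_CARDS = {"C-1042", "C-2210"}


def parse_log(text: str) -> List[Dict]:
    """Parse whitespace-separated event lines into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, door, card, result = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "door": door,
            "card": card,
            "result": result,
        })
    return sorted(events, key=lambda e: e["ts"])


def find_piggyback_candidates(events: List[Dict], window_seconds: int = 10) -> List[Dict]:
    """Flag a DENIED read that follows a GRANTED read at the same door within the window.

    A foreign card presented right after a colleague's valid badge is the signature
    of the entry described above and is scored high; a known card that fails (a
    double tap, a card not yet active) is reported at low severity for triage.
    """
    window = timedelta(seconds=window_seconds)
    last_granted: Dict[str, Dict] = {}  # door -> most recent GRANTED event
    alerts = []
    for ev in events:
        if ev["result"] == "GRANTED":
            last_granted[ev["door"]] = ev
            continue
        if ev["result"] != "DENIED":
            continue
        prior = last_granted.get(ev["door"])
        if prior is None or ev["ts"] - prior["ts"] > window:
            continue
        foreign = ev["card"] not in ENROLLED_CARDS
        alerts.append({
            "door": ev["door"],
            "granted_card": prior["card"],
            "denied_card": ev["card"],
            "seconds_after_grant": (ev["ts"] - prior["ts"]).total_seconds(),
            "severity": "high" if foreign else "low",
        })
    return alerts


def foreign_card_doors(events: List[Dict]) -> Dict[str, List[str]]:
    """Map each non-enrolled card to the sorted list of doors where it was refused."""
    seen: Dict[str, set] = {}
    for ev in events:
        if ev["result"] == "DENIED" and ev["card"] not in ENROLLED_CARDS:
            seen.setdefault(ev["card"], set()).add(ev["door"])
    return {card: sorted(doors) for card, doors in seen.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in find_piggyback_candidates(evs):
        print(alert)
    print(foreign_card_doors(evs))
```

The window is deliberately short: the refused read in the story happened while the door was still being held open, so a few seconds is enough, and a longer window mostly adds noise from ordinary mis-taps. A high-severity hit is worth a camera review of that door at that timestamp, and the foreign-card door list shows whether the same card later appeared at sensitive rooms.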
Future Implications of Social Engineering
The impact of technology makes the vulnerability of social engineering even greater. Our push for convenience is the biggest risk to a security program. One of the biggest controls against social engineering is the identification (ID) card. It is a physical component that a social engineer must duplicate, which delays the attack process.
However, most organizations struggle to get employees to carry an ID card. Enter mobile credentials and biometrics. The use of these credentials will make social engineering easier and more prominent because their convenience will further diminish security awareness. As information technology awareness programs improve and phishing (a form of remote social engineering) becomes less effective, attackers will look to compromise these assets directly at the building. The best and most cost-effective control against social engineering is a pervasive and aggressive training program intended to highlight the greatest vulnerability to any organization and its assets – people and their susceptibility to hacking.