… the whole world looks like a nail. I think this is especially true in the world of Security Assessment firms. Where we have the greatest expertise, we recognize the greatest risk and either explicitly or implicitly we communicate those risks to our clients. Over the last few years we have been working hard to broaden our skill-set (e.g., networking, application development, system administration, databases) to encompass as many areas of expertise as possible so that we are not guilty of spending all of our time looking for “nails” (the vulnerabilities we know how to recognize/exploit (as opposed to those that put them at the most risk)). A recent engagement was really eye opening and re-enforced to me how much of information security risk is non-technical in nature.
During a broad security assessment for a client in the governmental sector, we were asked to assess the physical security of three buildings, two of which would be considered high security. Physical Security and Social Engineering are two areas that our skill set is rapidly growing in – but I would not yet consider it one of our core practice areas. This is due to, in large part, the fact that the vast majority of our customers either do not consider it enough of a risk to check OR acknowledge that it is a problem. Subsequently, they believe testing its efficacy does not make sense to them. I have rarely argued this point with a client, however, that is about to change.
Based on our initial reconnaissance of the client’s site I thought we had a pretty good chance of getting into the building that was not highly secured. Entry through the front door was not likely, as you needed to be “buzzed” through two doors by a security guard, with the second requiring you to be badged and escorted. However, there was a smoker’s door on one side of the building, and a back door that was used by employees as a primary entrance if they were leaving or returning from another building on the campus. The last three doors mentioned were all monitored by video cameras, but based on previous experiences; we felt that we could create a fake employee badge of sufficient quality that a “tailgating” attack would be successful. As expected, a tailgating attack against the backdoor was successful (after a few clumsy attempts). Once inside, one of our social engineers gained access to sensitive data via empty cubicles, unlocked computers, unsecured BlackBerry’s, and network printers/copiers.
Where the testing got interesting was the attempts on the second building. This building also had a security guard at the front door and it had a side door that was used as an emergency exit. The first floor of the building was considered a “secure” area while the second floor, which housed the organization’s “command center”, was considered “highly secure.” During our preliminary reconnaissance we had noted a construction crew renovating a bathroom area. Slipping into a nearby phone booth one of our social engineers emerged as an appropriately badged township building inspector – complete with inspection paperwork, digital camera, and flashlight. The other social engineer, having already penetrated the first building with his fake badge, acted as the inspectors “escort” which we had learned was their policy.
As a construction worker emerged from the side door pushing a wheelbarrow full of debris – – the tandem entered through the door and into the construction area. After briefly “inspecting” the construction area – they slipped through a second door and into the “secured” first floor area. The “inspector” continued his inspection while his escort “cubicle surfed” his way to a wealth of sensitive data.
However, our goal was to gain access to the second floor. It became apparent that the only way to the second floor was to enter through the lobby that we had bypassed to get into the building. The lobby housed a staircase and elevator to the second floor, however both were key card secured and physically observed by the security guard. Needless to say they were concerned that the guard would realize that neither this “inspector” nor this “employee” entered through the front door of the facility. Not to worry – the guard was more interested in Google News than our social engineers. However, as they did not have a key card to open the stairwell or elevator – they were out of options. As they stalled by feigning note-taking, someone exited through the elevator. Neither the guard nor the employee noticed as they slid into the elevator and upstairs into the control center. The control center was “abuzz” with an issue – so our team was barely noted as they slipped into offices, conference rooms, and observed critical systems in the command and control area. After documenting the access with the camera in their iPhones – the team left via the elevator with a wave to the security guard. Could we go three for three?
The third building was a very secure underground data center. We had only been able to perform very limited reconnaissance of the building due to the high level of security/observation associated with it. On two previous walk bys we had only noted a single entrance which was key carded, man-trapped, and was directly observed by at least three security guards (hidden behind darkened glass). The entrance was also monitored by at least one video camera and we had been warned that the entrance was protected by a tailgating sensor. Lacking any “viable” avenue of attack we were reduced to trying a basic tailgating attack with the expectation of being immediately caught by a guard, the tailgating detector, an alert employee, or some combination of the three.
We took a break on a bench where we could observe the parking lot and building entrance. When an employee emerged from his car, pizza in hand, and headed towards the data center – our social engineers timed their arrival at the data center door to coincide with his. Concentrating more on keeping his lunch upright, than in complying with the organizations anti-tailgating policies, our team was able to tailgate him through the first two doors. The anti-tailgating device triggered, but to our surprise, the security guards did not appear to notice. The initial sense of accomplishment quickly dimmed as they did not reach the next door in time to catch it before it closed. They now found themselves in a short hallway with only two cardkey secured doors that would yield further access. Worse, they were in full view of the security guards separated by a few inches of bullet-proof glass. Pausing to make a phone call was the only stalling option. It paid dividends as a maintenance worker emerged from the key carded stairwell and held the door as they slithered down the stairs.
Two full flights of stairs later we were on the data center level which was further divided into four secured areas, all requiring card key and biometric (handprint) authentication. The level was also fully covered by security cameras so our “inspection” continued as we tried to determine our next line of attack. As a worker emerged from one of the biometric enabled doors he cast a wary eye at us and pushed the door closed behind him. After 10 full minutes, and several more wary employees’ stares, we assumed we were running out of time before security came calling. Emboldened, we rang the video enabled buzzer at one of the doors and were challenged by the person, not visible to us, on the other end of the line.
Our “employee” held his badge to the camera and explained his need for access, which related to the build out of another secure data center in a remote area in the Rocky Mountains. He was at the main facility to see how they “did things” here so they could do the same there. The conversation was peppered with enough names we had gathered via other reconnaissance activities (including an org chart we had photocopied in the “command center”) and supposed “confidential” knowledge of the Rocky Mountain data center (we had overheard that tidbit at the local Starbucks) that we sounded legitimate. The last hurdle was the inspector. Our “employee” explained that although the inspector was a local inspector, he was also certified in the building codes for the Rocky Mountains as he previously lived there. After a slight pause, the door buzzed and we were in the data center. As per the rules of our engagement … we placed a business card on handle of one of the server racks and immediately exited the facility.
Suddenly I have a different hammer in my tool belt – and the entire world is a new type of nail. If we can gain access to two highly secured facilities in a single day, what is the likelihood that the security that we find in corporate America or local government facilities is sufficient to deter a determined individual? Once inside the perimeter of a building – the millions of dollars spent on information security is quickly bypassed by simple “non-technical” measures. Stealing a laptop or using a physical keystroke logger doesn’t require much mental horsepower.
So the next time we sit down to plan a security assessment together – you will have to forgive me for arguing a bit when you tell me that physical security and social engineering are out of scope.