June 15, 2009, 9:55 AM — If you think the biggest threat to your sensitive information lies in network security, think again. Once a criminal is inside a building, there is almost no limit to what that person can access or damage. Take a look at your building's security. How easy is it to get inside?
We spent an afternoon with social engineering expert Chris Nickerson, founder of Lares, a security consultancy based in Colorado, to get an idea of some of the key vulnerabilities a criminal looks for in building security. Lares specializes in what Nickerson calls 'Red Team Testing,' a method that gauges risk in real environments. In other words, he and his team are hired to break into buildings and find out where the security gaps lie (Read Chris' first-hand account of how he does it in Anatomy of a Hack).
Our goal for the day was to choose a building at random and find ways a con artist might be able to get inside the facility and pretend to be an employee. Once someone is inside, posing as a legitimate worker, their potential to steal data, hack a network, or commit some other crime is high. Yet most offices, even the most secure, have holes, said Nickerson.
"One of the big problems with offices is you can get into them because, by design, you have to go to work," said Nickerson.
Of course, security needs will vary from building to building. And security and facility managers have to make their own individual determinations about what kind of safeguards they should put in place. But with Nickerson, we aimed to point out some of the things a social engineering criminal will look for when trying to get into a place they have no right to be.
We headed to a building near CSO headquarters to see what we could find. We chose the building from one of several options in the area that we knew had a secured entrance and that required identification to get inside. Immediately upon walking onto the property, Nickerson pointed out that the first vulnerability is lack of external camera coverage.
"I could be lurker-stalker guy and hang out in the woods, beat someone's badge out of them or steal something," he said. "Or set up cameras to profile the facility, and there are all sorts of really nifty places to hide in."
The next place Nickerson headed was the building's generator. The generator on the property was not caged or protected externally in any way. Nickerson approached the generator and opened it with ease because it was unlocked. In addition to the obvious gap this leaves in a building's business continuity/disaster recovery plan, Nickerson also pointed out how the generator can be used in a social engineering scam.
"It is pretty obvious, now that we see a generator, that there is a data center inside. It's pretty easy to deduce that they have things that have to stay running," he said. "So if we cut the power here, you'll have full corporate denial of service. Everybody freaks out and then you walk in while everybody is freaking out and steal things."
(*Note: Snooping around the generator did catch the attention of the facilities manager at the building we were assessing. A few minutes after Nickerson opened the generator, the facilities manager came out and spoke to us. But according to Nickerson, anticipating questions from authority is just part of any good social engineer's preparation. Read an account of how Nickerson handled our one-on-one confrontation, and how easy it was for him to get what he wanted, here.)
Our tour continued with a check of the back of the building, where Nickerson quickly spotted a smoking section. It was clear the area was used for smoking breaks because there was a standing ashtray filled with used cigarette butts. A common tactic for entering a secured building unseen is to hang out in the smoking area and wait to be let in by an unsuspecting employee.
"A social engineer's best friend is a cigarette," said Nickerson.
A cigarette wasn't even necessary to get into the building at this facility. The back door was unlocked, unguarded and it was very easy to open it and walk into the building.
We didn't go poking around the cars in the parking lot, but Nickerson said opening unlocked cars is part of his Red Team assessment, and also another common social engineering strategy.
"People always leave their cars unlocked and there are always badges and other stuff in there. It's a good place to get in and get all the credentials you need."
Our aim was to find ways a criminal could possibly enter the building and pull off a theft or other kind of security breach. But as Nickerson pointed out, the facility's trash compactor brings the sensitive information outside and more directly into the hands of a thief.
"Because they are compactors, it usually means they hold five times the amount of sensitive and bad stuff because they take forever to get emptied," he said.
A savvy criminal could rent a vehicle that looks like a legitimate business van or car, such as a generic white van, park next to the compactor, and "shovel it in," he said. Some even go as far as to make a decal with a business logo that can be affixed to the side of the vehicle so no one will question why the compactor is being emptied.
Technology makes it easier than ever for someone to pose as someone they are not. It is simple now to go to a copy shop or graphics store and produce a business decal that looks legitimate. However, one of Nickerson's favorite ways to prep for an assignment is at a good, old-fashioned pawn shop. He looks for, and often finds, shirts and uniforms with company logos that can be used in an assessment test.
"You look at the facility and get an idea of what some of the outs are: the sprinkler and lawn care service, the trash service, the internal cleaning services. Try and get a profile of what they look like. Then go thrifting that day looking for things. Fifty to sixty percent of the time I will find them."