Social Engineering: 5 Security Holes at the Office

Once a criminal is inside a building, there are limitless possibilities to what that person can access or damage.

If you think the biggest threat to your sensitive information lies in network security, think again. Once a criminal is inside a building, there are limitless possibilities to what that person can access or damage. Take a look at your building's security. How easy is it to get inside?

We spent an afternoon with social engineering expert Chris Nickerson, founder of Lares, a security consultancy based in Colorado, to get an idea of some of the key vulnerabilities a criminal looks for in building security. Lares specializes in what Nickerson calls "Red Team Testing," a method that gauges risk in real environments. In other words, he and his team are hired to break into buildings and find out where the security gaps lie. (Read Chris' first-hand account of how he does it in Anatomy of a Hack.)

Our goal for the day was to choose a building at random and find ways a con artist might be able to get inside the facility and pretend to be an employee. Once someone is inside, posing as a legitimate worker, their potential to steal data, hack a network, or commit some other crime is high. Yet most offices, even the most secure, have holes, said Nickerson.

"One of the big problems with offices is you can get into them because, by design, you have to go to work," said Nickerson.

Of course, security needs will vary from building to building, and security and facility managers have to make their own determinations about what kind of safeguards they should put in place. But with Nickerson, we aimed to point out some of the things a social engineering criminal will look for when trying to get into some place they have no right to be.

First Impressions

We headed to a building near CSO headquarters to see what we could find. We chose the building from one of several options in the area that we knew had a secured entrance and that required identification to get inside. Immediately upon walking onto the property, Nickerson pointed out that the first vulnerability is lack of external camera coverage.

"I could be lurker-stalker guy and hang out in woods, beat someone's badge out of them or steal something," he said. "Or set up cameras to profile the facility, and there are all sorts of really nifty places to hide in."

Power Supply

The next place Nickerson headed was the building's generator. The generator on the property was not caged or protected externally in any way. Nickerson approached the generator and opened it with ease because it was unlocked. In addition to the obvious gap this leaves in a building's business continuity/disaster recovery plan, Nickerson also pointed out how the generator can be used in a social engineering scam.

"It is pretty obvious, now that we see a generator, that there is a data center inside. It's pretty easy to deduce that they have things that have to stay running," he said. "So if we cut the power here, you'll have full corporate denial of service. Everybody freaks out and then you walk in while everybody is freaking out and steal things."

(*Note: Snooping around the generator did catch the attention of the facilities manager at the building we were assessing. A few minutes after Nickerson opened the generator, the facilities manager came out and spoke to us. But according to Nickerson, anticipating questions from authority is just part of any good social engineer's preparation.)

Entryways

Our tour continued with a check of the back of the building, where Nickerson quickly spotted a smoking section. It was clear the area was used for smoking breaks because there was a standing ashtray filled with used cigarette butts. A common tactic for entering a secured building unseen is to hang out in the smoking area and wait to be let in by an unsuspecting employee.

"A social engineer's best friend is a cigarette," said Nickerson.

A cigarette wasn't even necessary to get into the building at this facility. The back door was unlocked and unguarded, and it was very easy to open it and walk into the building.

Parking Lots

We didn't go poking around the cars in the parking lot, but Nickerson said opening unlocked cars is part of his Red Team assessment, and also another common social engineering strategy.

"People always leave their cars unlocked and there are always badges and other stuff in there. It's a good place to get in and get all the credentials you need."

Trash Compactor

Our aim was to find ways a criminal could possibly enter the building and pull off a theft or other kind of security breach. But as Nickerson pointed out, the facility's trash compactor brings the sensitive information outside and more directly into the hands of a thief.

"Because they are compactors, it usually means they hold five times the amount of sensitive and bad stuff because they take forever to get emptied," he said.

A savvy criminal could rent a vehicle that looks like a legitimate business van or car, such as a generic white van, park next to the compactor, and "shovel it in," he said. Some even go as far as to make a decal with a business logo that can be affixed to the side of the vehicle so no one will question why the compactor is being emptied.

Technology makes it easier than ever for someone to pose as someone they are not. It is simple now to go to a copy shop or graphics store and produce a business decal that looks legitimate. However, one of Nickerson's favorite places to prep for an assignment is a good, old-fashioned pawn shop. He looks for, and often finds, shirts and uniforms with company logos that can be used in an assessment.

"You look at the facility and get an idea of what some of the outs are: the sprinkler and lawn care service, the trash service, the internal cleaning services. Try and get a profile of what they look like. Then go thrifting that day looking for things. Fifty to sixty percent of the time I will find them."

Stories by Joan Goodchild
