Today’s businesses typically devote many resources to ensuring the logical security of their information systems. However, the devastating effect of even a single security breach also requires these organizations to consider their physical security, which they often overlook. Physical social engineering assessments evaluate a company’s ability to prevent unauthorized physical access to assets on its premises, or to prevent someone from taking an unauthorized action simply because another person requested it in person. Experienced consultants can provide their clients with a great deal of information regarding their physical security. This aspect of social engineering is becoming increasingly popular in the U.S., but only a few consultants have the expertise needed to conduct this increasingly important assessment.
A physical social engineering test assesses how difficult it would be for an attacker to exploit the people component of an organization to gain access to its physical premises, generally for the purpose of obtaining sensitive information or control over internal systems, or to get staff to perform an action (sending a message, canceling a service, providing a refund, providing confidential information) that may not be in the organization’s best interest. It also includes advice on ways to mitigate these threats, which organizations often overlook when developing their information security strategy.
A physical social engineer’s job is to get a target to take an action that may not be in the company’s best interest, such as allowing physical access to an organization’s premises by convincing someone to admit them or by bypassing people controls (e.g., tailgating into a building), and then performing a series of predetermined tasks that assess the organization’s physical security posture. The goal of these tasks is typically to obtain network access, often by planting devices that the attacker can operate remotely, to obtain access to a sensitive area of the building, or to get a person to take an action. A physical social engineer also attempts to gather evidence of an organization’s security vulnerabilities in real time. This evidence could include sensitive information left in the open, workstations left logged on, and violations of clean desk policies.
The most challenging aspect of physical social engineering is convincing clients that physical social engineering is just as important to security as penetration testing. Mature organizations often conduct penetration testing of both their application and network security on a regular basis without ever assessing their physical security. The primary reason for this disparity is that the consultants who test security typically have expertise in logical security rather than physical security, so they simply aren’t capable of performing these tests. Furthermore, cyber security organizations usually don’t offer physical social engineering services, giving their clients the impression that their current measures are adequate for protecting their network and data.
The intense focus that many organizations currently have on protection against malware attacks is certainly justified, but it often causes them to overlook physical security. Malicious actors can freely walk through the front doors of many facilities by simply posing as a client or maintenance worker, allowing them to bypass physical deterrents like keycard locks. They can then compromise the organization’s information system in a variety of ways once inside the facility. A physical social engineering assessment thus shows that physical security is often the most vulnerable part of a company’s security posture.
People are usually the weak link in any cyber security strategy. For example, someone who looks like they belong in the facility can often persuade staff members to allow them into a secure area without providing the required credentials. This practice is one of the most common methods of obtaining sensitive information, meaning that training in company policies and procedures is one of the most effective methods of improving physical security.
Physical social engineering assessments are moving away from the rigid methodologies that traditional security companies have used in the past. Providing the benefits that clients expect today requires social engineers to use the more realistic approach that actual attackers would use.
Once an assessment is scheduled, a social engineer will review the client’s website and other publicly available data. The purpose of this process is to develop an initial opinion of the challenge to expect when attempting to compromise the facility’s physical security. Some clients also want a spot check of the first steps the engineer will take, along with an explanation of common risks. The steps for performing a physical social engineering assessment also depend on whether the client is receiving its first physical assessment or is already in the process of honing its policies and procedures through regular assessments.
The methodology that a social engineer uses to test a client’s physical security consists of multiple phases: data collection, reconnaissance, remote attacks (optional), pretext creation, execution, and report creation. Some clients choose to provide some information to the social engineer up front to reduce the amount of data collection needed and ultimately reduce costs, e.g., dress codes, the approximate location of a target within a building, front desk procedures, company policy information, or facts such as everyone working remotely on Fridays.
Open-source intelligence (OSINT) is a key part of the process for gathering data on a client. The types of OSINT that are most valuable in social engineering include building images, company officer names, paid services, DNS records, and Nmap data. Social media platforms and search engines are indispensable tools for discovering information about a company that automated search programs will miss. For example, a tool like SpiderFoot draws on large data sets, but compiling an employee list from LinkedIn still requires a manual search.
Social engineers must also perform reconnaissance before attempting to enter a building for the first time. This step typically involves covertly surveilling the facility to identify traffic patterns, dress codes, vendors that visit the location, and places where employees may prop doors open, and assessing front desk procedures. Reconnaissance may include monitoring the facility’s Wi-Fi network, provided a sufficiently strong signal is available from a discreet location. A walk around the perimeter of the building may reveal a break in the fence that the engineer can use to access the site, often for the purpose of dumpster diving.
Occasionally, a social engineer performs remote attacks (especially email phishing, spear phishing, and telephone vishing) to obtain confidential information about a building or to assist in developing their pretext. Attackers are moving away from email and towards phone calls as a means of obtaining sensitive information, due to the common perception that a phone call is sufficient to authenticate someone. The types of attacks that RedTeam Security uses include phishing emails and vishing to obtain information from staff members and to convince them to perform actions that compromise security.
These techniques usually provide beneficial results, such as access to Exchange accounts and third-party software. Obtaining access to a SharePoint account used to onboard new employees is particularly useful for getting acquainted with the company.
Using the information collected, the social engineer will develop multiple pretexts to be used in attempting to accomplish the goal set with the client. These may include posing as a client to obtain a refund without proper documentation, gaining access to a building through an open door by spending time in an outdoor break area, posing as a vendor, or attempting to tailgate. These pretexts will be shared with and approved by the client contacts. The social engineer will also gather the props needed to support the pretext (an access badge that does not work, an appropriate costume, etc.).
Once on-site, the social engineer will put the pretext into action. While on-site, they may gain additional information by talking to employees or observing details previously unknown to them, and use this information to move forward to accomplish their objectives. The social engineer will attempt to take photos, videos, or other evidence to be presented in a report to the client. Lastly, the social engineer will attempt to leave the premises safely.
Creating a comprehensive report is a critical part of the engagement. It provides the client with the details of the process, the information gathered, the results and observations of the social engineer, any photos taken and any recommendations. This will be used to create a plan for improving training, updating procedures and making any structural changes.
A social engineering test should result in a list of actionable items that reduce the likelihood of successful cyberattacks. These steps often begin with basic improvements and progress to more advanced, customized solutions over time.
Multi-factor authentication (MFA) is a common way for immature organizations to improve their protection against cybercriminals. This approach requires an individual to provide multiple login credentials, or factors, before they can access a restricted area. Factors can be something the user knows, something the user has, or something the user is. A knowledge factor is something only the user knows (like a password), a possession factor is something only the user has (like a phone or token-generating device), and an inherent factor is something only the user is (like a fingerprint).
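As an added illustration of the knowledge-plus-possession combination described above (example code written for this page, not RedTeam Security’s tooling or anything from the original article), the following hypothetical door-access check verifies a password (knowledge factor) against a salted PBKDF2 hash and a one-time code (possession factor) generated by a standard RFC 6238 TOTP token. The user record, salt, and password are constructed sample values; the TOTP seed is the published RFC 6238 test seed so the codes can be checked against the RFC’s own vectors. The replay guard (`USED_COUNTERS`) is an assumption of this example, added so that a code observed over someone’s shoulder cannot be presented a second time within its validity window.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed example data for a hypothetical door-access service; none of it
# comes from the article or from any real product.
PBKDF2_ROUNDS = 200_000
USER_SALT = b"constructed-salt-0001"
# Knowledge factor: only a salted PBKDF2 hash of the password is stored.
USER_PASSWORD_HASH = hashlib.pbkdf2_hmac(
    "sha256", b"correct horse battery staple", USER_SALT, PBKDF2_ROUNDS
)
# Possession factor: the TOTP seed provisioned to the user's token or phone app.
# This is the RFC 6238 test seed, chosen so results match the RFC's vectors.
USER_TOTP_SECRET = b"12345678901234567890"
TOTP_STEP = 30
# Time-step counters already accepted for this user (assumed replay guard):
# a code that has been used once is refused for the rest of its window.
USED_COUNTERS = set()


def check_knowledge_factor(password: str) -> bool:
    """Verify the knowledge factor with a constant-time digest comparison."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), USER_SALT, PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate, USER_PASSWORD_HASH)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, timestamp // step, digits)


def check_possession_factor(code: str, timestamp: int, window: int = 1) -> bool:
    """Accept the current step plus or minus `window` steps (clock drift), once each."""
    base = timestamp // TOTP_STEP
    for counter in range(base - window, base + window + 1):
        if counter in USED_COUNTERS:
            continue  # already redeemed: treat a repeat as a replay attempt
        if hmac.compare_digest(hotp(USER_TOTP_SECRET, counter), code):
            USED_COUNTERS.add(counter)
            return True
    return False


def authorize_entry(password: str, code: str, timestamp: Optional[int] = None) -> bool:
    """Grant access only when both the knowledge and the possession factor verify."""
    ts = int(time.time()) if timestamp is None else timestamp
    knows = check_knowledge_factor(password)
    # Evaluated even when the password failed: the code is consumed either way,
    # so a guessed-password attempt gets no second try with the same code.
    has = check_possession_factor(code, ts)
    return knows and has


if __name__ == "__main__":
    now = int(time.time())
    current_code = totp(USER_TOTP_SECRET, now)  # what the user's token would show
    print("both factors:", authorize_entry("correct horse battery staple", current_code, now))
    print("replayed code:", authorize_entry("correct horse battery staple", current_code, now))
    print("wrong password:", authorize_entry("guess", current_code, now))
```

A weak door policy in the terms of the article is one that accepts the first factor alone; the check above refuses entry unless the caller can produce both, and an observed code is worthless once it has been redeemed.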
A follow-up engagement will allow the social engineer to check improvements in security and training.
RedTeam Security’s social engineering tests assess your people, processes, and procedures. Our tests for breaching physical safeguards include email phishing, telephone vishing, baiting, pretexting, and onsite visits. The goal of our social engineering assessment is to simulate an attack by a malicious attacker for the purpose of discovering vulnerabilities in physical security that a real hacker could exploit with scams.
This process provides valuable insight into an organization’s security posture in addition to the actions needed to address any vulnerabilities. In addition to the initial remediation measures, it’s also important to conduct social engineering tests on a recurring basis. Hackers are continually developing malicious software as they discover new vulnerabilities. RedTeam Security remains on the cutting edge of the latest trends in social engineering instead of relying entirely on a DIY approach.
Despite the changes in technology that criminals use to exploit their targets with techniques like ransomware, many social engineering techniques are still old school. These include the simple process of chatting with a receptionist to obtain information visitors shouldn’t have. RedTeam Security’s testing process also provides your organization with the information it needs to educate end users on security awareness, which can be a highly effective means of preventing a data breach.
Our social engineering testing can highlight problems that, once addressed, will prevent a security breach from occurring in the future. As they say, “the best offense is a good defense.” For a free consultation with a cyber security expert, contact us today at 612-234-7848.