Social Engineering: 5 Security Holes at the Office (Includes Video)
We poked around a secure building with social engineering expert
Chris Nickerson and found several ways a criminal could get inside and
access sensitive data
If you think the biggest threat to your sensitive information lies in
network security, think again. Once a criminal is inside a building,
there are limitless possibilities to what that person can access or
damage. Take a look at your building's security. How easy is it to get
inside?
We spent an afternoon with social engineering expert Chris
Nickerson, founder of Lares, a security consultancy based in Colorado,
to get an idea of some of the key vulnerabilities a criminal looks for
in building security. Lares specializes in what Nickerson calls 'Red
Team Testing,' a method that gauges risk in real environments. In other
words, he and his team are hired to break into buildings and find out
where the security gaps lie (Read Chris' first-hand account of how he
does it in Anatomy of a Hack).
Our goal for the day was to choose a building at random and find ways a
con artist might be able to get inside the facility and pretend to be
an employee. Once someone is inside, posing as a legitimate worker,
their potential to steal data, hack a network, or commit some other
crime is high. Yet most offices, even the most secure, have holes, said
Nickerson.
"One of the big problems with offices is you can get into them because, by design, you have to go to work," said Nickerson.
Of course, security needs will vary from building to building. And
security and facility managers have to make their own individual
determinations about what kind of safeguards they should put in place.
But with Nickerson, we aimed to point out some of the things a social
engineering criminal will look for when trying to get in some place
they have no right to be (Check out the video for Chris' walk-through
of the building).
First Impressions
We headed to a building near CSO headquarters to see what we could
find. We chose the building from one of several options in the area
that we knew had a secured entrance and that required identification to
get inside. Immediately upon walking onto the property, Nickerson
pointed out that the first vulnerability is lack of external camera
coverage.
"I could be lurker-stalker guy and hang out in the woods, beat someone's
badge out of them or steal something," he said. "Or set up cameras to
profile the facility, and there are all sorts of really nifty places to
hide in."
Power Supply
The next place Nickerson headed was the building's generator.
The generator on the property was not caged or protected externally in
any way. Nickerson approached the generator and opened it with ease
because it was unlocked. In addition to the obvious gap this leaves in
a building's business continuity/disaster recovery plan, Nickerson also
pointed out how the generator can be used in a social engineering scam.
"It is pretty obvious, now that we see a generator, that there is a
data center inside. It's pretty easy to deduce that they have things
that have to stay running," he said. "So if we cut the power here,
you'll have full corporate denial of service. Everybody freaks out and
then you walk in while everybody is freaking out and steal things."
(*Note: Snooping around the generator did catch the attention of the
facilities manager at the building we were assessing. A few minutes
after Nickerson opened the generator, the facilities manager came out
and spoke to us. But according to Nickerson, anticipating questions from
authority is just part of any good social engineer's preparation. Read
an account of how Nickerson handled our one-on-one confrontation,
and how easy it was for him to get what he wanted, in The Fine Art of BS, Face to Face).
Entryways
Our tour continued with a check of the back of the building, where
Nickerson quickly spotted a smoking section. It was clear the area is
used for smoking breaks because there was a standing ashtray filled
with used cigarette butts. A common tactic for entering a secured
building unseen is to hang out in the smoking area and wait to be let
in by an unsuspecting employee.
"A social engineer's best friend is a cigarette," said Nickerson.
A cigarette wasn't even necessary to get into the building at this
facility. The back door was unlocked, unguarded and it was very easy to
open it and walk into the building.
Parking Lots
We didn't go poking around the cars in the parking lot, but
Nickerson said opening unlocked cars is part of his Red Team
assessment, and also another common social engineering strategy.
"People always leave their cars unlocked and there are always badges
and other stuff in there. It's a good place to get in and get all the
credentials you need."
Trash Compactor
Our aim was to find ways a criminal could possibly enter the
building and pull off a theft or other kind of security breach. But as
Nickerson pointed out, the facility's trash compactor brings the
sensitive information outside and more directly into the hands of a
thief.
"Because they are compactors, it usually means they hold five times the
amount of sensitive and bad stuff because they take forever to get
emptied," he said.
A savvy criminal could rent a vehicle that looks like a legitimate
business van or car, such as a generic white van, park next to the
compactor, and "shovel it in," he said. Some even go as far as to make
a decal with a business logo that can be affixed to the side of the
vehicle so no one will question why the compactor is being emptied.
Technology makes it easier than ever for someone to pose as someone
they are not. It is simple now to go to a copy shop or graphics store
and produce a business decal that looks legitimate. However, one of
Nickerson's favorite ways to prep for an assignment is at a good,
old-fashioned pawn shop. He looks for, and often finds, shirts and
uniforms with company logos that can be used in an assessment test.
"You look at the facility and get an idea of what some of the outs
are: the sprinkler and lawn care service, the trash service, the
internal cleaning services. Try and get a profile of what they look
like. Then go thrifting that day looking for things. Fifty to sixty
percent of the time I will find them."
© CXO Media Inc.