Could a stranger walk into your server room and walk out with a firewall?
Before answering, all CIOs and CSOs reading this should sit down, take a deep breath and I’ll let a guy explain how he did it.
“I researched when the shift change took place – the day time receptionist left at 6 p.m. and a security guard would take over,” he said in a telephone interview on Thursday. “So I decided to show up at the office change-over, hoping it would be more vulnerable then. I claimed to be an engineer who was looking at a problem with their Internet connectivity. The receptionist and guard were good, and said I couldn’t come in without a proper appointment.
“So I went for something to eat and thought about it, and rang up reception, and by this time the receptionist had gone home, and I impersonated the head of IT. I’d looked him up on LinkedIn and knew who he was. So I said, ‘I sent out an engineer to fix this problem without our Internet connection. It’s going to give us real problems tomorrow if it ain’t fixed … I sent an engineer out, his name is Peter Wood, he’s a good guy. If I sent him back would you let him in?’”
The guard said yes, apologized, let Wood in, escorted him to the server room, opened the door. “I went in carrying an empty bag, which I pretended carried my laptop and tools, and five minutes later walked out with the firewall in my bag.” – which he handed over to the person who hired him for the snatch.
Fortunately, Peter Wood is CEO of Britain’s First Base Technologies, which specializes in Red Team attack simulations, penetration tests and security awareness. His client, the IT manager at a law firm, had challenged him to steal the firewall.
Last week Wood, who has been in cyber security for 27 years recounted stories like that to at CSX Europe cyber security conference in London staged by ISACA, an association that certifies information system auditors and security managers.
An employee of Wood’ firm went to the head office of a retail company and pretended to be an employee. The badge entry system was too good to fool, so the man phoned the receptionist and claimed to be a new employee who’d left his bade at home. The receptionist said to see her when he came in. She gave a temporary pass – without checking his ID or human resources to verify his identity. “He then let in a colleague as a visitor,” said Wood, “And the two of them spent a week checking in and checking out.” They got initial access to the corporate network by guessing a password, then worked their way up to domain administrative privileges, accessed the email of C-level executives and the board.
A private laboratory that did forensics work for police departments, (a likely target for organized crime) which also had a life sciences division (might by a target of animal rights activists) retained Wood’s team for a test. They first mounted a spear phishing campaign against certain employees to get their network logins. “We achieved I think it was 42 different usernames and passwords on the pretext we were the company’s IT department and we were asking them to check that their credential worked with a new Web portal.”
To check physical security a staffer posed at a branch as a telecom technician without an appointment looking into a communications fault between buildings. A colleague to convince receptionist by phone the visit was real. Once inside he plugged a laptop into the network and used the stolen credentials to prove he could steal information.
Meanwhile another Wood staffer set up a fake Web site purporting to be a magazine about corporate social responsibility and charity work. Posing as a freelance reporter working for the site she arranged an interview with a colleague at the lab’s office to talk about the firm’s charitable work. At one point the second person excused themselves to go to the bathroom. While out he accessed the lab, proving a visitor could have destroyed evidence or corrupted evidence.
“Despite all the cyber security publicity theses days people still think (an attacker) is a guy in a basement using the Internet,” Wood said in the interview, “but the real threat to a business is a well-designed attack by a criminal gang or nation-state or a group of disaffected individuals who only need to use human psychological skills to break through defences,” Once in security “falls like dominoes.”
One of the prime lessons from these and other Red Team exercises is the importance of physical security to back up IT security. “Security guards and receptionists are, unfortunately, very easily fooled,” Wood said. “It’s always a vulnerable point” despite technical controls such as employee badges and turnstiles.
Physical security can be toughened by having a strong visitors policy which includes a formal approval process for visitors – particularly in branches – with no unscheduled people allowed in unless the receptionist can speak in person to an internal contact. Visitors must be accompanied at all times, including waiting outside a washroom. Sensitive work areas such as laboratories should be locked when empty and checked regularly. Staff also need to be reminded about properly storing sensitive papers, and told they have an obligation to report suspicious people on site.
People are an organization’s biggest vulnerability, Wood agreed – but they also can be it’s biggest defensive asset if properly trained. However, he criticized enterprises for being very poor at explaining the need for security rules and policies. “The security industry is still populated with people who think they can just use a big stick and tell people, ‘These are the rules, do this you’re fired,’” he said.
The biggest mistake trainers make is not explaining by using stories relevant to the organization. “Most awareness campaigns don’t have stories. Use real examples of security failures and successes from the company to make a point, he advises.
Finally, Wood tells organizations their security should be based around assessing real threats rather than “blunderbuss” mass spam. So, for example, the forensics lab has to ensure workstations need multi-factor authentication to protect trial evidence from being tampered with.
Wood also has one more story to tell: This week his firm was victimized after sending two smart devices by courier service to a distant city. Only one device showed up at the destination. Because two couriers were used, it can’t be proved who was responsible. Lesson: Don’t send valuable material in only one parcel, and use a courier service that delivers door to door.