Would a criminal be able to walk into your building and steal private information? You hope the answer is “no”, but there are only a few ways to try to keep your business secure. Pratum has a solution for that; it’s called Social Engineering.
Essentially, a business hires Pratum to test its physical security. In some cases, that means going to the business location and trying to enter the building, or attempting to find sensitive information around the facility.
For each assignment there are two Pratum employees directly involved in the process. One does the physical entry work, while the other sets up the parameters with the client to establish boundaries and expectations. In this blog we are interviewing one person who helps set up these tests, Tony Schwarz, Information Security Consultant. We’ll also hear from someone with a lot of experience testing physical security, Tanner Klinge, Information Security Analyst.
What are some methods of physical social engineering?
Tanner: I typically do dumpster diving and facility access. I use tailgating, where I follow someone without their knowledge into the building without a keycard or code to get in myself. Other times I will use piggybacking, which is where someone lets me into the building by holding the door open for me because my “hands are full” or they are being polite. Sometimes I imitate a vendor or friend of an employee to get into the building. I do media drops, like flash drives left around the office or outside the building. I also check exterior doors to see if they’re locked.
When would a company need to use these services?
Tony: It’s all about their risk. If they have assets they need to protect, which most businesses do, they need to have those services done. They may see indicators that tell them that people are dumpster diving or trying to get in after hours, or see unexpected people going through the office. Having a third party come in and test the controls can show you what needs improvement. If you protect the money or personal information of customers, or if you have access to another location with sensitive data, you may need this.
Sometimes it’s due diligence. Sometimes it’s regulatory or compliance. Some auditors will request a social engineering report.
What sort of things have been uncovered in these tests?
Tanner: During dumpster diving outside offices I have found a lot: driver’s license numbers, social security numbers, addresses, full names, birthdays, personal banking information such as bank account numbers, PIN numbers, and account totals.
I have found confidential or sensitive information from a business standpoint, like proprietary designs from a company. I’ve seen sales and finance information and HR documents.
There’s also been more personal stuff like child support documentation. Really all kinds of things!
How do you avoid being detected?
Tanner: There are times I will wear small disguises such as safety glasses or a fake badge that is visible. It depends on what I know about the company that I can use to blend in with the other employees. I’ve noticed people have a hard time engaging with others. People still don’t “see something, say something”. As long as I’m walking in with confidence people don’t question it. Most people do not like confrontation.
Are there safeguards in case you do get caught, to prove you’re there with permission?
Tanner: We’ve started talking to local law enforcement in the jurisdiction of the clients we serve. Then we notify police when and where we’ll be working. We will also carry ID and a statement of work (or contract with the company). Plus, we have a point of contact with the client, in case we need to reach someone to prove we are who we say we are.
What changes have employers made after our testing?
Tony: Some organizations will add or improve security controls related to the method Pratum used to get into the environment. After events like this, clients either upgrade controls or accept the risk. An example control could be another layer of security between a reception area and the main part of their business.
How often should this be done?
Tony: At least annually, or more frequently if you have lots of things that were discovered, and you want to validate that your new protocols are working. It comes back to the risk. If you have a big room of gold or nothing, where on that scale are you? The more you have to lose, the more you have to do to put controls in place.
What does the client receive after a test? What is on a social engineering report?
Tanner: The clients are given photos and a synopsis. The photos are taken when I’m at the facility. They are proof of how far I was able to get and what I had access to. The report, or synopsis, details where I went and who I talked to. I try to be very detailed and give a chronological report. I want the reader to feel like they were there with me, to fully understand the situation.
What is the best result from these tests?
Tanner: I would need to be stopped at the door and approached by an employee. Someone should stop me in the first few minutes. Validation is key.
For example, I was at a bank and claimed to be a maintenance worker doing some work for the facility manager. I told the clerk a different name than my own. I looked around and said I needed to get behind a counter. I had a fake work order in hand to look legitimate. They did ask for my ID, so I handed over my real driver’s license, with a different name than what I told them. They made a copy, gave it back to me, and I signed the sign-in sheet. No one checked to see that the driver’s license didn’t match what I told them. I was able to get behind the counter where the money safe was and had access to the network closet.
Tony: I would hope that management has more information on what choices they should make on how to run their business. At the end of the day it’s up to management to either accept the risk or spend money and time to make changes to reduce the risk. It really just depends on what they’re dealing with and the culture of that organization.
Final Notes from Tanner and Tony for Businesses:
1. Be familiar with your building.
2. Shred your trash.
3. If you see something, say something!
4. Respond quickly if you notice something unusual. Don’t wait for something to happen.
5. Test security controls on a regular schedule.
6. Make sure security measures, like cameras, are working.
7. Management should be training their employees on security protocol.
For more information on how you can test your organization’s physical security, reach out to a Pratum representative today to set up Social Engineering services.