Written by: 9/16/2010 5:50 PM
Do you remember that commercial that came out during last year's Super Bowl? The one for Tide to Go? It has the guy sitting down for an interview, but he has a ridiculous blabbering stain on his otherwise crisp and clean white shirt. If you haven't seen it, you need to stop what you're doing and watch it now. Go ahead, it's SFW. http://www.youtube.com/watch?v=X2cs8gnb42A

Well, I had an experience like this recently at a client's site. A customer who had recently been the victim of pretexting contacted RocketReady. They were interested in learning more about how social engineering could impact their company and customers. RocketReady performed a full assessment of this company's security posture related to social engineering: pretexting, phishing, dumpster diving…the whole package. My job? Perform an assessment of their facilities to see how they physically protected sensitive information.

As usual, before beginning a thorough analysis, I had the project sponsor take me around the company's campus and show me the basics…mailroom, various entrances, smoking areas, etc. Usually, these walkthroughs allow me to make a map of the facilities and take notes so I can find my way around later when I do my own thing. This walkthrough was different. It was a "talking stain" experience. I usually have to do a little bit of digging to find weaknesses in employee information security practices. I usually have to stretch a bit and social-engineer my way through closed doors. Not here. The problems were so obvious that I couldn't help but stop and stare and think about what I was seeing, even before the real assessment began.

Let's back up a step. I should have guessed it might be this way based on my arrival. I went to the main entrance and told the security guard who I was there to see. He sent me to another building, unescorted and undocumented. Keep in mind that the sign said "All visitors must sign in and be escorted at all times." He told me what floor to go to.

I made my way to the other building, walked directly past the security desk with the two security guards and the sign that said "All visitors must sign in and be escorted at all times" and to the elevators. As I got off the elevator, I walked directly into the executive floor and asked the receptionist to see the project sponsor. She went to find said person and I wandered around the entire floor, uncontested. A few minutes later, my appointment arrived.

We started the tour. Almost immediately, I noticed a whole laundry list of items that needed to be addressed. Too much, in fact. These things were such a distraction that I couldn't even hear what was probably interesting and useful information about the company.

Talking Stain 1: As we walked past one area of cubicles, I noticed that computer after computer was sitting there completely unlocked. I took note that many had customer management programs running—lots of private data about consumers who have accounts with them.

Talking Stain 2: On another desk, I found a customer check sitting right out in the open. [Sigh].

Talking Stain 3: My client was pleased as punch to point out their giant community shred bin in which all sensitive documents are placed to be shredded later. I didn't point out that it was unlocked.

Talking Stains 4 and 5: A few minutes later, we walked right past the original security guards, sans credentials, to the wide open mail room. The beauty of this mail room was that a person could not only barge right in the front door, but the back door to the outside was also propped wide open. "It's hot in here," was the reply from the mailroom employee when I made this observation.

Talking Stain 6: Finally, I arrived at the desk of the project sponsor's #2 to start digging a little deeper. This person's title contained words like "Director," "Information," and "Security." This person was preoccupied with lots of actual work to be done, but was gracious enough to give me 30 minutes or so. At least 4 or 5 times during our appointment, this person had to log in to something. The conversation each time went:

Client: "Uggh. What was my login for this one?"
Me: "Are you asking me?"
Client: "No – I just can't remember. I have so many stupid things to login to." [Rummaging through the desk.]
Me: "Yeah – that makes it tough doesn't it?"
Client: "Ah ha! Found it!"
Me: "What's that?"
Client: "I just write all of my logins on this business card."
Me: "Hmm. That could be dangerous if…you know… it got in the wrong hands."
Client: "What do you mean?"
Me: "Well, I mean, you are an important person, with access to a lot of stuff. Hope nobody would find that card and, you know…use it. Just sayin'."
Client: "Who's going to come into my office and do that?"
Me: ………
Client: ………
Me: "You're probably right."

Well, long story short…this particular client had a lot of issues to work through. As a corporate entity, they had never given much thought to the simple ways a social engineer might take advantage of their physical security weaknesses. Like most companies, they had a rock-solid IT setup. They do a lot of e-commerce, so they are keenly aware of the risks there. But, they had a "who would do that?" mentality about matters of physical security. Fortunately for them, the impact of an actual social engineering attack was enough to encourage them to make real change in a lot of areas. They have since implemented recommendations, had corporate-wide social engineering training from RocketReady, and use our awareness collateral to keep employees sharp.