INDUSTRY: Financial Services
SERVICE: Advisory, Profiling
For several years, a governmental agency has engaged SecureState for annual audits of its security program. At first, its security was fairly weak; however, each year it continues to make significant improvements. Our Advisory and Profiling teams were brought in to assess the existing security controls and make appropriate recommendations to mature the security program. Our consultants attempted to break into the client’s network using a variety of proven methods, including:
- A Physical Penetration Test
- An Internal Attack & Penetration Test
- An External Attack & Penetration Test
- A Social Engineering Assessment
Additionally, an INFOSEC Assessment was conducted to gain insight into their Security Program as a whole, as well as to provide a better understanding of the root causes behind the findings from our other assessments.
Why it’s Cool
This was an especially interesting engagement because it gave our consultants the opportunity to employ their creativity in testing physical security controls and human behavior, which few organizations take the time to address. The consultants were able to explore the large, heavily-trafficked building with minimal confrontation—ultimately bypassing multiple layers of physical security controls with little more than a cheap suit and good timing.
In one instance, a consultant loaded false employee documents laced with malware onto several USB flash drives and left them in conspicuous locations throughout the building. If an unsuspecting employee plugged one of the infected flash drives into a computer to view the documents, a connection would be made back to our server, compromising the target computer. In another scenario, the consultants ran a Phishing Attack, posing as staff members to send a fraudulent email to all employees. Any employee who opened the email and clicked the link became an entry point onto the corporate network.
What the Consultants Had to Say
Dressed in a suit and tie, we joined the crowd of eager workers near the entrance in front of the security guard. Even though we lacked an ID badge, we made up for it with confidence and swagger. With a smile on our faces, we greeted the security guard and passed through the gated entrance into the heavily-trafficked lobby. Once inside, we took a deep breath and proceeded toward the elevators at the far end of the building. We knew what we were supposed to do, but how to get there was another question.
We did our best to squeeze into the congested elevator and quickly followed the crowd. Before we knew it, we were in the basement and soon realized a better plan was required. The elevator would not travel to certain floors of the building without the swipe of a valid ID badge, and the client was housed on these floors! “Without an ID badge, this Assessment was going to be tricky,” a consultant emphasized. So, we travelled back up to the lobby and entered the second elevator, which housed a group of well-dressed, yet skeptical employees. As the elevator doors opened, we followed the group of employees down a long, narrow hallway surrounded by offices on both sides and noticed a heavily secured doorway 20 feet in front of us. “We’ve made it this far,” a consultant declared. “The last thing we want to do is lose our cover.” We made the executive decision to turn around and head back down the elevator toward the lobby and try again later. We knew the only way through the locked door was to follow somebody with the proper access credentials; therefore, we elected to take our time until we found the ideal crowd of notable employees to trail.
While on the elevator, we struck up a small conversation with a few members of the group. Once the doors opened at the correct floor, we followed the employees down the familiar slender hallway. As we approached the secure door, an employee placed his badge over the sensor and unlocked the door. “Allow me to grab the door,” our consultant offered, and we managed to walk straight through the doorway without hesitation. From there, we performed the rest of our scheduled Assessment. When one consultant arrived at the IT director’s office, it was safe to say she was very disappointed at his arrival. She now had substantial verification that their physical security needed to be addressed.