SecureState Blog

Read SecureState's award winning blog.

INDUSTRY:  Financial

SERVICES:  Physical Attack and Penetration and Social Engineering Assessment


Engagement Background

A large financial institution recently engaged SecureState’s Profiling Team to perform physical security assessments. As a longtime client, they felt they had made great strides as far as the security of their internet connected systems, but were concerned about the response of their employees to social engineering attacks aimed at attaining physical access to secured areas and information.

A Physical Attack and Penetration Assessment bridges the physical, logical, and personnel (social engineering) layers, allowing all layers to be assessed for the likelihood of exploitation and access to sensitive information. This assessment simulates a real world attack against a physical presence. Phishing is a social engineering technique of fraudulently obtaining private information. Typically, the attacker sends an email that appears to come from a legitimate employee, business, or help desk requesting assistance with new services, products or malware information and warning of some dire consequence if the requested actions are not completed.


Why This Engagement Highlights Human Weakness

The following results show why your personnel are almost always the weakest link in your security chain:

  • After placing a fake call from a “company employee” claiming to be sending two technicians onsite, the two SecureState consultants entered a branch office and attempted to convince the manager that they had legitimate business need to obtain physical access to critical systems.

After the manager noted:

  • Their fake badges looked fake
  • Their fake business cards looked like they “were made at home”
  • Their names were not listed in Outlook

AND he called the real “company employee” back, who of course had no knowledge of the SecureState consultants, they were still allowed access to connect to the network.

  • While wandering around unchecked on “secure” company floors, SecureState made an observation that a motion sensor above a door was installed in an insecure location. While attempting to bypass the motion sensor on the internal side of the doors, an employee behind the doors noticed and opened the doors asking if SecureState needed access to the offices. Thus a mild vulnerability was quickly transformed into an extreme one with the unwitting assistance of a company employee.
  • SecureState performed email and phone phishing against a significant sample of employees. Overall, approximated half of the targeted employees either clicked on potentially malicious links or were directed to a rogue website and entered their login credentials. One person who correctly questioned the phone attack, then immediately fell for an email phish.


What the Consultants Had to Say

“Companies allocate a lot of time, money, and resources to securing their systems, which is good. However, it is still always surprising how vulnerable they are to most basic physical attacks.” This was illustrated as users inadvertently executed SecureState’s simulated malicious payloads and network controls blocked their effects. “A truly motivated individual could have used these ins to launch any number of more sophisticated attacks against the system.”

Companies just don’t seem to take physical threats as seriously. “They were laughing in the closing meeting, wanting to know who the employees were that did these things…not so they could be reprimanded or trained, but so they could be mocked. They laughingly told us that a lot of their employees had just completed awareness training. This engagement precisely highlights the need to validate the effectiveness of awareness trainings. Based on the results, the training programs can be reviewed, improved, and refined to be more effective.”