In the world of cybersecurity, it’s a well-known secret that the weakest links in every cyber defense strategy are humans, not technology. Many times, it’s simpler to blame technology, and then to look to technology to solve the problem.
Arguably the most (in)famous hacker is Kevin Mitnick, who used a wide variety of scams and cons to get the information he was after. Using only his acting skills, Mitnick was able to obtain passwords and access dozens of computer networks.
It’s all about efficiency for hackers. Why spend hours breaking into a network when you can convince someone to give you a password?
Tactics of penetration testers
For penetration testers, an on-site visit is often used to test security processes and procedures. After obtaining written permission, penetration testers will try to “tailgate” into a building following legitimate employees through secure doors. Other times, they will talk to the receptionist (e.g. the “casual” security guard) to try to gain access. They will need a cover story, but that is easily concocted with a hi-visibility vest, hard hat and clipboard.
More diligent companies will require that the receptionist or guard record the ID of the person entering. That is also no problem for a penetration tester. Thanks to the internet, there are dozens of websites that sell fake driver's licenses.
Customers of these sites are typically teenagers trying to obtain a fake ID to purchase alcohol underage. However, the fake IDs they produce are quite good. They even show the proper markings under a black light. Without formal training, most receptionists and guards would probably accept the fake IDs, especially if they are from another state.
Verify the story, not the ID
So what can we do? First, training to detect false IDs is important. More importantly, employees should be taught that an ID is only part of the story. If the visitor doesn’t have an appointment, or their story seems vague, a valid-looking ID won’t overcome that. You have to take into account the whole situation, and verify the story, not the ID. That means checking to see if maintenance really called for someone to come in and help with a malfunctioning air conditioner or smoke alarm. For example, you can ask for the name of someone who contacted the service and then actually call that person for verification.
Your first line of defense is the front desk
The fake ID example above highlights a common target of social engineering: receptionists. Front desk employees are common targets because they deal with the public directly and may be under-trained when it comes to dealing with unusual circumstances. They really are security guards, but they don’t think of themselves that way. They are hired to be polite and helpful, and these are precisely the attributes that can be used against them. In a typical hacker situation, the hacker needs to either gain access to the building (to plant malware devices) or to get information to be used to mount an external attack.
Hackers, and penetration testers, often start with a simple phone call. Posing as a friend or business acquaintance to an executive (whose name is on the website), they will try to determine when that person is out of the office. When they call and the person is out, that’s a green light to begin a spear phishing attack and send a falsified email to accounting under the name of the absent executive, asking for urgent payment on an imaginary bill. Because the executive is unavailable, these are often paid.
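The "absent executive" email described above is what defenders usually call business email compromise, and the accounting inbox can be screened for its tell-tale combination: an executive's display name arriving from an outside domain, plus urgent payment language. The following is an added example, not code from the original article; the internal domain, the executive list, the keyword lists and the two sample messages are all constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed assumptions: the organisation's own mail domain and the
# display names that attackers are most likely to impersonate.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"Jane Doe", "John Roe"}
URGENCY_WORDS = ("urgent", "immediately", "today", "asap", "overdue")
PAYMENT_WORDS = ("invoice", "payment", "wire", "transfer", "bill")


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyse_message(raw: str) -> dict:
    """Score one RFC 822 message for the signs of an executive-impersonation
    payment request. Returns the sender address, the list of findings and a
    numeric score (one point per finding) for the mail filter to act on."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))

    body_part = msg.get_body(preferencelist=("plain",))
    body = (body_part.get_content() if body_part else "").lower()
    subject = (msg.get("Subject", "") or "").lower()
    text = subject + "\n" + body

    findings = []
    # 1. A known executive's name on a message that did not come from our domain.
    if display_name in EXECUTIVES and _domain(from_addr) != INTERNAL_DOMAIN:
        findings.append("executive display name from external domain")
    # 2. Replies silently redirected to a different domain than the sender's.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append("reply-to domain differs from sender domain")
    # 3. Pressure to pay something right now.
    if any(w in text for w in URGENCY_WORDS) and any(w in text for w in PAYMENT_WORDS):
        findings.append("urgent payment language")

    return {"from": from_addr, "findings": findings, "score": len(findings)}


# Constructed sample: a spoofed request sent while "Jane Doe" is away.
SPOOFED = """From: Jane Doe <jane.doe@example-c0m.net>
To: accounts@example.com
Reply-To: jane.doe@example-c0m.net
Subject: Urgent wire transfer
Content-Type: text/plain; charset=utf-8

I'm travelling and can't take calls. Please process the attached invoice payment today.
"""

# Constructed sample: an ordinary internal message from the real executive.
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 budget notes
Content-Type: text/plain; charset=utf-8

Attached are my notes from the planning meeting.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, analyse_message(sample))
```

A score of two or more is a reasonable threshold for holding the message for a phone call-back to the executive on a number already on file, which is the same "verify the story, not the ID" rule applied to email: the sender's name is the ID, and the out-of-band call is the story check.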
Hackers like to manufacture a sense of urgency, wear attire to “look the part”
In other situations, a hacker will call the receptionist posing as an internal IT person, and ask for passwords and PINs. These hackers will attempt to fluster the employee by creating a sense of urgency and manufacturing disruptive background noise.
Finally, hackers may show up in the lobby in person wearing a bright orange vest, a hard hat and carrying a clipboard. With such official-looking attire, they can often breeze right past a receptionist without a comment. If they are stopped, they will likely attempt to bluff their way through by claiming an urgent problem with an air conditioner or elevator. Once inside, the hacker can install keylogger software (or hardware) on computers to capture passwords, a LAN Turtle (which automatically connects back to the attacker outside), or a rogue access point called a Pineapple (to capture Wi-Fi traffic).
Tips to detect penetration testers
The best way to stop penetration testers is to be observant. If someone comes around that you’ve not seen before, stop them and ask for verification (not just ID). Visitors to offices should never be unescorted, and should never have a reason to touch a computer or enter an equipment room. Be aware that distractions are useful to both magicians and penetration testers. Appearing clumsy and dropping or spilling items can be the ruse to get to the back of a computer to install a keylogger or other device. Also, be aware that penetration testers will often stand outside commiserating with smokers (especially in bad weather). By the time the workers re-enter, the penetration tester will be laughing and joking with them like old friends. Everyone needs an ID. No one should be able to tailgate into the facility.
If all this concerns you, it should. Cybersecurity is a people problem, not a technology problem. Get training and stay up to date.