Success Story: Physical Social Engineering
A publicly traded company requested an evaluation of their physical security controls through social engineering as part of a larger security assessment. The goal of the test was to obtain unauthorized access to critical areas such as the network operations center and the data center. Praetorian was given no prior knowledge or access before the test began.
Praetorian began by evaluating the strength of the company's primary access point, where the receptionist desk was located, by simply walking in, taking a seat in the waiting area, and observing foot traffic. Praetorian noted that HID badges were the primary method of physical authentication for employees but, given the layout of the main access point, piggybacking would be too difficult.
The Praetorian consultant returned the next day wearing a blank HID badge and obtained access to the interior of the building through a side entrance. Using the fire exit signs, Praetorian was able to determine the layout and naming conventions of the building's areas, and was able to access all non-restricted areas by simply tailgating employees.
For the next three days Praetorian entered the building through the side entrance and exited through the main entrance. In an effort to build rapport with the receptionist, the consultant said goodbye each day and made extra time to chat with her. On the fourth day Praetorian entered through the main entrance and told the receptionist, who now recognized him, that he had just started that very week and that his manager had given him a temporary badge that would not work until his new badge was ready. The consultant complained that the process was taking too long and becoming a bit of an inconvenience, and asked where badges were made. The helpful receptionist provided the name of the company that staffed the security desk and the area where it was located, and allowed the consultant to enter without a badge. After returning from lunch, the consultant asked the receptionist for the extension of the security desk, which the receptionist provided on a post-it note.
The consultant then used unauthenticated access to the company's online directory to map the extension to the full phone number (including area code) of the security desk. He then identified an IT manager's phone number through the sales site Jigsaw, used that number to spoof the caller ID presented to the security desk, and convinced the security staff they were speaking with the IT manager. As the "IT Manager", the consultant requested a badge for a new contractor with access to all IT areas, including the targeted critical areas. The consultant also told the security staff that the contractor would arrive unaccompanied, since the manager would be tied up in meetings. When the consultant arrived to obtain his badge he was not required to provide any form of identification and presented himself as Bruce Banner. A badge was created with escalated privileges, and the consultant was able to buzz himself into the Network Operations Center and Data Center with his new badge.
The resulting report demonstrated glaring weaknesses in the company's physical security processes and provided recommendations for mitigation.