Social engineering: an intruder's tale
Posing as an IT consultant, Colin Greenlees performed a penetration test on a FTSE-listed financial services firm. One or two tricks of social engineering gave him free access to some very useful - and very valuable - information.
The impact of data loss on a business is well defined and significant: hefty fines for legal breaches, reputational damage and consequential financial loss. At the root of the problem in most cases is the failure of staff to fully adhere to policy and process, linked to the lack of a structured approach to data management.
Another factor is that European organisations believe they have resilient infrastructures, which gives rise to a false sense of assurance: in 2008 they invested €2.6bn (according to analyst Gartner) to protect confidential information from cybercriminals who try to hack into their ICT systems, or beset them with viruses and malware. This investment addresses only one of the three main areas of IT security - technology. The other two - people and processes - remain vulnerable, and the three areas are, of course, intrinsically interlinked. Investing in IT security while neglecting physical security can leave data just as exposed as an online attack would.
Social engineering is a form of the traditional confidence trick, in that it is principally concerned with manipulating people into performing actions, or divulging confidential information that they would not normally reveal.
High-tech protection systems are largely ineffectual against such attacks, because social engineering invariably exploits the weakest security link - human behaviour. In a successful socially-engineered penetration, employees are unaware that they have been manipulated.
Like hacking, social engineering is used to gain unauthorised access to systems or information in order to commit fraud, network intrusion, industrial espionage, identity theft or simple disruption. It is generally much easier than hacking, as it requires no technical know-how to carry out. In its most basic form, it involves simply asking other people for information.
At the request of a FTSE-listed financial services firm, I was commissioned to undertake a social engineering exercise to see how susceptible staff might be to this type of attack. I spent a week undercover at the firm based in the City of London. I kept a daily log of my experiences, which describes just how vulnerable an enterprise can be to the devious intruder intent on gaining access to valued data.
Prior to going into an organisation I prepare by doing as much research into the target company as possible. For this project, I started off by visiting the organisation's website: this displayed the names, locations, and photographs of many employees. Such online content provides a useful pre-briefing to a social engineer. The next phase involved conducting passive surveillance of the organisation's offices from the outside to gain an understanding of all entry/exit points, and to assess the security measures; much of this preparation was conducted from a coffee shop adjacent to the target's office building. By observing the people entering and leaving the building, their interaction with the security guard, and by discreetly observing employees entering the coffee shop I determined that:
- ID cards are not displayed;
- There is no requirement to show the guard any form of identification or electronic access control swipe card;
- There is very little interaction between the organisation's staff and security personnel.
Today was the hardest part of the project - gaining entry to the premises for the first time. Having started the day observing the human traffic entering and leaving the target organisation's offices, I waited outside during a busy period, and then followed three employees into the building through the revolving doors from the street. By pretending to be conducting an involved call on my mobile phone I was able to avoid getting into direct conversation with any of the employees. Taking a confident approach when entering a building has the added benefit of making it appear as if the social engineer 'belongs', and has entered the building many times before.
I noticed during the initial 'sweep' of the building that an electronic swipe card was required to activate the lift. It was clear that I would not be able to move beyond the ground floor without the required card.
I didn't make eye contact with the security guard, and was not otherwise challenged by him. Upon entering the lift, the swipe access pad was activated by another employee, and I (while still conducting my phony phone conversation) held up two fingers to indicate that I wanted to go to the second floor. The button was pressed. When the lift reached the second floor I exited, and walked into the office area, all the time continuing the phony phone conversation. At no time was I challenged by an employee.
Having successfully entered the building the next step was to establish a working area; I chose a second-floor employee meeting room (these rooms were separate from the main fully-equipped client meeting rooms), as it was equipped with an internal telephone which would be instrumental for the forthcoming telephone attack.
There didn't appear to be any type of meeting room booking system in use, which made it easier to occupy a meeting room for long periods of time; at no point during the exercise was I challenged by an employee who had booked the room.
With my working base established, I started to survey the floor I was working on. If challenged, the response to be given was that I was conducting a security audit, and needed access to all areas of the building. To enhance credibility I wore an out-of-date generic ID card on a lanyard around my neck. Much of the day was then spent accessing various parts of the building. During that time I had access to a wide range of company documentation.
The next phase of the exercise was to try to elicit information about the organisation's IT network infrastructure. This type of information is really useful, as it can cut down the amount of time spent conducting technical scans and surveillance. One of the pre-prepared objectives was to try to gain access to the data/server room, which is located on the third floor. I got into the IT office, where I was met by two employees. I explained that I was conducting a security audit, and needed access to the data room.
Without much difficulty, I was shown the data room by an IT technician. He then explained what equipment was in there.
By adopting a friendly manner, and engaging the employee in general chat, I gleaned a lot of small pieces of useful information, such as:
- Cabling conventions (e.g. which cable colours are used for what);
- Username construction;
- Password criteria;
- Incidents and how they are reported and managed.
Today I carried out a telephone attack. Essentially, the aim was to test the willingness of staff to provide desktop usernames and passwords. No names or telephone numbers were supplied to me beforehand, so the first priority was to obtain the internal telephone directory.
This was done by approaching the target company's reception staff, and asking for a copy. The receptionist did not ask for any form of identification, or verify with any member of staff that it was okay for me to access what should be a confidential document. This internal directory contained much valuable information, including:
- Names and direct dial numbers of all employees;
- Mobile phone numbers of all employees;
- Internal IP address ranges of all organisation offices;
- ISDN numbers.
I returned to my 'office', and spent the day calling employees to try to get log-on details for their computers. By using language familiar to the organisation, I built credible scenarios in order to gain the trust of the targets, saying things such as "I'm working with [colleague name] from the IT support team". By quoting the employee's username to them during the conversation I was able to establish another, subconscious level of trust. The experiment was very successful; the majority of people targeted provided both their username and password. People's natural tendency to help others, coupled with some simple psychological tricks, invariably delivered.
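The telephone attack works because two separately gleaned facts are combined: the internal directory supplies every employee's name and extension, and the chat with the IT technician supplied the username construction rule, so the caller can quote each target's own username before the target has said anything. The following is an added example (not from the article, and not the author's own tooling) of that combination step. The firm's real convention is not stated in the article; the rule used here - first initial plus surname, lower-case letters only, at most eight characters, with a numeric suffix on collision - is an assumption, and the directory entries are constructed sample data.

```python
"""
Build a call sheet (name, extension, predicted username) from a leaked
internal directory and an assumed username construction rule.

ASSUMED convention (the article does not give the firm's real one):
  first initial + surname, ASCII lower-case letters only, max 8 chars,
  numeric suffix appended on collision (jsmith, jsmith2, jsmith3 ...).
"""
import re
import unicodedata

# CONSTRUCTED sample directory entries (name, direct-dial extension);
# these are not real people.
DIRECTORY = [
    ("Jane O'Connor", "2201"),
    ("Jon Smith", "2202"),
    ("Joan Smith", "2203"),
    ("Zoë Müller-Ward", "2204"),
    ("Jan Smith", "2205"),
]


def normalise(s):
    """Reduce a name fragment to plain lower-case ASCII letters.

    Accents are stripped (Zoë -> zoe) and apostrophes, hyphens and spaces
    are dropped (O'Connor -> oconnor, Müller-Ward -> mullerward), which is
    what a typical account-provisioning script does (assumption).
    """
    s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", s.lower())


def build_username(full_name, taken, max_len=8):
    """Predict one username under the assumed rule, avoiding names already
    handed out (collisions get a numeric suffix that fits within max_len)."""
    first, _, last = full_name.strip().rpartition(" ")
    if not first:  # single-token name: treat the token as the surname
        first = last
    base = (normalise(first)[:1] + normalise(last))[:max_len]
    candidate, n = base, 2
    while candidate in taken:
        suffix = str(n)
        # Make room for the suffix without exceeding the length limit.
        candidate = base[: max_len - len(suffix)] + suffix
        n += 1
    taken.add(candidate)
    return candidate


def call_sheet(entries):
    """Return [(name, extension, username)] in directory order.

    Order matters: the provisioning script would have resolved collisions
    in the order accounts were created, which we approximate by directory
    order (assumption).
    """
    taken = set()
    return [(name, ext, build_username(name, taken)) for name, ext in entries]


if __name__ == "__main__":
    for name, ext, user in call_sheet(DIRECTORY):
        print(f"{ext}  {name:<18} {user}")
```

The same script is useful on the defending side: run it over your own directory and, if the output matches the real account names, the username is public information and must not be treated as a secret or as a factor of trust in help-desk verification.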
Towards the end of the social engineering exercise I brought a confederate onsite posing as a second 'consultant'. His objective was to gain access to the building then obtain connectivity to the corporate local area network (LAN).
I escorted my colleague into the office, and we were both swiped in by the security guard who I had befriended earlier in the week, and who now granted me access every morning when I arrived; we then went to my 'office' in the meeting room. Following this, time was spent observing the office floor, and identifying an empty desk where connectivity could be established to the corporate LAN.
My colleague moved to the desk and connected his laptop to the network floor port located underneath it. He would have had full access to the network infrastructure, and with his technical ability would have been able to identify the core servers, routers and other key network infrastructure components.
Armed with the usernames and passwords gleaned during the telephone attack, we would also have been able to access various user accounts, plus any proprietary and confidential information contained within them.
Further network infiltration was not attempted as this would have been considered out of the scope of the exercise. It was decided that enough steps had been completed to conclude the social engineering report. We then held a face-to-face project 'wrap up' meeting with our client's personnel which was followed by a detailed report with comprehensive information and recommendations. The client report itself was anonymised; all employee names were changed, and passwords deleted to protect identities.
Enterprise penetration debrief
Social engineering tactics can give criminals unfettered access to sensitive data through a mixture of confidence tricks and basic employee deception. The scary thing is that it's all simple stuff. It's just confidence, looking the part, and basic trickery such as 'tailgating' people through swipe card operated doors or - if you're really going for it - carrying two cups of coffee and waiting for people to hold doors open for you. Most people's helpfulness overrides any suspicions they may otherwise feel.
Colin Greenlees is a security management consultant at Siemens Enterprise Communications
IET Technical and Professional Networks
http://kn.theiet.org/communities/itsecurity/index.cfm
http://kn.theiet.org/communities/itmanagement/index.cfm