Social Engineering: Hunt for the digital crown jewels using a door handle

Size: px

Start display at page:

Download "Social Engineering: Hunt for the digital crown jewels using a door handle"

Russell Armstrong
7 years ago
Views:

1 Social Engineering: Hunt for the digital crown jewels using a door handle TJ Dimkov Deloitte Netherlands 31 st of January 2012

2 A new member Defending my PhD thesis at University of Twente in February. Methodologies for physical penetration testing using social engineering. The methodologies try to achieve Reliable, Repeatable, Reportable, Respectful and Realistic penetration tests. As part of the research, executed more than 30 penetration tests in University of Twente and Technical University of Eindhoven. Reliable Requirements Repeatable Reportable Respectful for all actors Realistic 2 PvIB Evenement

The methodologies try to achieve Reliable, Repeatable, Reportable, Respectful and Realistic penetration tests.

3 Agenda Information security revisited Case Lessons learned Questions and Answers 3

4 Hacking and information security revisited 4

5 In a bold, systematic hit on a landmark Ventura Boulevard office building, burglars stole scores of computers from at least 60 of the 80 businesses there, taking machines containing sensitive legal documents, credit card numbers and the tax information of thousands of people, police said Saturday. Several business owners said they were taken aback by the brazenness of the theft, which deprived them of their computers but left behind other valuable equipment, including monitors, faxes, copiers and printers. Several concluded that the thieves' target must have been the information contained on their hard drives, not property Police Lt. Jay Roberts said investigators are looking at people familiar with the building and its security system. Late Saturday, police were still determining the extent of the crime. The thieves did not ransack or damage the building. No one was injured. "They systematically got into the offices," Abrams said. "It looks like they had a superkey. "It had to be somebody who knows that building," said Mary Hatcher, who runs several companies at the site. "It wasn't forced entry..

Several business owners said they were taken aback by the brazenness of the theft, which deprived them of their computers but left behind other valuable equipment, including monitors, faxes, copiers

7 Information is stolen by a combination of physical access and social engineering Physical Security Unauthorized access Safety Digital Security Confidentiality Integrity Availability Security Awareness Social Engineering Security Policies Computer Security Information Security Physical Mechanism Safe Fence Door Digital Mechanisms Encryption Signature Firewall Awareness Simulation Seminar

Security Awareness Social Engineering Security Policies Computer Security Information Security

8 Information is stolen by a combination of physical access and social engineering How can we perform a complete (physical-digital-social) vulnerability assessment of an organization? Without disturbing the work flow process. Without hurting/stressing anyone. In a quantitative, reportable way. With minimum tests. PvIB Evenement

of an organization? Without disturbing the work flow process.

9 Case 9

10 Methodology Info gathering Reconaissance Vulnerability detection Exploitation Penetration testing approach Information gathering Gather publicly available information from the Internet. Google maps, Social networks, company website, outsourcing parties, forums Reconnaissance Scout the facility and learn the security procedures that are in place. Talk to people around the facility. Identification of vulnerable systems Search for potential vulnerabilities in physical controls, people and procedures Exploitation Manual verification of vulnerabilities found Find a path to the internal network! 10

Google maps, Social networks, company website, outsourcing parties, forums Reconnaissance Scout the facility and learn the security procedures that

11 Methodology What are the steps? Setup Execution Closure Behave normally 1 Behave normally 1 Behave normally 1 Initialize Sign documents Scout Coordinator approval Security approval Execute Contain Collect equipment Debrief Select contact people 5 Select custodians 6 Distribute information 7 Collect logs 13 Report 15 Time ROLES: SECURITY OFFICERS, GUARDS, EMPLOYEES, CONTACT PEOPLE, CUSTODIANS, TESTERS

Scout Coordinator approval Security approval Execute Contain Collect equipment Debrief 3 4 8 9 10 11 12 14

12 Physical penetration testing Pilot study in University of Twente

13 Physical penetration testing 30 tests in University of Twente and TU/e

14 Lessons learned 14

15 Surveillance cameras Surveillance cameras are not used as alarming mechanisms (1) the cameras are not mounted in offices, - privacy issues and cost effectiveness (2) the thief can easily conceal the laptop (3) thieves usually know the position of the cameras and obscure their face, (4) each of the bags might conceal a stolen laptop. if the persons are not caught on the spot and challenged by the security guards, the evidence from the surveillance camera can not be used against them. The surveillance system provides no help in stopping the theft and has limited usage in identifying the thief a posteriori.

16 Access Control We spotted three weaknesses of the access control in the universities. Locks are usually bypassed because (1) they are disabled during working hours (2) the doors and windows where the locks reside are easy to force. (3) the credentials are easy to steal or social engineer and because there are many people entering and leaving the area where the theft occurs, it is hard to deduce which person is the thief. Access control mechanisms deployed in the open institutions are mainly used to deter opportunistic thieves, but provide no help against a determined thief.

(3) the credentials are easy to steal or social engineer and because there are many people entering and leaving the area where the theft occurs,

17 Security awareness of the employees The thefts occurred because an employee (1) left the laptop unattended in a public location (1) did not lock the door when leaving the office (2) opened door from offices of their colleagues, (3) shared credentials or handed in laptops without any identification. Even with strong access control in place, if the security awareness of the employees is low, the access control can easily be circumvented. The main reason behind the failure of 67% of all failed penetration tests. In these cases, an employee (1) informed the security guards for suspicious activities, (2) rejected to open a door for the tester, (3) rejected to unlock a laptop without permission from the custodian (4) interrupted the tester during the theft Employees are usually considered as the weakest link in the security of an organization. We observe that employees can also be the strongest link in the security of open organization. PvIB Evenement

Even with strong access control in place, if the security awareness of the employees is low, the access control can easily be circumvented.

18 Questions and answers 18

19 Contact TJ Dimkov Risk Services Laan van Kronenburg AS Amstelveen The Netherlands Senior Consultant Mobile: tdimkov@deloitte.nl Risk Services Laan van Kronenburg AS Amstelveen Marko van Zwam The Netherlands Partner Security & Privacy Mobile: mvanzwam@deloitte.nl 19 PvIB Evenement

nl Risk Services Laan van Kronenburg 2 1183 AS Amstelveen Marko van Zwam The

20 Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and deep local expertise to help clients succeed wherever they operate. Deloitte's approximately 170,000 professionals are committed to becoming the standard of excellence. This publication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the Deloitte Network ) is, by means of this publication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this publication. 20

Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries.

Free Article PHYSICAL PENTESTING A WHOLE NEW STORY IN PENETRATION TESTING 2/2011. by Trajce Dimkov & Wolter Pieters

Free Article PHYSICAL PENTESTING A WHOLE NEW STORY IN PENETRATION TESTING 2/2011. by Trajce Dimkov & Wolter Pieters Free Article 2/2011 PHYSICAL PENTESTING A WHOLE NEW STORY IN PENETRATION TESTING by Trajce Dimkov & Wolter Pieters FREE ARTICLE Physical Penetration Testing A Whole New Story In Penetration Testing Physical