Physical penetration testing using social engineering

Transcription

1 Physical penetration testing using social engineering Trajce Dimkov, Andre van Cleeff, Wolter Pieters, Pieter Hartel University of Twente, The Netherlands

2 In a bold, systematic hit on a landmark Ventura Boulevard office building, burglars stole scores of computers from at least 60 of the 80 businesses there, taking machines containing sensitive legal documents, credit card numbers and the tax information of thousands of people, police said Saturday. Several business owners said they were taken aback by the brazenness of the theft, which deprived them of their computers but left behind other valuable equipment, including monitors, faxes, copiers and printers. Several concluded that the thieves' target must have been the information contained on their hard drives, not property Police Lt. Jay Roberts said investigators are looking at people familiar with the building and its security system. Late Saturday, police were still determining the extent of the crime. The thieves did not ransack or damage the building. No one was injured. "They systematically got into the offices," Abrams said. "It looks like they had a superkey. "It had to be somebody who knows that building," said Mary Hatcher, who runs several companies at the site. "It wasn't forced entry.

3

4 Information is stolen by a combination of physical access and social engineering How can we perform a complete (physical digital social) vulnerabilityassessment assessment ofanorganization? organization? 1. Without disturbing the work flow process. 2. Withouthurting/stressing hurting/stressing anyone. 3. In a quantitative, reportable way. 4. With minimum tests.

5 The R* Requirements Realistic employees should act normally, as they would in everyday life. Respectful the test is done ethically, byrespectingtheemployeesandthe mutual trust between employees. Reliable eabe the epenetrationet test doesnotcause ot productivity ty lossofemployees. o e p oyees Repeatable the same test can be repeated several times and if the environmentdoesnotchange not change, the results should bethesame same. Reportable the outcome of the test should be in a form that permits a meaningful and actionable documentation offindings andrecommendations.

6 Environment Focused Methodology: Actors Security officer an employee responsible for thesecurity of the organization. The security officer orchestrates the penetration test. Custodian an employee in possessionofof theassets assets, setsupandmonitors the penetration test. Penetration tester an employee or a contractor trying to gain possession of the asset without being caught. Employee person in the organization who has none of the roles above.

7 Environment Focused Methodology Setup Execution Closure Initialize Setup environment Scout Custodian approval Security approval Monitor Report Debrief Sign documents Execute Time

8 Validation 3 penetration tests in University of Twente

9 Lessons learned and ethical implications Security officer Respect Deception Penetration tester Custodian Employee 1. The attack scenarios should ldbe flexible. 2. The methodology does not respect the trust relationship between the custodian and the employees. 3. During the penetration test, separating the custodian from the employees is hard. 4. Debriefing proved to be difficult.

10 Custodian Focused Methodology: Actors Security officer an employee responsible for the security of the organization. Coordinator an employee or contractor responsible for the experiment and the behavior of the penetration tester. The coordinator orchestrates the whole penetration test. Penetration tester an employee or contractor who attempts to gain possession of the asset without ih bi being caught. Contact person an employee who provides logistic support in the organization and a person to be contacted in case of an emergency. Custodian an employee at whose office the asset resides. The custodian should not be aware of the penetration test. Employee person in the organization who has none of the roles above. The employee should not be aware of the penetration test.

11 Custodian Focused Methodology Setup Execution Closure Initialize Sign documents Scout Coordinator approval Security approval Execute Contain Collect equipment Debrief Select contact people Select custodians Distribute information Collect logs Report Time

12 Validation 12 penetration tests in University of Twente and Technical University of Eindhoven.

13 Validation 12 penetration tests in University of Twente and Technical University of Eindhoven.

14 Validation 12 penetration tests in University of Twente and Technical University of Eindhoven.

15 Lessons learned and ethical implications Security officer Respect Deception Coordinator Penetration tester Contact person Custodian Employee 1. It should be specified in advance which information the penetration tester is allowed to use. 2. Panic situations need to be taken into consideration in the termination conditions 3. The penetration test cannot be repeated many times. 4, The tester should leave a note after stealing the laptop.

16 Comparison Requirment EF Methodology CF Methodology Reliable Repeatable Reportable Respectful: actors ++ + Respectful: trust relationships ++ Realistic + +++

17 Questions?