By Mitchell Bearry, Information Security Analyst
We all want to be nice to people, right? They could be carrying a ladder or other heavy object. They could appear to be in a hurry or have that look on their face that says today is NOT a good day to bother them. They might have a disability. Whatever the reason, when we're entering a building, the nice thing to do is often to hold the door open for these people. And why shouldn't we? For most of us, it has been ingrained as the proper thing to do for so many years that it has become instinct. While it is a perfectly nice thing to do in everyday life, for employees of a financial institution, doing it even once could result in millions of dollars' worth of damage. In the example below, I will tell the story of how a fellow analyst and I exploited people's kindness, and how it could have ruined a financial institution with billions in assets.
For this engagement, we were contracted by the organization to attempt infiltration of their headquarters. The cover story we prepared was that we were the vendor responsible for installing their security cameras. Given that the building was large enough to sneak into without announcing ourselves, we decided to attempt getting in and out of the facility unnoticed and to fall back on the cover story only if we were stopped. I researched the uniforms worn by the vendor's employees and had similar ones made by a printing shop. I also used a badge printer to create false identification badges with the vendor's logo, a job title, and an employee number to complete our disguises.
Prior to travelling to the client's facility, I scouted the layout of the area using Google Maps. I used the street-level view to move around the building, analyzing the doors to identify the easiest point of entry. Distance from the parking lot, availability of trees or other forms of cover, and parking options for my rental car were all factors I considered when determining the best approach. I finally decided to enter from the rear set of doors, on the opposite side of the building from the front entrance that faced the street. I planned to perform the operation a little after noon: fewer employees would be present to stop us, but there would still be people returning from lunch to follow in.
Cut to a bright sunny day around one o'clock in the afternoon: we were sitting in the rental car in the parking garage adjacent to the organization's headquarters, waiting for someone returning from lunch to follow into the building. Several employees returned, but none parked close enough to us to provide an effective means of tailgating. They were either too close to the entrance or too far away from us to time it correctly.
Finally, someone approached the set of doors we wanted to enter through at a close enough distance that we got out of the car and began walking in sync with them. We adjusted our pace so that we arrived at the entrance shortly after the employee, and they held the door open for us to enter.
It was at this point that we had a decision to make. Given the layout of the lobby, the receptionist sat behind a half wall facing the front entrance. She could not see anyone entering from the back, and it would not look suspicious to loiter for a bit. From a previous conversation with the client during scoping, we had learned that the ground floor held only a small branch and the reception desk. While the branch might have interested some attackers, we were after the secrets we could obtain from the business headquarters on the upper floors. There were two ways up: the elevator, which required RFID badge access to move between floors, and the stairwell. We decided it would be easier to tailgate an employee through a door they might hold open for us than to get on an elevator and hope the employee would badge us to the floor we wanted without too many questions.
By this time the employee we had followed into the building was long gone to the upper floors, so we waited for another one while pretending to be on the phone, marking items on a clipboard, and otherwise presenting ourselves as busy. As luck would have it, another employee soon entered through the same entrance and opted for the stairwell to reach the higher floors. We followed behind, and after entering the stairwell, the employee proceeded up the stairs to the third floor.
This is where the test came. While the first-floor stairwell entrance did not require RFID badge access due to fire safety requirements, the doors on all other floors did. Instead of risking the employee asking what our business was, I had the idea to lag behind a bit and let the employee go through while we were still climbing the stairs from the second floor. As soon as he entered, I sprinted up the stairs and grabbed the door handle before the door could close and relatch. This allowed my coworker and me to enter the third floor without the employee or anyone else noticing that we were there.
People arriving by elevator had to badge in yet again through doors at either end of the elevator lobby in order to enter the floor suites, but due to a design flaw from the building's construction, the stairwells opened directly into the office suites without any further access control. My coworker and I began roaming the floor freely, seeing what information was available for the taking. Another lucky break: because of the pandemic, many employees were still working remotely. That, combined with it still being around lunchtime, meant a large number of cubicles and offices were empty. We had open access to the floor, and nobody was the wiser. The occasional employee passed us but paid us no mind, given our disguises.
We found multiple opportunities to exfiltrate data. The cameras were confined to the elevator lobby; none covered the general areas of the floor, let alone the offices. With my coworker keeping watch for anyone nearby who might spot us, I slipped into several offices that had been left open and photographed sensitive information lying on desks or pinned to corkboards. Knowing that most employees do not lock their desk drawers, I rummaged through the files inside them and photographed member information, sticky notes containing Personally Identifiable Information (PII), and internal reports. The offices I had access to included those of managers, vice presidents, and directors of various departments. I found the financial information of many members, building diagrams for the headquarters and every branch, and even a set of keys to a very nice late-model car.
Having gathered enough to call it a win, my coworker and I decided to try another floor. We entered the stairwell and walked to the fourth and second floors, waiting for someone else to enter so we could follow them onto one of the other floors. After about ten minutes of waiting with no luck, we judged that we had enough for the proof of concept and called the client to come meet us so we could discuss the engagement.
What can we learn from this? This entire operation succeeded because employees did not watch for unauthorized individuals following behind them; the stairwell doors opening straight into the office suites only made things easier once we were past the first badge reader. As harsh as it sounds, preventing a physical compromise that could bring down a company means it is necessary to stop being nice. Moreover, it's time to get rude. In this example especially, since employees were required to wear the organization's ID badges, every employee we tailgated should have challenged us about why we were not wearing one. If your organization requires visible identification, don't let someone in without it. If someone tries, ask who they are. Escort them to a receptionist or another person who can direct them where they need to go or deny them access. Close doors behind you, even if someone is approaching quickly, so that they have to use their own badge. Physical security is not just the responsibility of a Security Officer or other designated employee. It is every single employee's duty to ensure that the company grows and remains secure. A single person not following the rules could destroy an entire company, particularly a financial institution.
This duty comes from awareness. Cybersecurity awareness training, including elements related to physical security, should be a standard, recurring process conducted at least annually. Describe the physical security responsibilities of employees in the Information Security Policy or another governing document and require all employees to sign and acknowledge it annually. Conduct training sessions on physical security to ensure all staff are aware of the potential threats and how to prevent them. Test your employees through social engineering engagements such as the one I performed to confirm they are following the rules. In this instance, the organization was able to take the lessons learned from our test and use them to improve its physical security program. Be vigilant: the next time it happens may not be a test.