The Importance of Escort Policies
January 24, 2022
Overview
Escort Policies are strong deterrents against potential social engineers because no bad actor or individual wants to perform a malicious act while being watched. Institutions, whether financial, healthcare, or insurance all have moving parts. If the organization is large, then there are many people coming and going, and if the organization is small, then sometimes labor can be scarce. Both are opportune situations for any social engineer, let's see how.
The Story
During this engagement, my pretext was that of a Fiber Network Technician who was sent to perform an inspection to obtain information from the demarc point in the server room about verifying that a recalled fiber cable could be potentially present at this location. This pretext has been very effective over the years since internet service providers had begun the task of installing fiber networks at various places across the country. Being that this is an emergent technology, and I am not likely to run across anyone with fiber optics hardware experience in a clerk or administrative role at this facility, this is a tried-and-true disguise for any location.
When the assessment began, I arrived at the first facility on my "inspection list" and went to check in with the receptionist or branch manager on duty. When I am performing this assessment, I prefer to either start at the very beginning of the day for some locations, then hit the final or last two locations as the lunch shift begins. I do it this way for two reasons: 1. to catch a manager or authority figure under the stress of a busy morning, and that I will be the fastest and easiest thing to complete first. 2.Since managers are usually the first in the building in the morning, they are the first to lunch. By performing the assessment this way, I'm always utilizing my best chance at catching a medium to large size organization either under duress or visiting the facility when they down a team member or more.
This technique is not always guaranteed, but I have more success than failure with this method over the course of three years. Due to the nature of my visit and that it being due to a potential recall of property that is not technically owned by the organization, I can typically bypass any training for internal employees because the matter supersedes the network at the bank and is based on the fiber network as a whole. On this one instance, the branch manager assigned a young person to escort me through the facility. I strike up a conversation as soon as I am led to the networking closet or server room on the level of work being formed, how bad my day is going to be, anything I can do to be annoying and unrelatable to the young employee.
Escort policies are utilized at most secure facilities regardless of size across all parts of our great country. One thing that I have noticed over the years is that these escort policies are not always respected by internal employees and are seen as a detriment to their daily tasks to complete. This is as such because no one wants to be stuck "babysitting" a random visitor when they have more work to complete or desire to perform another task.
After annoying this employee for the better part of five minutes, a phone rang three times, and my escort took the opportunity to leave me since it seemed I knew what I was doing. In this moment, I took out my phone and began utilizing my alone time to document that I was alone and the access to the critical systems in use I had just been given. The young employee did not return after she finished her call and I walked around the back offices more to see if I could find the records room. Luckily there were no physical records onsite at this branch.
Young employees are not the only portrayers of this behavior, and even a seasoned manager who has had additional training will make similar errors out of job requirement to handle something else. In this next situation, I was training an employee and there was a branch located in a grocery store for this client. We were using a similar pretext to inspect networking endpoints that needed to be inspected for a possible factory recall. This branch manager upon hearing this story even mentioned that he was aware of the internal escort policy in place and that we were accustomed to accommodating such a policy in our routine visits. The branch manager was diligent but there are always moving parts in any branch or office that deals with the public. An important phone call came, the branch manager had to take the call just for a minute, but we had already been given access to the room. He left us for two minutes. Just enough time to plug something in or leave any malware device we desired in the room.
After performing this service for a couple years, any social engineer attempts to turn a weakness into a strength. Time is not always on the side of an organization in making a social engineer wait. If the organization had trained properly on performing an escort, the employees could have been instructed to disregard their current task until the visitor leaves. This may be what is written in many documents but is not always followed because it is not rehearsed.
Another practice I only see in large organizations is to always make a copy or retain the driver's license of the visitor until they leave. Both are strong practices and faking a driver's license is no easy task. Also, fake items can contain user errors. Errors that could be the use of the bad actors actual name, there will be an actual picture of them that will be easy to obtain if a copy is made of their employee id or driver’s license. Even though camera footage is present in most places, vendors manage this service in some situations and reviewing camera footage takes precious time.
Our Recommendations
Instruct all employees to focus on all unannounced or visitors to be escorted while at the facility. This is their most important task of the day until that person has left the facility, and nothing should supersede this duty except an emergency.
Visitors and newcomers are the instigator of change that occurs. Therefore, all employees should be hesitant of anyone who is new to their working environment who is not a customer.
Internal training on how well an escort of a visitor is performed could be performed annually or quarterly depending on organization size.
Make a photocopy of the company ID or driver's license provided.
Incorporate physical escort training into your annual cybersecurity awareness training program.