Onsite Social Engineering

Prepare your organization to identify potential bad actors and prevent unauthorized access to your most valuable resources

Attackers can show up at your location and impersonate a trusted agent in order to gain physical access to your facilities and, potentially, sensitive company information. The social engineer may pose as a trusted vendor, a research company, or tailgate an employee through a secured entrance. Is your organization prepared to recognize and defend against this type of attack? TraceSecurity’s skilled analysts will deploy creative physical penetration testing pretexts to help you find out.

Customizable Pretexts

Test your employees against a variety of physical penetration testing tactics, such as an analyst posing as an IT technician, pest control agent, or facility inspector, or another custom scenario.

Over 20 Years of Experience

TraceSecurity has conducted social engineering engagements for over 20 years. With over two decades of experience, we’ve refined an efficient process to help your organization achieve valuable and actionable results.

Authentic Badges and Uniforms

Authentic badges and uniforms to complement our cover story will challenge your organization to go beyond a quick glance when validating onsite visitors.

Complementary to Other Services

Maximize your time with our security analysts when we’re performing onsite services, like an IT audit, physical security review, or wireless assessment and penetration test.

Stories from the Field

Here are a few examples of our analysts impersonating bad actors in the field. How would your organization’s policies and procedures hold up against physical penetration testing?
We’ve made substitutions for all company and personnel names to protect their identities, but the stories are real.

The Pretext: Our Information Security Analyst, Ben, posed as an Internet Service Provider technician. Using publicly available information, a bad actor can very easily identify your ISP, just as Ben did in this story. After printing a badge and throwing on a polo to complement his cover story, Ben was ready to see if he could gain access to secure areas within the organization’s protected perimeter.

The Engagement: Ben approached the receptionist wearing his ISP polo and an ISP technician badge to support his false identity, and carrying network test equipment. The receptionist greeted Ben, and he informed her that he was there to determine if their internet router model was eligible for a free speed upgrade currently available in their service area. The receptionist called the IT director, Jim, who confirmed that he was unaware of a scheduled visit from the ISP. Jim walked down and reiterated to Ben that he was not expecting a visit from the ISP. Ben assured Jim that he would not do anything that would disrupt their service and just needed the model number off the router. We are unsure if it was Ben’s charisma, convincing uniform and badge, or the offer of a free internet speed upgrade, but Jim gave in. Jim let Ben into the secured telecom area, and the engagement was complete.

Lessons Learned: It is very easy for a malicious actor to uncover the identity of your trusted vendors, such as an Internet Service Provider.

  • Never allow an unscheduled visitor into a secure area
  • Always call the vendor’s corporate office to confirm the identity and badge number of a technician
  • Be aware of public information about your organization that a bad actor could use to facilitate an attack

Ben N.

Information Security Analyst

The Pretext: The backdrop for this engagement is a large, historic, multi-tenant facility, and our security analyst, Jason K., posed as a facility inspector. You would be surprised how far a clipboard and a carefully planned inspector pretext can take you.

The Engagement: The 2nd through 4th floors of the building were in scope for the engagement, with the primary target being a secure area on the 4th floor. To start the engagement, the security analyst, Jason, walked up the stairs to the 2nd floor. Within minutes, Jason noticed that a door was open that led into a secure area with access to sensitive documents. As Jason surveyed the area, an employee named Susan approached him to ask if he needed help. Jason explained that he was there to meet with Bob, a known contact at the company, and Susan replied, “Oh, great. Let me know if you need anything.” As Susan walked away, Jason found an unlocked document cabinet and photographed a few sensitive documents. At this point, Jason had compromised the organization, but he proceeded to his primary target on the 4th floor.

After taking the elevator to the 4th floor, Jason encountered a door protected by keycard access. He waited patiently until a lady exited the area, and Jason attempted to piggyback access through the door before it closed. Following company procedure, the lady noticed Jason trying to slink into the secure area without using his badge and stopped him. Jason explained that he was working on a facility inspection project with Bob, and Susan had sent him up to review the fire extinguishers and smoke detector placement in the credit department (Jason’s primary target). By name-dropping two employees, he bypassed the inquisition. With her suspicions removed, she introduced herself to Jason and led him to the credit department. Jason had now discovered the names of three company employees, and his backstory grew in relevance.

Jason now faced the final boss as he buzzed for entry into the credit department. Mary, a long-tenured employee, answered the door. Jason carefully wove his story, mentioning each employee’s name he collected throughout the day. Mary followed company procedure and called over her supervisor for approval. Jason re-told the same story he had just told Mary, and without hesitation, he was allowed into the credit department. Jason then walked without escort through the entire department, photographing smoke detectors, fire extinguishers, and mountains of sensitive documents.

Lessons Learned: Bad actors can easily collect the names of your internal employees and assemble a compelling backstory.

  • Bad actors may use name-dropping to build trust
  • Always escort visitors within your building, especially in secure areas
  • Create a zero-trust culture when it comes to physical security

Jason K.

Information Security Analyst

The Pretext: Our Information Security Analyst, Kevin, posed as a local contractor working to expand the target’s office building. By doing research on the area, he was able to find a popular construction company based nearby. He was also able to find contact information for the IT Manager, giving him an easy email address to spoof. With a custom-made shirt and badge, a clipboard, and a tape measure, Kevin was ready to see what he’d be able to access onsite.

The Engagement: On the morning of the engagement, Kevin started by creating an email account with a spoofed domain to impersonate the IT Manager. Using this spoofed email address, he emailed the office manager telling them to expect a contractor to be visiting the building. Once he arrived, he checked in at the front desk and let them know he was there to take some measurements for a building expansion. The visit was confirmed by the office manager, who received the spoofed email.

Kevin was escorted around the building, taking measurements and making comments about the electrical outlets, AC vents, and anything else that would bore the employee into leaving him alone. It worked! After a few minutes, the employee told Kevin to find him if he needed anything and went back to his desk. Once left alone, Kevin was able to go into sensitive areas, like records storage, and inspect anything unsupervised. If he were a bad actor, he could easily have plugged in a malicious device, stolen data, or otherwise compromised the environment’s integrity.

Lessons Learned: Bad actors can easily find your locations and local businesses to impersonate, and they can purchase cheap domains to spoof internal employees.

  • Never break escort policies when visitors are at your locations
  • Always call the vendor’s corporate office to confirm the identity and badge number of an employee
  • Be aware of public information about your organization that could be used in an attack

Kevin I.

Information Security Analyst

Elevate your cybersecurity posture today

Our team will respond before your next cup of coffee

Learn More About Onsite Social Engineering

Webinar: Onsite Social Engineering

Watch the webinar: We expect cyber attackers to send phishing emails and try to hack us from some remote location – but what about when they walk through your front door?