To me, the scariest movies are ones where the ghost/monster/alien turns out to be someone we’ve come to know and trust. The same thing is often true with cyberthreats – the people who can do the most damage to your organization, whether intentionally or not, are your own employees. During Raxis red team engagements, company employees are one of the most reliable ways we have to gain access to the corporate network.
Believe me, after thousands of penetration tests over the years, Raxis has lots of stories – and I intend to tell some.
Next Wednesday, our friends at Curricula, an Atlanta-based cybersecurity training company, will launch their first annual “Curriculaville” remote cybersecurity summit. The free, one-day event starts at 11 AM and will feature a number of experts from the information security space. I’m proud to represent the Raxis team as part of a panel discussion entitled, “Scary Security Stories” that will begin at 1 PM.
This is the time of year for tales that send chills up your spine and raise goosebumps on your skin. If you haven’t trained your employees properly and put effective cyber defenses in place, well . . . let’s just say you might be in for a quite a fright.
The good news is that Raxis stories usually have happy endings. We might steal some passwords and take over your domain, but 99% of the time, we leave your soul intact. And, we’ll show you how to avoid the real bad guys who will take that and more if they can.
Please check out the link and sign up for this informative, educational event at Curriculaville. After all, hearing our scary stories might just keep you from living one of your own.
Brad Herring and Scott Sailors had the pleasure to present at the (ISC)² Atlanta Chapter Meeting last Thursday. The topic was on Social Engineering and understanding how the high success rates of social engineering impacts network security. Herring and Sailors shared the most common attack vectors, which include phishing, spear phishing, vishing, physical with a pre-text bias and physical with a technology bias.
The members were shocked at the 90% success rate Raxis sees with social engineering across all verticals and business size. Further sobering is the fact that, once Raxis gains access to an internal network, our team is successful in achieving an “impactful breach” 85% of the time.
Once the realization hit that determined and skilled hackers are commonly able to breach armed security, card keyed systems, numeric keypads and other physical controls, it became apparent the importance of achieving and maintaining a strong internal network security program.
This engaging meeting facilitated many conversations about physical security as well as the effectiveness of a mature phishing campaign. The group was able to heighten their awareness of the types of attacks to which businesses often fall prey, understand the behind the scenes actions that take place once credentials or access is achieved, and discuss meaningful remediation steps for combating these attacks.
An effective information security program is built upon a strong physical security strategy. After all, if an attacker can breach your physical security all of the network controls are more easily mitigated. On average our internal network penetration tests yield an 85% success rate. Once an attacker physically gains access to network connectivity, the chances of a data breach become exponentially higher. The role of a physical security strategy is to prevent an attacker from gaining tangible access to company resources so that secondary attacks are not possible.Raxis is frequently retained to test the physical security of corporations in various verticals. We utilize many techniques in our attempt to gain unauthorized access via highly technical approach vectors such as RFID badge cloning and IR cameras to simple social engineering pretexts.
We average an 85% success rate on internal network penetration tests
We commonly find that companies implement technology and processes that, on the surface, lend the impression of safety. Often, however, these controls are ineffective against a capable adversary, thus the net result is that the attack surface gains complexity without benefit, making the organization more vulnerable to targeted attacks.While some companies go to such lengths as employing security guards, both armed and unarmed, the presence of such personnel often provides a false sense of security. While they are excellent visual deterrents, security guards are only one component of a robust security strategy for physically safeguarding your critical data.Likewise, hi-tech security measures such as proximity cards and cameras often help an organization feel more secure, but the reality is these technologies add complexity and require additional resource overhead to maintain their effectiveness. Highly technical physical controls often can be hacked and, if not properly managed, sometimes leave a facility more vulnerable than it would be without them.Here is a sampling of the attack vectors we have employed in the past to circumvent physical security controls and gain unauthorized access to a facility:
Poorly Trained Employees / Employees with a Casual Approach to Security:
At the end of the day a company’s best defense is a well-trained and vigilant employee. The popular phrase, “if you see something – say something” is incredibly important. Employees know better than anyone else what is out of the ordinary – be it a suspicious package or a person. Employees need to be trained in secure practices, and given the authority to challenge or report anything or anyone that seems out of place.Often employees are lulled into a false sense of security through observational confirmation bias. They believe if someone has made it past the guard and is on the floor they must have permission to be there. This is reinforced by social behavior tendencies that make it uncomfortable to confront unknown individuals. A fundamental tenant of awareness training is to re-train employees to practice heightened vigilance in the workplace. Raxis consultants bypass guards and other countermeasures regularly while conducting engagements for our clients. In every one of those cases, if an employee had simply recognized us as being outside of the normal and challenged us to to confirm the legitimacy of our presence, our attempts at compromise would have been thwarted. The reality is that most individuals do not feel comfortable with confronting someone in an office setting. This is a behavioral tendency that social engineering attacks exploit to lend legitimacy to a given pretext.The better an employee is trained to question people and events that are unfamiliar, the more robust the organization’s security posture will become.
Proximity Badges
Many companies fall prey to the false sense of security that arises when using RFID proximity card access control systems. In practice, many of these systems can be easily hacked electronically without the employee’s knowledge.
For less than $600 and the ability to do a Google search one can obtain step by step instructions in making a weaponized badge reader that can be used to acquire an employee’s RFID badge data from a distance for later cloning.
In many cases, an old fashioned tumbler lock and key would offer greater peace of mind.
Lack of Photo Badging
To make matters worse, many companies that leverage badge access systems do not utilize personalized badges with employee photos. This may be due to a myriad reasons from budgeting to lack of headcount to manage such a program, to the level of effort to upgrade from legacy systems, or other business drivers. Even in environments where photo badges are prevalent, employees often do not take the time to verify that the photo on the badge is actually that of the person carrying it. Indeed, a surprising number of companies feel satisfied simply using a white proximity badge without any type of accompanying credentials.Proximity badges, if possible, should be paired with a photograph credential that validates the individual’s identity and indicates the level of access that person should be given. All visitors should have to sign in and in many cases be escorted while on premise.Even the most robust badging system is completely innefectual unless employees are required to use it consistently. The physical layout of the office reception area plays heavily into enforcing access policies. Along with the photo ID the form factor of the office should require that each person must pass through a checkpoint (even if it’s a receptionist) to show their ID and perform the badge swipe.
Unmonitored Cameras
The use of video surveillance systems is another means by which a false sense of security can manifest. In many cases, the cameras are either not functioning or are feeding directly to a DVR to provide investigative collateral after a security event has occured. The reactive use of surveillance systems negates the benefits of the added visibility they provide.The challenge is that most of the places we breach don’t even know we were there. We walk in, do our thing and exit. The company does not know to investigate because an incident response was never triggered; they were not leveraging their surveillance technology proactively.In many cases, if the company had security personnel charged with monitoring the cameras, a security breach could be stopped before it happened, rather than investigated after the fact when the damage has already been done.While cameras are an effective deterrent to many attackers, they must be used correctly and as part of a larger strategy lest they once again facilitate a false sense of security.
What You Can Do
The importance of awareness training can not be overstated. Understanding the role that company culture contributes to the level of employee vigilance offers critical insight into the implementation of any security training program.. The goal is not to make your employees paranoid or uncomfortable, but to help them develop a sense of situational awareness in the workplace. Empower them to report anything that is out of the ordinary and to know that it’s part of their job to do so. A formal security reporting process that is well understood will assist with streamlining response efforts. Recognize the limitations and vulnerabilities of your security systems. It is often said that security is a process. An effective security program encompasses dynamic layers of controls in which weaknesses are identified and mitigated through compensating controls.Test the effectiveness of your systems regularly. Utilize an outside assessment firm such as Raxis to partner with you and your team and assess your performance. Tests such as these are critical to understanding the strengths and weaknesses inherent in any security strategy and how to best utilize available technology to increase the organization’s resilience to attack.We hope you’ve found this article insightful. Below is a short video that illustrates a typical engagement for Raxis. This video will demonstrate some of the techniques employed to by Raxis consultants to infiltrate a facility, establish persistence, and exfiltrate sensitive information – all without the company being aware.
Most companies realize that you can spend millions on network security but one of the biggest gaps is the employee. The human element of a workforce can easily be exploited once you understand the basic psychology of human behavior. Most people at their very core simply want to be helpful. People generally want to be nice and are often concerned about what people think of them. We see this time after time when we are doing a social engineering engagement for our clients. Do you want to get into a locked door – load up with boxes and follow an employee, “Oh – can you hold that for me?” Really – who wants to be the person that says, “No – put down those boxes and struggle with it yourself.”? Looking for a password – phishing emails are all too easy to the naturally trusting person. With basic precautions the email looks legitimate, and many will click the email and, in the process, load malware giving a malicious actor full access to their computer. Physical security – many times this is a false sense of security. Often times security guards are hired for low wages and without extensive training. Certainly this is not always the case, but many times it is. While the visual effect of a security guard can be a deterrent, to the experienced person seeking to infiltrate your business it’s often a mild annoyance that simply requires a little more surveillance and planning.
One of the best ways you can strengthen the human element is to test the human element. Whether this is through an outside company or internal tests. People respond to real-life examples. You can teach seminars and send emails about social engineering with somewhat limited results. However, when someone actually falls for an infiltration scam, and they later find out it was a test and are told the results of the actions of the person who infiltrated the company – that lesson sticks.
Many times employees don’t understand the critical role they play in the security of your business. However, once they see first hand the potential results of their actions, it becomes much easier to tell the person with the boxes that they must go to the front door and sign in. It becomes more comfortable to call your IT department about an email – even if it seems to be okay.Regardless of your industry, real world testing simply makes your business stronger. What will you do this month to help your people learn how critical they are to your security?
