Stories from the front lines of a physical breach attempter . . .
We’ve all seen phishing emails, spam calls and instant messaging scams, but what happens when social engineering breaks out of the cyber domain? In the physical domain, a sophisticated or highly motivated adversary can employ various in-person social engineering tactics to break into your organization and compromise information by taking advantage of the weakest link in information security: people. Here are some stories from the frontlines I have personally employed as a part of our physical breach attempts service.

The method of social engineering that yields the best results when we conduct physical bypass audits is impersonation/pretexting. This is when an adversary (or authorized tester) arrives under false pretenses and attempts to gain access to physical or network assets. In one case I arrived at a Client’s location with a backpack sprayer and a fake work order that was printed from a template found online. Once inside I greeted the person behind the desk and explained I was there for a routine bug spray and presented the work order. The sprayer, my attire, and work order granted me enough authenticity that the employee allowed me access to the inside and outside of the building. Impersonation and pretexts are successful because they give a seemingly legitimate reason for an adversary to be on site.
Another method I have employed is simply following an authorized person through an entryway, or tailgating. In cases where I must bypass a badged entryway, I use another person’s access to get through the door, piggybacking off of their credentials. Both of these methods of bypass allow an adversary access to a building, but are frequently halted if the person being followed is suspicious of the person following them in. In this case, a sophisticated adversary will follow up with a pretext or impersonation attempt to maintain access to physical resources without rousing further suspicion. The key to thwarting impersonation or piggybacking is the same as many security controls you already employ: authorization. Any time someone attempts to enter your organization their visit should be documented ahead of time, and employees should know who to contact to verify potential intruders to your organization.
Other methods I haven’t employed (or have yet to) are shoulder surfing and dumpster diving. Shoulder surfing is when an adversary watches a person’s computer screen for sensitive information such as organization charts, passwords, sensitive emails or any other information an attacker could use to inform further breach attempts. Dumpster diving is a similar (albeit more hands on) approach to gaining information by looking through trash for internal documentation, memos, or even passwords written on sticky notes that were hastily thrown away. Shoulder surfing can be avoided by ensuring personnel access information assets in a secure location that is free from wandering eyes. Dumpster diving can be mitigated by using secure trash services, document shredders, or switching sensitive documentation from physical paper to digital mediums.
In-person social engineering requires a highly motivated adversary, and a perceived high value target to justify the risk of withdrawing from the cyber domain. However, just because a threat is unlikely does not mean the threat is impossible. Having organizational policies in place to prevent unauthorized access can deter threats from an opportunistic adversary who is given information by chance and decides to use it for personal gain. Across your organization, encourage employees to verify visitors, and if your organization uses badges, ensure employees are comfortable asking each other for their badge if it isn’t visible. Additionally, ensure your acceptable use policies clearly prescribe secure procedures for accessing organizational assets, such as where and when they are prohibited from accessing sensitive information. Finally, you can put your policies and procedures to the test with an auditing firm, including infotex, that provides physical penetration testing services to ensure there aren’t unidentified risks in the case an adversary does come knocking.