Social engineering has always been a strange topic. If there’s something posted online about it, it’s either boring and no one wants to read it, or it’s misconstrued as a “here’s how you can perform social engineering” tutorial. This post is meant to give individuals a high-level understanding of social engineering and the impact it has on personal and organizational security. The mere idea that social interactions can be “hacked” like a technical system is, in a way, unnerving, but many professionals consistently rely on predictable human behavior to collect information and gain access to restricted areas. This article explores techniques for gaining restricted physical access to rooms and buildings for vulnerability assessment and security testing.

[Image caption: To "Mind Hunter" fans, you're welcome.]

Before beginning, one must consider their appearance in the context of the situation. For example, dressing formally can help someone gain access to offices and corridors, acquiring a maintenance uniform can help solidify access to server rooms and building facilities, and donning a hospital uniform can aid with access to healthcare facility terminals. Scary, right? Once you’ve dressed the part, the next consideration is how to move around the building. Walking with confidence and intent lessens the likelihood that someone will question an unauthorized presence. Another possibility, and a reasonable one to assume, is that the intruder is working covertly with people who already have access to the building.

Tailgating is another popular technique used by professionals to gain access to secured buildings. It simply involves covertly following approved personnel through a door they have opened. Again, assuming the ‘identity’ (not literally) of someone who is supposed to be there allows this to be done without raising suspicion.
A similar technique involves approaching the door with both hands and arms occupied by something like donuts or coffee. If timed correctly, another individual with clearance will likely hold the door for that person out of politeness.

Let’s take a moment to stop here and make this point clear...
...being considerate when it comes to helping people into a secure building, especially unknown persons, is a security risk! Obviously, people will perceive it as rude if you close the door behind you, but keep in mind the proper procedure for your situation and handle the issue accordingly.
Once inside the building, the aforementioned techniques can be used to gain further access to other rooms, elevators, and restricted facilities or sectors of a secured area. Individuals with a plan do not waste time, since lingering risks getting caught, so it’s important for staff to maintain vigilance. Many facilities with strict security may already be on the lookout for these behaviors.

Finally, the unauthorized person can work within the confines of the building’s organizational function. A spoofed message or assumed identity can grant access to spaces within the context of the building’s organization. For example, an individual could pose as a technician who needs to bring equipment to the server room. Any role or function the building could plausibly require can be considered for this approach. Most attackers stick to mundane and predictable roles: a technician, a low-key employee, an official delegate, an IT specialist, or even a consultant. This approach can be used in conjunction with other cybersecurity techniques to carry out a thorough security test.

Is your organization or facility ready to be tested?