It’s often said that your employees are the biggest threats to your cyber security. This usually refers to a lack of education leading to employees clicking on links in phishing emails or reusing weak passwords, giving cyber criminals a shortcut through your solid cyber defence strategy. While employees are becoming more cyber aware thanks to increased training, they still have one key weakness that attackers can exploit; they are still human. In any organisation, you want to hire polite and helpful employees, but that natural kindness can be exploited by some of cyber security’s more unexpected tactics. Cyber criminals are increasingly using employees as a way to bypass tough cyber defences, and you need to be ready for it.
At OmniCyber Security, we offer red teaming services that aim to replicate a full cyber attack, with no limits. We are often tasked with accessing a client’s physical offices as part of these engagements to test every angle of security. This is where human behaviour can best be exploited. In this article, we talk you through a few examples of where we have used employee politeness to our advantage to bypass stringent cyber defences.
Effective Pretexting
Pretexting involves the development of a believable character, reason, or motive to engage with employees at the target business. A suitable pretext is essential for any social engineering work. In a recent case study, we discovered that our client was undergoing significant building work at one of their sites. Awareness of the context of an organisation is crucial to tailored and effective pretexting. So is a Hi-Viz and a hard hat. People don’t usually question someone in a Hi-Viz, especially not with building work going on.
Our consultants used this classic disguise to full effect in this engagement, immediately getting access to the building from a helpful member of staff smoking outside the main entrance. Once inside, we could only access a conference room, as every door inside the building was on key card access. The Hi-Viz worked its magic again when two members of staff came in and wanted to use the room. They allowed us to continue our “tests” and even gave us the Wi-Fi password. Top marks for helpfulness, poor marks for security.
Moving on to the Head Office, we waited outside for approximately fifteen minutes until an employee arrived outside the building. We explained to them that we’d been at the other site running some tests and were looking to finish the job here. This again played on the context of the building work and the assumption that we would have been verified at the other site. Not having a proper sign-in process made our task much easier as it relied on employees to be assertive in stopping us rather than the helpful and kind people they were.
Our pretexting work allowed us to exploit employee kindness and eventually achieve Domain Admin access. If that had been a real attack, the consequences would have been devastating for the target organisation. It’s vital to introduce measures to prevent similar attacks, because cyber criminals don’t always wear a hoodie and sit in a dark room staring at a screen. Sometimes they wear Hi-Viz.
Recommendations to Combat Pretexting:
- Implement strict visitor management protocols, including verifying the identity and purpose of all individuals entering sensitive areas.
- Provide regular security awareness training to employees, emphasising the importance of verifying the legitimacy of unfamiliar individuals before granting access.
- Encourage employees to report any suspicious behaviour or requests for sensitive information, regardless of how legitimate the requester looks.
Social Media Intelligence Gathering
You would be surprised at how much information there is about your business on public-facing accounts. Social media reconnaissance is vital in gathering intelligence for physical access attempts during red team engagements. We regularly use publicly available information from social media platforms to build our understanding of the target organisation’s personnel and infrastructure.
In a recent engagement, our consultants conducted extensive reconnaissance on various social media platforms, including LinkedIn and TikTok, to gather valuable insights. Employees often inadvertently share organisational information in publicly accessible posts and videos. Our consultants used a photo showing an ID badge and lanyard to create convincing replicas, so they could move around the building without arousing suspicion.
The social media content surrounding this organisation also showed us potential entry points, security measures and Wi-Fi access points. These are crucial pieces of information to create an infiltration plan, so our consultants can do their job efficiently and with confidence. If we can discover this sort of information from your social media output in a simulated attack, so can the real attackers when they target your organisation.
Recommendations to Combat Social Media Reconnaissance:
- Educate employees about the risks of sharing sensitive information on social media platforms and encourage them to review their privacy settings regularly.
- Implement policies restricting the sharing of organizational information on personal social media accounts.
- Regularly monitor public-facing social media accounts for any unauthorized disclosures of sensitive information and take appropriate action to mitigate risks.
Tailgating into Secure Areas
Tailgating plays on your employee’s natural politeness to bypass secure entrances controlled by access mechanisms like swipe cards or keycodes. Following the social media research above, our consultants had ID badges and lanyards that would pass a glancing visual inspection but wouldn’t work on the badge reader they had also seen in other content.
When they arrived at the building to try to gain access for the first time, they simply joined the flow of employee traffic where everyone was holding the door open for each other, as polite people do. While it’s a nice gesture, it meant that no one had to scan their cards (real or fake) to get in. Our consultants used tailgating on two separate occasions to access the building in one day, and thanks to this and their duplicate IDs, they spent 5 hours in total in the offices completely undisturbed, even able to walk around and take pictures. That’s an incredibly dangerous situation to be in for the target organisation, especially as it only took some photos on social media and confidence to happen.
Recommendations to Combat Tailgating:
- Implement physical access controls such as turnstiles, access badges, and security personnel to prevent unauthorized individuals from entering restricted areas.
- Conduct regular security awareness training to educate employees about the risks of tailgating and the importance of challenging unfamiliar individuals attempting to gain access.
- Encourage employees to report instances of tailgating promptly and provide clear procedures for responding to such incidents, including notifying security personnel and initiating appropriate security measures.
The threat of a cyber attack is constant, and it’s not just a digital threat. We know that cyber criminals are exploiting human behaviour and social engineering tactics to breach your physical security and bypass your cyber defences. It’s crucial for businesses to not only invest in robust technical defences but also prioritise employee training and awareness programs. By implementing stringent visitor management protocols, emphasising the risks of sharing sensitive information on social media, and fostering a culture of vigilance and scepticism, organisations can significantly bolster their resilience against social engineering attacks. We know it can be difficult to fight the instinct to be polite and hold a door open or give someone the Wi-Fi password, but when the risk is this great and the cost is potentially so high, you can’t afford not to.
To test your own defences against a full cyber attack simulation, book a red team engagement with OmniCyber Security’s world class team now.
