Social Engineering For Hire

There’s an article in PC Magazine about a company called TraceSecurity that performs audits of physical security via social engineering.  Essentially, companies hire them to steal data, and they do so by simply talking their way into the facility and getting unrestricted physical access to the servers.

If a skilled attacker has unrestricted physical access to a machine, they can acquire all the data on it.  Database encryption helps considerably, but only if the attacker does not also get the system that holds the key.  Since the database server often sits in the server room right next to the middle-tier server that does the encrypting (and therefore holds the key), encryption is not necessarily much protection against true physical access.

To most people it seems like it would be difficult to simply talk your way into a private facility and get left alone with the mission-critical servers, but really, I’m not surprised that TraceSecurity reports no difficulty getting left unattended anywhere short of a bank vault.  Daily life is based on trust: we assume that people are what they say they are and appear to be, because life is impossible otherwise.  In addition, we encounter legitimate people so much more often than criminals that, in a sense, a criminal is a surprise every time.

Anyone who’s worked in a corporate office with badge-based security knows how easy tailgating is.  Wait for someone to swipe their badge and walk in right behind them; your chances of being challenged are very low, since people do it all the time, and even employees who once challenged tailgaters have usually stopped within a few months (because it is almost always just a coworker too lazy to get their badge out).  What TraceSecurity does is pretty similar, with a dose of social engineering: dress up as someone who belongs there, act like someone who belongs there, and walk right in.

They tend to prefer pest-control services or fire marshals for their disguises (though impersonating a fire marshal or other public official takes some legal care to avoid committing a crime), while other penetration testers I’ve encountered favor telecom vendors.  If a company’s ISP is Verizon, nobody will think twice about a Verizon technician showing up, and they will probably happily let him into a wiring closet or server room.

The bigger difficulty is not getting in but getting left alone.  Here simple surreptitious entry, such as tailgating, beats dressing as a pest inspector or fire marshal, since those are people you would not normally leave unattended anyway.  Still, people at corporate offices are busy.  If someone is escorting you, dawdle long enough in non-sensitive areas and it is not surprising that they tire of wasting their day following you around; by the time you reach the server room, they swipe you in and get back to work.

This sort of penetration test makes the news because it’s interesting and unusual.  Even TraceSecurity, which the article makes sound like a specialist in this kind of assessment, offers a wide array of other security services; a career spent exclusively on on-site physical/social penetration tests may be limited to the characters in Sneakers.  The main reason it is unusual, though, is the perception of risk.

People can see the security measures around physical intrusion: the servers are in a locked room, in a locked building, surrounded by people who know each other, so getting in must be difficult.  Most people, on the other hand, have no idea how to break into a server from the Internet, so they have no way to gauge that risk other than the availability heuristic, and since online break-ins and data leaks are in the news all the time, it must be easy.  This inclines people to overestimate the risk from network attacks (though, honestly, that risk is high) relative to the risk from physical intrusion.

That said, another thing that limits physical attacks on servers is not the difficulty of the attack but the simple dearth of people willing to carry one out.  Breaking into a building to steal something “feels” like crime, while typing at a keyboard is more easily rationalized; it’s the same reason people who would never shoplift a CD happily copy music, even though both are illegal.  There is also a higher likelihood of getting caught in a physical intrusion, because people have seen you.  This is a case where prevention is very hard but detection is less so.  It takes a special sort of person to be caught red-handed trespassing in a server room and still keep their cool well enough to get out of the situation without arrest.  Admittedly, this lowers the actual risk of attack: it reduces the threat, even though the vulnerability remains.

The usual solution proposed for this sort of attack is user education: just teach people to be vigilant, ask to see the badges of people they don’t recognize, verify the identity of service providers, call the fire department and ask whether the fire marshal should really be here, and so on.  In truth, this just won’t work.  TraceSecurity couldn’t get the bank manager to leave them alone in the vault, because people standing in a vault think about security; they know a normal person might be tempted to steal when surrounded by cash.  In a server room, where the potential loss may actually be much greater, security is not on anyone’s mind, and simple user education isn’t likely to change that.  Human beings trust each other, and criminals learn how to cultivate and play on that trust; a security awareness program isn’t going to change human nature.  What is necessary here is to worry less about prevention and more about detection and response.

When data is extremely valuable, say personally identifiable information with credit card numbers in bulk (20,000 records or more), it shouldn’t be stored in a corporate office server room anyway.  You wouldn’t store $200,000 in cash in a closet in your office building, so don’t store something of equivalent value that is easier to carry there either.  Colocate the server in a secure datacenter, where it is surrounded by people who think about security and is under guard and camera.

For less-valuable data, instead of thinking about how to keep people out, which may be impossible, think about how to know they were there and how to recover from the breach.  Camera surveillance deters crime by making intruders believe themselves (rightly) more likely to be caught.  Use monitoring tools on the computers themselves to detect signs of physical access (which tends to result in the server going down for a short time) and investigate such alerts immediately; make sure those alerts go to a system outside the room, since a log that lives only on the stolen machine leaves with it.  Even procedural measures like requiring people to sign in and out of the server room help: if the sysadmin has to write down that he admitted three people and left them there, security is more likely to come to mind, and he is more likely to speak up later when a theft is discovered.  Finally, do encrypt valuable data, and keep the key somewhere the intruder can’t grab in the same trip.  That ensures that if an intruder walks off with the database file (or the drive it’s on), they are less likely to be able to use it.  It may not be enough against someone who breaks into your building and has all night to figure out where the key is, but it may be enough against the person who has five minutes to copy everything they can to a thumb drive before you come back with their cup of coffee.
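As an added example (not from the PC Magazine article, TraceSecurity, or this post's author), here is the kind of monitoring check the paragraph above describes, run over a few constructed syslog-style lines: the kernel prints its version banner once per boot, so a banner outside an assumed nightly maintenance window marks an unexpected reboot, and the usb-storage/sd driver messages mark a thumb drive being attached. The log format, host name, window times, and sample lines are all assumptions for the demonstration.

```python
"""Added example: flag signs of physical access in syslog-style lines.

Two signals the post describes: a server that went down briefly (someone
unplugged or rebooted it to get at the disk) and a removable drive plugged
in to copy data.  Boot banners outside a maintenance window and
removable-media attach messages each produce an alert to investigate.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log (assumed ISO timestamps, fictional host "db01");
# not taken from any real system or from the article.
SAMPLE_LOG = """\
2009-03-10T02:05:12 db01 kernel: Linux version 2.6.27 (gcc version 4.3.2)
2009-03-10T03:14:55 db01 sshd[4411]: Accepted publickey for backup from 10.0.0.5
2009-03-11T14:22:03 db01 kernel: Linux version 2.6.27 (gcc version 4.3.2)
2009-03-11T14:23:41 db01 kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk
2009-03-12T09:00:01 db01 cron[1203]: (root) CMD (run-parts /etc/cron.hourly)
this line is not in the expected format and is skipped
"""

# Assumed line layout: "<iso-timestamp> <host> <process>: <message>".
# The process field contains no colons, so the first ": " ends it.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")

# The kernel logs its version banner once per boot, so it marks a (re)start.
BOOT_MARKERS = ("Linux version",)
# Messages the usb-storage / sd drivers log when a thumb drive is attached.
USB_MARKERS = ("usb-storage", "Attached SCSI removable disk")

# Assumed nightly maintenance window; reboots inside it are treated as planned.
MAINT_START = "01:00"
MAINT_END = "04:00"


@dataclass
class Alert:
    ts: datetime
    host: str
    kind: str   # "unexpected-reboot" or "removable-media"
    msg: str


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
            "proc": m["proc"], "msg": m["msg"]}


def in_maintenance_window(ts, start=MAINT_START, end=MAINT_END):
    """True if ts falls in the daily window [start, end), given as "HH:MM".

    "HH:MM" strings compare correctly as text; a window that wraps past
    midnight (e.g. "22:00" to "02:00") is handled by the second branch.
    """
    t = ts.strftime("%H:%M")
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def find_physical_access_alerts(log_text, start=MAINT_START, end=MAINT_END):
    """Scan syslog-style text and return Alerts in log order."""
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["proc"] != "kernel":
            continue          # malformed line, or not a kernel message
        msg = rec["msg"]
        if any(k in msg for k in BOOT_MARKERS):
            if not in_maintenance_window(rec["ts"], start, end):
                alerts.append(Alert(rec["ts"], rec["host"], "unexpected-reboot", msg))
        elif any(k in msg for k in USB_MARKERS):
            alerts.append(Alert(rec["ts"], rec["host"], "removable-media", msg))
    return alerts


if __name__ == "__main__":
    for a in find_physical_access_alerts(SAMPLE_LOG):
        print(f"{a.ts.isoformat()} {a.host} {a.kind}: {a.msg}")
```

On the sample above the 02:05 boot falls inside the window and is ignored, the 14:22 boot is flagged, and the removable disk a minute later is flagged. The check only has value if the lines reach it: feed it from a remote syslog collector, not from the disk the intruder may be carrying out the door.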

attacks, physical security, risk
