Sometimes hackers can’t get everything they need remotely. Some companies do cybersecurity well and keep their networks locked down. As a result, some hackers attempt to penetrate a network by gaining physical access to offices and implanting malware directly on computers or other corporate devices such as smartphones.
Employees must be aware of unauthorized visitors in their corporate spaces. They must also be aware of their surroundings when conducting company business out of the office.
- Physical Access
  - Physical proximity
    - Shoulder surfing for passwords and sensitive data. Hackers in public places (trains, planes, cafes, etc.) can view screens while nearby.
    - Eavesdropping
      - A business espionage classic. No equipment or skills needed. Just listen.
      - Real-world tests have demonstrated that focused but simple eavesdropping on in-person and cell phone conversations in public places can allow attackers to gather enough personally identifying information to connect a person to their job, home, and family members. (https://www.mprnews.org/story/2019/03/11/npr-googling-strangers-one-professors-lesson-on-privacy-in-public-spaces)
      - When you’re in public, you’re not necessarily anonymous!
  - Social engineering for unauthorized entry into controlled spaces
    - Once a person has made it past the turnstiles or locked doors, most employees assume they belong in the building.
    - Attackers act like they belong in a location and then steal data or equipment. They exploit the natural tendency not to confront people who may belong there (e.g., not asking to see someone’s badge at a controlled door). They may even wear uniforms from a repair, extermination, or construction company and claim to need to make repairs, spray for bugs, check on structural elements of the offices, etc.
  - Badge copying
    - Employees wearing their badges outside company property
      - Attackers can wait at cafes near the target company and take pictures of badges when employees wear them in to get coffee. They can manufacture replicas and wear them to gain access to the company’s office spaces and steal data.
      - Though the replica badges won’t open doors, attackers can use them as props to get employees to open doors for them because their badge is “broken” (more social engineering at work).
  - Controlled entry location piggybacking
    - Attacker stands by doors waiting for employees to come out and hold the door, or goes in right behind other employees.
    - Attacker strikes up a conversation with employees as they enter a controlled door or pass a guarded checkpoint.
  - Wardriving/Warparking
    - In the early days of wi-fi, attackers drove around neighborhoods with wi-fi antennas looking for unsecured wi-fi routers in homes (unsecured was usually the default). Having found one, they would park outside the home or office and use its wi-fi to download illegal material over the internet from a connection that wouldn’t be traced to them, to launch attacks on other computer networks, or to steal data from the network they had accessed from the parking lot. Almost all home wi-fi routers now come with strong randomized default passwords, so this has diminished in neighborhoods, but it still exists in the corporate world.
    - People or vehicles lurking outside company facilities for a long period of time may be trying to gain access to the company’s wi-fi from a distance.
    - [Example: Russian GRU officers caught stealing wi-fi in Belgium to get email addresses, in order to later get information about what the WHO was doing about the Skripal attack.]
    - A company’s secure network can sometimes be accessed through its less secure wi-fi, or even through other systems that use wi-fi or Bluetooth for communication. Why care about unauthorized access to company wi-fi? Because some people won’t be online just for YouTube.
    - [Example: Marshalls was hacked through its wi-fi system by a hacker sitting in the parking lot of a Marshalls store in Miami in 2006.]
Knowledge check:
- Gaining unauthorized physical access to a facility can occur by (select all that apply)
  - tail-gating
  - shoulder surfing
  - stealing or copying badges
  - warskating
  - picnic hopping
- If you don’t recognize someone at your company, you should do the following (select all that apply)
  - tackle the individual and pin him/her down until security arrives
  - ask the individual for their name and the nature of their business
  - offer to escort the individual to where s/he needs to go
  - quietly report the individual to security
  - say nothing to avoid embarrassing yourself or the individual
- Shoulder surfing involves
  - surfing on your shoulder
  - looking over your target’s shoulder to identify what login credentials are being entered
  - using a mirror over your shoulder to identify what your target’s login credentials are
  - combining downward-facing dog with warrior 3 pose
  - barrel roll while snowboarding
- Wardriving is the act of driving around looking for unsecure wifi access points (T/F)
- A company’s secure network can be accessed through the following (select all that apply)
  - the company’s less secure wifi
  - devices that use bluetooth
  - the gym
  - old equipment awaiting destruction
  - social engineering your way into the facility
GHOST Employee Handbook Policies
- Physical proximity mitigation – Be aware of people nearby. Don’t discuss sensitive corporate information outside of company offices. Use polarized screen covers on laptops when working on corporate information in public, or position yourself so no one can see your screen.
- Social engineering (unauthorized physical access) mitigation – Question anyone you don’t recognize in controlled spaces. This can be done in a friendly way: “Can I help you?” If they offer no verification, state that you haven’t seen them there before. If they are still evasive, go directly to the point: tell them you are responsible for access to the area and you can help them register for the proper credentials. Don’t ask whether someone has approved their access unless you plan to contact that person on the spot, before the intruder has left. It only takes minutes to access sensitive computer data and just seconds to install malware via a thumb drive.
Bottom line: if you’re worried about a bit of social embarrassment over questioning a new employee’s right to be someplace, or even a high-level manager’s right to be there, imagine how you’d feel if it turns out that that person is a pen tester who will report that YOU were the weak link that gave them access. Or worse, if it was an actual attacker who stole data or destroyed your company’s network. Mistakenly stop a boss and you may look like you really care about the security of your company’s network and data. Fail to stop an attacker and you may lose your job.
- Badge copying mitigation –
  - Don’t wear your badge outside of company buildings. Your barista will not be impressed!
  - Report lost or stolen badges to your company ASAP.
- Controlled entry location piggybacking mitigation –
  - Don’t let people into secure spaces without verifying ID. Just say it’s policy that you need to see ID for people you don’t know, or call for a building escort.
  - Is your job so interesting that strangers might start talking to you about it as you walk into your building? If they claim to be employees but you’ve never seen them there, JUST SAY THAT! Never give access to unknowns, especially not just to be polite.
  - [Side note: Penetration testers: Not all people seeking access without authorization are attackers. Some are penetration testers, people hired by your company’s management to test the defenses of your company. In addition to doing online tests of your company’s website and sending phishing emails to test employees’ responses in a safe and controlled way, they also attempt to gain access to company office spaces without authorization to test the physical defenses of the company. They use social engineering to get past security guards, receptionists, and other staff. They may claim to be inspecting the building for security reasons or public health reasons. They may say they have approval from unspecified managers or off-site locations. In short, they lie. They report employees who give them access outside of company policy. Even though it was just a test, sometimes those employees are disciplined, or even fired. Your best defense is to apply your company’s rules for granting access rigidly. Better to deal with an upset manager you don’t recognize who forgot his badge than to deal with HR when they tell you that you gave a pen tester unauthorized access!]
- Wardriving/Warparking mitigation –
  - Be aware of vehicles that don’t belong to company employees or visitors. Be alert to people lurking in odd locations close to your office building.