Security Lessons From Couple's White House Hijinks

Even the most stringent security procedures have failures. That fact was evident when the U.S. Secret Service learned a Virginia couple slipped into last week's state dinner at the White House.The couple was still subjected to all of the normal security screening procedures that guests go through, but they were not on the guest list; an investigation is under way to find out how they were admitted.

When I read the article about the incident, it was hard not to laugh a little. I know it's a very serious situation because they could have been there for malicious purposes, but this is a perfect example of the inevitable failures your security program will suffer no matter what steps you take. Here you have heads of state attending a dinner where physical security is of the utmost importance, and two uninvited individuals make it in without being on the guest list. Incredible!

The Secret Service had multiple layers of defense in place that made sure that even if someone got through, they wouldn't be carrying weapons; however, that doesn't mean the threat was neutralized. The same goes for network security. Just because a laptop has antivirus software and the latest software updates, it can still be a threat to your network as soon as it is plugged in.

A more analogous scenario (had the couple possessed insidious intent) is a malicious insider who brings in a laptop, passes a network access control (NAC) endpoint inspection, and then uses it to access sensitive information. Sure, the device underwent security screening, but that doesn't mean the attacker couldn't use native tools to get to his target.

In the network, this could be through network file shares or a Web browser accessing intranet sites. In the White House example, the tools (or weapons) could have been steak knives from the dinner table.

The other security-related point I wanted to cover is the use of social engineering to gain access. The couple's attack wasn't elaborate. They showed up wearing the proper attire, they knew where to go, and they acted like they belonged. It's no different than a penetration tester dressing up in a delivery person's or alarm technician's uniform to make his way into the target's offices.

While it could prove to be a costly stunt should the White House decide to pursue trespassing charges, the couple helped show a weakness existed that didn't require much effort to exploit besides the clothes and cost of transportation to the event. Just like with pen testing, the White House now has the opportunity to fix a vulnerability that has been documented through (unauthorized) testing.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.