'Kramer' Is In The Building

My firm, Secure Network Technologies, was recently hired by a large healthcare provider to perform a security assessment. As part of the job, my partner, Bob Clary, posed as an employee, similar to the "Seinfeld" episode in which Kramer shows up and works at a company where he was never actually hired.The job included both an internal and external network examination. The company had a significant number of internal systems, so being on the inside to perform the needed scanning helped considerably.

The client also had moved into a new building and requested we test its physical security and social-engineer our way into the building to connect to the network. By leveraging the ability to be on the inside of the network, our vulnerability scanning and testing of its network security would be considerably more efficient.

So Bob entered the building as if he were just another employee. Unlike other social-engineering efforts that require disguises, following the company dress code of business casual seemed appropriate. Bob wore his favored attire of blue jeans and t-shirt, accompanied by white sneakers.

When he entered the building on day one, he walked by security and rode the elevator to the first available floor. Within minutes, he had located an empty cubicle, connected his laptop, and started scanning the network. On day two, he entered the building and successfully commandeered another floor and cubicle. Within the next few days, Bob was reserving conference rooms -- and in some cases, asking occupants to leave when they overstayed their reserved time.

This madness continued for the next four weeks. When Bob was not scanning the network or trying to locate vulnerabilities, he started collaborating with employees. Within this short period of time, he was participating in birthday parties, pot luck lunches, and numerous other social events. Additionally, Bob was frequently seen rummaging through filing cabinets, taking pictures inside the facility, and moving floor to floor, working at his computer in different places.

As we neared completion of the engagement, the normal process of examining the results and writing the report took place. Approximately two to three weeks had passed, and we were ready to deliver our report to the customer. The client was appalled by the lack of building security. Although we had documented the physical security deficiencies with photographs, we were asked if we would go back and provide some hidden camera video footage. We agreed, and Bob returned to his former nonemployer the next day.

With no surprise, Bob easily entered the building, returning to the most common areas inside of the facility. Interestingly, he was greeted by several of his "co-workers," frequently asking him about his recent disappearance and whereabouts.

It wasn't just the building security that the client needed to worry about in protecting its digital and nondigital assets: Employees need to be conscious of the threat of an inside imposter. Bob's ability to work at this facility without raising suspicion was similar to Kramer's caper. But, unlike Kramer, Bob left the facility without being fired and returned to his real occupation as a security expert. He now holds the company record for going undetected inside a facility for the longest period of time.

Steve Stasiukonis is vice president and founder of Secure Network Technologies Inc.