Sometime clients call us to help them make a business case. Other times, they call us to dismantle one.
We got one of those dismantling calls recently from a manufacturing concern that had been acquired by a larger holding company. Our caller's new boss took a look at the security systems and tools of his new business unit. Without any due diligence, the new boss decided the unit had more than enough security (maybe too much?) and promptly cut off spending.
Our client, the smaller entity's CIO, was a pretty straightforward guy and insisted on a "no rules" scenario -- he would provide no external addresses to scan, no phone numbers, nothing. In his words, "Just break in."
I know he assumed we would be staying up late at night, drinking liters of coffee and soda, and trying to leverage every known exploit and technique to compromise their network perimeter. The test was supposed to be held in confidence. Unfortunately, a reliable source told us that the network security people were waiting for us, monitoring network activity, and locking down devices and services that could serve as an entry point into the network.
We started by scanning the network perimeter, looking for anything we thought we could leverage. Then we decided to see if we could find a modem kicking around the office. There were only a few published numbers in the local phonebook, but we knew several hundred employees worked at the facility. But we remembered from a previous site visit that an employee directory was available in the lobby. We decided to grab it and use those phone numbers for dialing.
The next day one of our crew made his way into the lobby of the building. Posing as a lost businessman, he asked the receptionist for directions to another business in the area. As she provided directions, a handwritten map, and a litany of other worthless data, he was able to lift the company phone book from her desk.
That evening we loaded up the war dialer and started dialing all the phone numbers in the directory. We even dialed a hefty range of numbers that may or may not have belonged to the company, in hopes we would stumble on something. It takes about a minute for every number dialed, so this takes a considerable amount of time. Our results were pathetic; we didn't find anything, and we woke up a lot of people with our extra guesses.
At this point, we started to think the IT department was unplugging equipment, intentionally making our job tougher. We decided to pose as businessmen, gain entry to the building, and leverage the network from the inside. Dressed in my best suit, I entered the reception area and requested a person that I knew was not in the building. (I'd called earlier to confirm that they were out for the day.) When the receptionist indicated that my contact was out, I insisted that the person had changed his plans and intended to meet me at their facility.
Told to wait while she sorted it out, I asked the receptionist if I could sit in an adjacent conference room to make a phone call. She allowed me in, and even let me close the door for privacy. As soon as the door was shut, I scoured the room for a network jack. I found one behind a movable cart used to support a television, video tape player, and a variety of cables and surge protectors -- a big, tangled mess.
From my briefcase, I pulled out an inexpensive wireless access point and plugged it into the conference room network connection. My assumption was they were running DHCP, which they were, so my device got an address. I hid the device behind a myriad of cables on the cart and proceeded to make my getaway; as I opened the door the receptionist stood there, blocking my exit. I assumed I was caught and going to be detained by security.
To my surprise, she handed me a cup of coffee and apologized for the wait. Trying to maintain my composure as if I had done nothing, I drank the coffee, thanked her, and made my way to parking lot.
From my car I connected to the planted wireless AP. To protect the customer, we secured the AP with the wireless encryption protocol (WEP) and restricted it to my MAC address only. With minimal effort and a free coffee to boot, we had successfully penetrated the network.
We shared our results with the client -- and couldn't discern if he was pleased or peeved that we'd actually been able to break into his network. We don't know if he got back his budget or autonomy. But as much as the organization tried to lock down the perimeter, there are just some attacks you can't combat, or think to combat. The customer did flash on the potential for similar kinds of attacks by his own staffers and other insiders. Maybe the fact that an outside consultant could crack the nut with so little effort was sufficiently persuasive to convince his new boss not to take away his budget.
Every company has to decide for itself the difference between security that's good and security that's good enough. It's going to be different for every organization, and as our client found, business units inside the same enterprise aren't likely to see eye to eye on this either.
Steve Stasiukonis is VP and founder of Secure Network Technologies Inc. Special to Dark Reading