A client recently asked us to gain access to its facility and attend a meeting of the board and executive management. Here at Secure Network we've been asked to gain access to numerous networks via social engineering techniques, but this job seemed rather unachievable at first. Turns out it was easier than we expected.

Steve Stasiukonis, Contributor

September 14, 2009

4 Min Read

A client recently asked us to gain access to its facility and attend a meeting of the board and executive management. Here at Secure Network we've been asked to gain access to numerous networks via social engineering techniques, but this job seemed rather unachievable at first. Turns out it was easier than we expected.The client indicated a concern for data loss prevention -- it has protective measures in place for data leaving the network or being taken from a stolen laptop. But concerns about corporate espionage and intellectual threat occur at all levels, and our client thought it should start top-down. It gave us a five-day window for doing the job, and the rules of engagement required us to gain the intelligence needed attend the board meeting. If successful, we were asked to record the meeting and then escape undetected.

We prepared for the effort by performing some simple reconnaissance. The client's office was located in a 30-story office building where it occupies five of the floors. The lobby was secured with a guard desk, and visitors were required to sign in and then wave a proximity card for elevator access.

We had to find a way to get details on when the meeting was being held without arousing suspicion. While checking out the perimeter of the building, we noticed a large limousine parked in front of the building. I approached the limo driver and pretended to be an office worker at our client's company. While making conversation with him, he indicated the hotel he was going to, hired for transporting executives for our client's company. I had now confirmed where the execs were staying, but, more important, a way to determine when to follow them into the building. During the recon of the building, we located the designated smoking area. While having a cigarette with one of the employees, I was able to derive the floor of the meeting room.

My partner and I made arrangements to stay at the same hotel our executives were staying. When checking in, we represented ourselves as employees of our client. We took advantage of the corporate rate, but, more important, we were considered employees. Creating some friendly conversation with our desk clerk, we asked if some of our colleagues had checked in so we could call them to have drink in the bar. After mentioning a few names, our desk clerk asked us if we just wanted a list of who was staying from our company. To our disbelief, she handed over a list of names. Although no room numbers were included, the list was more than I expected.

I stationed myself in the hotel lobby waiting for our limo driver to return our executives for the evening. When they arrived, one of the people in the car spoke to the bell captain. Later that evening, I struck up a conversation with him and found our client would be departing the next day at 8:30 a.m. The following day, I positioned myself at a coffee shop across from our client's building. When the limo arrived, I made my way toward the building. To circumvent the proximity card system, I tailgated the entourage of executives and then rode the elevators to the floor they were on. I then located an area to sit without raising any suspicion, started my laptop, and proceeded to the break area to get a cup of coffee.

As I traveled through the office floor, I found a sitting area that was located next to the executives' meeting room. Incredibly, the sitting room was enclosed in glass and had full view of the meeting. I obtained a newspaper and some manila folders, and created the appearance of working. I removed my coat and positioned it so the button camera could video the presentation. After 45 minutes of filming, my objective was complete. Corporate slides of projected earnings, strategies, shortcomings, and a variety of other sensitive pieces of information were captured. My departure from the building was as easy as when I entered, carrying data that could potentially prove harmful to the company if in the wrong hands.

Within two days, a collection of seemingly disparate, innocuous pieces of information easily allowed the breach of this company's perimeter and the "loss" of corporate information.

Data loss prevention technologies are quickly evolving and becoming the hot topic of discussion for information technology departments. Our test clearly proved that technology itself is not a remedy. The ability to safeguard the numerous formats of data will continue to be a challenge for all organizations. Leveraging numerous technologies, educating employees, and hardening physical controls will all continue to play an important role for years to come.

Steve Stasiukonis is vice president and founder of Secure Network Technologies Inc.

About the Author(s)

Steve Stasiukonis

Contributor

Steve serves as president of Secure Network, focusing on penetration testing, information security risk assessments, incident response and digital investigations. Steve has worked in the field of information security since 1997. As a part of that experience, Steve is an expert in social engineering and has demonstrated actual social engineering efforts involving pretexting, phishing and physically financial institutions, data centers and other highly secure operations and facilities. Steve has contributed to Dark Reading since 2006.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights