Keeping bad guys out
Travis N.
In our previous blog post, we talked about how to protect your organization by keeping your company’s organization chart private. We encouraged you to adopt a policy to keep details
Physical security in a digital age
Does your company issue ID cards to employees? Chances are you do. Businesses today have learned that this is a great way to distinguish employees from visitors. But did you know those same cards could be working against you and helping bad guys get in?
Companies today are adopting a “closed door” policy. This means that even the main door to the business is locked at all times. Authorized employees can let themselves in, but visitors must be “buzzed” in. This policy is usually put in place because workplace violence is increasing. However, it can also stop attackers from getting inside your business simply by walking in, pretending to be an employee, and leaving after stealing data, planting remote hacking devices, or compromising security by obtaining security codes, badges, or even passwords.
Employee ID badges are one piece of intellectual property your business has that routinely leaves your facility and sits in plain view of anyone who might steal it. This little credit card-sized piece of PVC could easily fall into the wrong hands at any time.
Protect the badge
At one office, a gentleman stepped off the elevator with a woman who was carrying some boxes. The gentleman could see the woman was in distress carrying a few of these heavy boxes into the office, as she struggled to have her badge read by the card reader. It eventually beeped and the gentleman offered to hold the door for the lady. After all, those boxes looked heavy! He offered her assistance carrying one of them and she of course said, “Thank you!” After leading the gentleman to her desk where he dropped off the box for her, he started to blend into the crowd of the hustling office.
The gentleman found a vacant office, and something caught his eye. Sitting right on the desk was an employee’s ID. Thinking quickly, he snatched it. He then found a copy room which had a few supplies he needed: a paper cutter, scissors, and some clear packing tape. The man pulled out a photo of himself against a white background – standard for many HR departments. He cut his photo to size and placed it over the photo of the employee whose badge he had stolen. Using the clear packing tape and scissors, he trimmed it to fit just right and placed it back in the badge holder. To anyone looking, this man was now an employee, without HR’s knowledge.
Free range hacker
Over the next hour or so, the man posed as an employee. He wore the badge on a lanyard around his neck. No one was suspicious, since he had an ID. After all, someone who wasn’t an employee wouldn’t have an ID. He found a back entrance to the office and placed the badge against the reader. It beeped, and the light turned green, meaning the door had unlocked for him. He took out a notebook and wrote it down. Then he went around to find more locked doors with badge readers to see what else the badge could open. He was surprised to learn it opened all of them.
As he was passing by a conference room, he noticed a lot of people who looked like management filing in. It was a large meeting, so he decided to go right in. He found a seat near the back of the room where many other managers were sitting. He took out his notebook, paid attention to the speaker, and occasionally made side comments to the other managers to lower suspicion.
At the end of the nearly half-hour meeting, one manager started giving the man a strange look. Feeling the stare, he started to pack up his things to bolt. The manager asked another manager, “Hey, who is that guy? I haven’t seen him here before.” The other manager responded, “I’m not sure. Must be new.”
The manager decided to confront the stranger but he was already heading down the hallway. “Hey! Excuse me!” he shouted but the man just kept walking. “HEY! YOU! STOP!” and this got the man’s attention. He jolted to a stop, turned around with a confused look on his face and pointed at himself and mouthed, “me?”
The manager approached and questioned the man. He asked him who he was, and the man said he was a new IT manager. The manager looked shocked. “Oh really? Can I see your ID?” The man obliged and handed over the stolen ID. “Can you come with me real quick?” the manager asked. They headed over to the head of HR. After some digging, HR did not recognize the man. They pulled the ID out of the holder and noticed the tape. They peeled it off to find the original employee’s photo underneath.
The man got scared and quickly confessed. He was not an employee. He had found the badge in an unattended office. And he was part of a red team that the company had hired to perform a physical penetration test. It turned out the manager who caught him was the actual IT manager. They went up to his office and discussed the outcome of the penetration test. The man had been roaming around the office for a few hours by then – more than enough time to plant remote devices on the network, plant bugs, and leave other hacking tools behind. He shared how he was able to get in, and it was found that although this company had a closed-door policy, a helpful employee had given him access without checking that he was supposed to be there, because reception had stepped away from the desk.
Lessons to be learned
This was just one story of a physical penetration test and one method: simply picking up an ID that was not on an employee. Another method of attack is making your own badge. Just go to a local bar or restaurant during lunch hour or happy hour. Look at how many IDs are visible. An attacker can take a quick photo with a smartphone while “pretending” to check the latest sports scores or type up a quick email. Using an inexpensive RFID capture tool, someone can brush up next to you on their way to the bar or restroom and later clone the badge, adding only their own name and photo.
When in the office, employees should have their IDs on them at all times and should not take them off. Employees who see someone in the office without an ID should question that person and escort them to the front desk, to human resources, or out of the office. When out in public for lunch, happy hour, or even commuting on public transit, company IDs should not be visible. They should be hidden in pockets, purses, backpacks, or briefcases, out of sight of wandering eyes. Preventing employee impersonation helps protect your critical business systems.
Also, invest in a card printer that prints a holographic overlay on the card. It makes fakes much easier to spot.