A Case Study in How Hackers Use Social Engineering
In this case study, Ira Winkler, a professional social engineer, graciously shared an interesting study about how to hack with social engineering. This is a prime example of how not paying attention can get you hacked!
Mr. Winkler’s client wanted a general gauge of the organization’s security awareness level. Ira and his accomplice went for the pot of gold and tested the organization’s susceptibility to social engineering.
To start, they scoped out the main entrance of the building and found that the reception area and security desk were in the middle of a large lobby and were staffed by a receptionist. The next day, the two men walked into the building during the morning rush while pretending to talk on cellphones. They stayed at least 15 feet from the attendant and ignored her as they walked by.
After they were inside the facility, they found a conference room to set up shop in. They sat down to plan the rest of the day and decided a facility badge would be a great start. Mr. Winkler called the main information number and asked for the office that makes the badges.
He was forwarded to the reception/security desk. Ira then pretended to be the CIO and told the person on the other end of the line that he wanted badges for a couple of subcontractors. The person responded, “Send the subcontractors down to the main lobby.”
When Mr. Winkler and his accomplice arrived, a uniformed guard asked what they were working on, and they mentioned computers. The guard then asked them if they needed access to the computer room! Of course, they said, “That would help.”
Within minutes, they both had badges with access to all office areas and the computer operations center. They went to the basement and used their badges to open the main computer room door. They walked in and were able to access a Windows server, load the user administration tool, add a new user to the domain, and make the user a member of the administrators’ group. Then they quickly left.
The two men had access to the entire corporate network with administrative rights within two hours. They also used the badges to perform after-hours walkthroughs of the building. While doing so, they found the key to the CEO’s office and planted a mock bug there.
Nobody outside the team knew what the two men had done until they were told after the fact. After the employees were informed, the guard supervisor called Mr. Winkler and wanted to know who issued the badges. Mr. Winkler informed him that the fact that the security office didn’t know who issued the badges was a problem in and of itself, and that he does not disclose that information.
How This Could Have Been Prevented
According to Mr. Winkler, the security desk should be located closer to the entrance, and the company should have a formal process for issuing badges. Access to special areas like the computer room should require approval from a known entity, as well.
After access is granted, a confirmation should be sent to the approver. Also, the server screen should be locked, and the Windows account should not be logged on unattended. Any addition of an administrator-level account should be audited, and appropriate parties should be alerted.