By Steve Stasiukonis
May 15, 2009
My firm, Secure Network Technologies, was recently hired by a large
healthcare provider to perform a security assessment. As part of the
job, my partner, Bob Clary, posed as an employee, similar to the
"Seinfeld" episode in which Kramer shows up and works at a company where
he was never actually hired.
The job included both an internal and external network examination. The
company had a significant number of internal systems, so being on the
inside to perform the needed scanning helped considerably.
The client also had moved into a new building and requested we test its
physical security and social-engineer our way into the building to
connect to the network. By leveraging the ability to be on the inside of
the network, our vulnerability scanning and testing of its network
security would be considerably more efficient.
So Bob entered the building as if he were just another employee. Unlike
other social-engineering efforts that require disguises, following the
company dress code of business casual seemed appropriate. Bob wore his
favored attire of blue jeans and t-shirt, accompanied by white sneakers.
When he entered the building on day one, he walked by security and rode
the elevator to the first available floor. Within minutes, he had
located an empty cubicle, connected his laptop, and started scanning the
network. On day two, he entered the building and successfully
commandeered another floor and cubicle. Within the next few days, Bob
was reserving conference rooms -- and in some cases, asking occupants to
leave when they overstayed their reserved time.