© 2012 Deloitte Touche Tohmatsu
Social Engineering:
Hunt for the digital crown jewels
… using a door handle
TJ Dimkov
Deloitte Netherlands 31st of January 2012
© 2012 Deloitte Touche Tohmatsu PvIB Evenement
A new member
Requirements
Reliable
Repeatable
Reportable
Respectful for all actors
Realistic
Defending my PhD thesis at University of Twente in February.
Methodologies for physical penetration testing using social engineering.
The methodologies try to achieve Reliable, Repeatable, Reportable,
Respectful and Realistic penetration tests.
As part of the research, executed more than 30 penetration tests in University
of Twente and Technical University of Eindhoven.
© 2012 Deloitte Touche Tohmatsu
Agenda
3
• Information security revisited • Case
• Lessons learned
© 2012 Deloitte Touche Tohmatsu
Hacking and information
security revisited
© 2012 Deloitte Touche Tohmatsu
In a bold, systematic hit on a landmark Ventura Boulevard office building, burglars stole scores of computers from at least 60 of the 80 businesses there, taking machines containing sensitive legal documents, credit card numbers and the tax information of thousands of people, police said Saturday. Several business owners said they were taken aback by the brazenness of the theft, which deprived them of their computers but left behind other valuable equipment, including monitors, faxes, copiers and printers. Several concluded that the thieves' target must have been the information contained on their hard drives, not property
Police Lt. Jay Roberts said investigators are looking at people familiar with the building and its security system. Late Saturday, police were still determining the extent of the crime. The thieves did not ransack or damage the building. No one was injured.
"They systematically got into the offices," Abrams said. "It looks like they had a superkey.“ "It had to be somebody who knows that building," said Mary Hatcher, who runs several companies at the site. "It wasn't forced entry.
© 2012 Deloitte Touche Tohmatsu
Information is stolen by a combination of physical access and
social engineering
Security Policies Physical Security Unauthorized access Safety Digital Security Confidentiality Integrity Availability Physical Mechanism Safe Fence Door Digital Mechanisms Encryption Signature Firewall Awareness Simulation Seminar Security Awareness Social Engineering Computer Security Information Security© 2012 Deloitte Touche Tohmatsu PvIB Evenement
Information is stolen by a combination of physical access and
social engineering
How can we perform a complete (physical-digital-social) vulnerability
assessment of an organization?
•
Without disturbing the work flow process.
•
Without hurting/stressing anyone.
•
In a quantitative, reportable way.
© 2012 Deloitte Touche Tohmatsu
Case
© 2012 Deloitte Touche Tohmatsu
Methodology
10
Penetration testing approach
•Information gathering
• Gather publicly available information from the Internet.
• Google maps, Social networks, company website, outsourcing parties, forums •Reconnaissance
• Scout the facility and learn the security procedures that are in place. • Talk to people around the facility.
•Identification of vulnerable systems
• Search for potential vulnerabilities in physical controls, people and procedures •Exploitation
• Manual verification of vulnerabilities found • Find a path to the internal network!
Info gathering Reconaissance Vulnerability
© 2012 Deloitte Touche Tohmatsu
Methodology
What are the steps?
Setup Setup Behave normally 1 Behave normally 1 Initialize
Initialize Sign documents Sign documents
Select contact people Select contact people Select custodians Select
custodians information information Distribute Distribute
Execution Execution Behave normally 1 Behave normally 1 Scout
Scout Coordinator Coordinator approval approval approval approval Security Security Execute Execute Contain Contain
Collect logs Collect logs Closure Closure Behave normally 1 Behave normally 1 Collect equipment Collect equipment Report Report Debrief Debrief
Time
5 4 6 3 7 8 9 10 11 12 14 16 15 13© 2012 Deloitte Touche Tohmatsu
Physical penetration testing
© 2012 Deloitte Touche Tohmatsu
Physical penetration testing
© 2012 Deloitte Touche Tohmatsu
Lessons learned
© 2012 Deloitte Touche Tohmatsu
Surveillance cameras
•
Surveillance cameras are not used as alarming mechanisms
(1) the cameras are not mounted in offices, - privacy issues and cost effectiveness (2) the thief can easily conceal the laptop
(3) thieves usually know the position of the cameras and obscure their face,
(4) each of the bags might conceal a stolen laptop. if the persons are not caught on the spot and challenged by the security guards, the evidence from the surveillance camera can not be used against them.
• The surveillance system provides no help in stopping the theft and has limited usage in identifying the
© 2012 Deloitte Touche Tohmatsu
Access Control
•
We spotted three weaknesses of the access control in the
universities. Locks are usually bypassed because
(1) they are disabled during working hours
(2) the doors and windows where the locks reside are easy to force.
(3) the credentials are easy to steal or social engineer and because there are many people entering and leaving the area where the theft occurs, it is hard to deduce which person is the thief.
• Access control mechanisms deployed in the open institutions are mainly
used to deter opportunistic thieves, but provide no help against a determined thief.
© 2012 Deloitte Touche Tohmatsu PvIB Evenement
Security awareness of the employees
The thefts occurred because an employee
(1) left the laptop unattended in a public location (1) did not lock the door when leaving the office (2) opened door from offices of their colleagues,
(3) shared credentials or handed in laptops without any identification.
Even with strong access control in place, if the security awareness of the employees is low, the access control can easily be circumvented.
The main reason behind the failure of 67% of all failed penetration tests. In these cases, an employee
(1) informed the security guards for suspicious activities, (2) rejected to open a door for the tester,
(3) rejected to unlock a laptop without permission from the custodian (4) interrupted the tester during the theft
Employees are usually considered as the weakest link in the security of an organization. We observe that employees can also be the strongest link in the security of open organization.
© 2012 Deloitte Touche Tohmatsu
Questions and answers
© 2012 Deloitte Touche Tohmatsu PvIB Evenement
19
Risk Services
Laan van Kronenburg 2 1183 AS Amstelveen
TJ Dimkov
The Netherlands Senior Consultant Mobile: +31 61 099 9115Risk Services
Laan van Kronenburg 2 1183 AS Amstelveen
TJ Dimkov
The Netherlands Senior Consultant Mobile: +31 61 099 9115Risk Services
Laan van Kronenburg 2 1183 AS Amstelveen
Marko van Zwam
The NetherlandsPartner Security & Privacy Mobile: +31 62 127 2904 [email protected]
Risk Services
Laan van Kronenburg 2 1183 AS Amstelveen
Marko van Zwam
The NetherlandsPartner Security & Privacy Mobile: +31 62 127 2904 [email protected]
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.
Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and deep local expertise to help clients succeed wherever they operate. Deloitte's approximately 170,000 professionals are committed to becoming the standard of excellence. This publication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of this publication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this publication.