• No results found

Social Engineering: Hunt for the digital crown jewels using a door handle

N/A
N/A
Protected

Academic year: 2021

Share "Social Engineering: Hunt for the digital crown jewels using a door handle"

Copied!
20
0
0

Loading.... (view fulltext now)

Full text

(1)

© 2012 Deloitte Touche Tohmatsu

Social Engineering:

Hunt for the digital crown jewels

… using a door handle

TJ Dimkov

Deloitte Netherlands 31st of January 2012

(2)

© 2012 Deloitte Touche Tohmatsu PvIB Evenement

A new member

Requirements

Reliable

Repeatable

Reportable

Respectful for all actors

Realistic

Defending my PhD thesis at University of Twente in February.

Methodologies for physical penetration testing using social engineering.

The methodologies try to achieve Reliable, Repeatable, Reportable,

Respectful and Realistic penetration tests.

As part of the research, executed more than 30 penetration tests in University

of Twente and Technical University of Eindhoven.

(3)

© 2012 Deloitte Touche Tohmatsu

Agenda

3

• Information security revisited • Case

• Lessons learned

(4)

© 2012 Deloitte Touche Tohmatsu

Hacking and information

security revisited

(5)

© 2012 Deloitte Touche Tohmatsu

In a bold, systematic hit on a landmark Ventura Boulevard office building, burglars stole scores of computers from at least 60 of the 80 businesses there, taking machines containing sensitive legal documents, credit card numbers and the tax information of thousands of people, police said Saturday. Several business owners said they were taken aback by the brazenness of the theft, which deprived them of their computers but left behind other valuable equipment, including monitors, faxes, copiers and printers. Several concluded that the thieves' target must have been the information contained on their hard drives, not property

Police Lt. Jay Roberts said investigators are looking at people familiar with the building and its security system. Late Saturday, police were still determining the extent of the crime. The thieves did not ransack or damage the building. No one was injured.

"They systematically got into the offices," Abrams said. "It looks like they had a superkey.“ "It had to be somebody who knows that building," said Mary Hatcher, who runs several companies at the site. "It wasn't forced entry.

(6)
(7)

© 2012 Deloitte Touche Tohmatsu

Information is stolen by a combination of physical access and

social engineering

Security Policies Physical Security Unauthorized access Safety Digital Security Confidentiality Integrity Availability Physical Mechanism Safe Fence Door Digital Mechanisms Encryption Signature Firewall Awareness Simulation Seminar Security Awareness Social Engineering Computer Security Information Security
(8)

© 2012 Deloitte Touche Tohmatsu PvIB Evenement

Information is stolen by a combination of physical access and

social engineering

How can we perform a complete (physical-digital-social) vulnerability

assessment of an organization?

Without disturbing the work flow process.

Without hurting/stressing anyone.

In a quantitative, reportable way.

(9)

© 2012 Deloitte Touche Tohmatsu

Case

(10)

© 2012 Deloitte Touche Tohmatsu

Methodology

10

Penetration testing approach

•Information gathering

• Gather publicly available information from the Internet.

• Google maps, Social networks, company website, outsourcing parties, forums •Reconnaissance

• Scout the facility and learn the security procedures that are in place. • Talk to people around the facility.

•Identification of vulnerable systems

• Search for potential vulnerabilities in physical controls, people and procedures •Exploitation

• Manual verification of vulnerabilities found • Find a path to the internal network!

Info gathering Reconaissance Vulnerability

(11)

© 2012 Deloitte Touche Tohmatsu

Methodology

What are the steps?

Setup Setup Behave normally 1 Behave normally 1 Initialize

Initialize Sign documents Sign documents

Select contact people Select contact people Select custodians Select

custodians information information Distribute Distribute

Execution Execution Behave normally 1 Behave normally 1 Scout

Scout Coordinator Coordinator approval approval approval approval Security Security Execute Execute Contain Contain

Collect logs Collect logs Closure Closure Behave normally 1 Behave normally 1 Collect equipment Collect equipment Report Report Debrief Debrief

Time

5 4 6 3 7 8 9 10 11 12 14 16 15 13
(12)

© 2012 Deloitte Touche Tohmatsu

Physical penetration testing

(13)

© 2012 Deloitte Touche Tohmatsu

Physical penetration testing

(14)

© 2012 Deloitte Touche Tohmatsu

Lessons learned

(15)

© 2012 Deloitte Touche Tohmatsu

Surveillance cameras

Surveillance cameras are not used as alarming mechanisms

(1) the cameras are not mounted in offices, - privacy issues and cost effectiveness (2) the thief can easily conceal the laptop

(3) thieves usually know the position of the cameras and obscure their face,

(4) each of the bags might conceal a stolen laptop. if the persons are not caught on the spot and challenged by the security guards, the evidence from the surveillance camera can not be used against them.

The surveillance system provides no help in stopping the theft and has limited usage in identifying the

(16)

© 2012 Deloitte Touche Tohmatsu

Access Control

We spotted three weaknesses of the access control in the

universities. Locks are usually bypassed because

(1) they are disabled during working hours

(2) the doors and windows where the locks reside are easy to force.

(3) the credentials are easy to steal or social engineer and because there are many people entering and leaving the area where the theft occurs, it is hard to deduce which person is the thief.

Access control mechanisms deployed in the open institutions are mainly

used to deter opportunistic thieves, but provide no help against a determined thief.

(17)

© 2012 Deloitte Touche Tohmatsu PvIB Evenement

Security awareness of the employees

The thefts occurred because an employee

(1) left the laptop unattended in a public location (1) did not lock the door when leaving the office (2) opened door from offices of their colleagues,

(3) shared credentials or handed in laptops without any identification.

Even with strong access control in place, if the security awareness of the employees is low, the access control can easily be circumvented.

The main reason behind the failure of 67% of all failed penetration tests. In these cases, an employee

(1) informed the security guards for suspicious activities, (2) rejected to open a door for the tester,

(3) rejected to unlock a laptop without permission from the custodian (4) interrupted the tester during the theft

Employees are usually considered as the weakest link in the security of an organization. We observe that employees can also be the strongest link in the security of open organization.

(18)

© 2012 Deloitte Touche Tohmatsu

Questions and answers

(19)

© 2012 Deloitte Touche Tohmatsu PvIB Evenement

19

Risk Services

Laan van Kronenburg 2 1183 AS Amstelveen

TJ Dimkov

The Netherlands Senior Consultant Mobile: +31 61 099 9115

[email protected]

Risk Services

Laan van Kronenburg 2 1183 AS Amstelveen

TJ Dimkov

The Netherlands Senior Consultant Mobile: +31 61 099 9115

[email protected]

Risk Services

Laan van Kronenburg 2 1183 AS Amstelveen

Marko van Zwam

The Netherlands

Partner Security & Privacy Mobile: +31 62 127 2904 [email protected]

Risk Services

Laan van Kronenburg 2 1183 AS Amstelveen

Marko van Zwam

The Netherlands

Partner Security & Privacy Mobile: +31 62 127 2904 [email protected]

(20)

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.

Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and deep local expertise to help clients succeed wherever they operate. Deloitte's approximately 170,000 professionals are committed to becoming the standard of excellence. This publication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of this publication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this publication.

References

Related documents

Four categories of explanatory variables are taken as likely sources of documented changes in English commodity price dis-integration during this period: weather, trade, policy,

The interactive experience provided by this IPE event was an opportunity for students to practice professional collaboration around the topic of food intake, which is best

In summarizing the study of relationships of hog prices be- tween Chicago and the other markets used, for heavy, medium and light weight hogs, we found that, in

Other useful RecTrac reports provide managers the capability to track usage, patronage, nancial data, and demographics for marketing, budgeting, planning,.. and

In terms of evidence for a role for coagulation signalling in driving fibrosis in animal models, we and others have shown that anticoagu- lant strategies (e.g. direct

training” [59]. The title encompasses the content of the session. Clearly, public health deficiencies in veterinary education are recognized by the AAVMC and ASPH. Should the

AWAK shall invite applications, select and award scholarships to bright and needy Kenyan students joining or already in form one (1) in any public secondary school in Kenya

Outline 1 Introduction Problem Domain Orocos’ Solution Orocos History 2 Orocos Framework Building Applications Component API Component Development 3 Demo Application Setup..