This account illustrates how excellent acting skills and technological know-how can be combined into social engineering attack

QUOTE: How long would it take for an attacker to break into a business? Get on the corporate network as an authenticated user? If you think it would take a few days or even a few hours, you are way, way off.  Try 20 minutes.

It took David Jacoby, a senior security researcher with the Global Research and Analysis Team at Kaspersky Lab, three minutes to sneak into the building, four minutes to get network access, five minutes to get authenticated access to the network, and ten minutes to install a backdoor onto the corporate network. He was able to download and walk away with “gigabytes of data” from the company, he told attendees at last week’s Kaspersky Lab Security Analyst Summit. Jacoby was invited by a company come in and tests its defenses. As it turned out, he didn’t need any fancy hacks or zero-days to get through. It was all social engineering. “They spent so much money [on security], and I still got in,” Jacoby said.

Being Nice to Tailgaters – The company required employees to use a badge to enter and leave the building. Jacoby waited for other employees to go inside, and just hurried in after them. Most people want to be polite and will hold the door open if someone is going in at the same time—something most tailgaters take advantage of. Jacoby went a step further, in case the employee thought to ask to see the badge. He dressed up a bit to look a little managerial and held a cell phone up to his ear as if he was having a conversation with someone. As he was going through the door, he said, “I am right in the lobby. I will be up in a minute.”  No one will interrupt a phone call, and if you convey the impression that you are someone important heading off to meet someone important, most people won’t stop to question you, Jacoby said.

Next Step of Finding Connection – he went straight to the printer room, where there is invariably a network hub for the printer. He plugged his laptop into the hub and as easy as that, he was on the network. Getting on the network as a valid user took more talking than hacking. Jacoby found an employee sitting next door to the printer room and explained he was having trouble with the network. He asked if he could borrow the employee’s computer. When he sat down, the employee was still logged in, which meant he could do whatever he wanted on the network.  At this point, he installed a backdoor on the network, giving him full control. He no longer needed the employee’s computer or credentials.

Exploring Vulnerabilities – After getting access to the network, Jacoby found that the network was segmented incorrectly, so sensitive systems were easily accessible. He found outdated and vulnerable software. He also found 300 user accounts with passwords set to never expire. All these things made his job, as an attacker, much easier.  Think like an attacker. You will be surprised at just how vulnerable your organization may be.