Chapter 5: Social Engineering

A case study in social engineering with Ira Winkler

In this case study, Ira Winkler, a professional social engineer, graciously shared an interesting study in social engineering.

The Situation

Mr. Winkler's client wanted a general gauge of the organization's security awareness level. Ira and his accomplice went for the pot of gold and tested the organization's susceptibility to social engineering. To start, they scoped out the main entrance of the client's building and found that the reception area and security desk were in the middle of a large lobby and were staffed by a receptionist. The next day, the two men walked into the building during the morning rush while pretending to talk on cellphones. They stayed at least 15 feet from the attendant and simply ignored her as they walked by.

After they were inside the facility, they found a conference room to set up shop in. They sat down to plan the rest of the day and decided a facility badge would be a great start. Mr. Winkler called the main information number and asked for the office that makes the badges. He was forwarded to the reception/security desk. Ira then pretended to be the CIO and told the person on the other end of the line that he wanted badges for a couple of subcontractors. The person responded, "Send the subcontractors down to the main lobby."

When Mr. Winkler and his accomplice arrived, a uniformed guard asked what they were working on, and they mentioned computers. The guard then asked them if they needed access to the computer room! Of course, they said, "That would help." Within minutes, they both had badges with access to all office areas and the computer operations center. They went to the basement and used their badges to open the main computer room door. They walked right in and were able to access a Windows server, load the user administration tool, add a new user to the domain, and make the user a member of the administrators' group. Then they quickly left.

The two men had access to the entire corporate network with administrative rights within two hours. They also used the badges to perform after-hours walkthroughs of the building. While doing so, they found the key to the CEO's office and planted a mock bug there.

The Outcome

Nobody outside the team knew what the two men had done until they were told after the fact. After the employees were informed, the guard supervisor called Mr. Winkler and wanted to know who issued the badges. Mr. Winkler informed him that the fact that the security office didn't know who issued the badges was a problem in and of itself, and that he does not disclose that information.

How This Could Have Been Prevented

According to Mr. Winkler, the security desk should be located closer to the entrance, and the company should have a formal process for issuing badges. Access to special areas like the computer room should require approval from a known entity, as well. After access is granted, a confirmation should be sent to the approver. Also, the server screen should be locked, and the Windows account should not be logged on unattended. Any addition of an administrator-level account should be audited, and appropriate parties should be alerted.
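The last recommendation, auditing and alerting on administrator-level account additions, is the one control that would have caught the create-then-elevate sequence in the computer room. The following is an added example, not code from the book or from Mr. Winkler: it correlates Windows Security events for account creation (event ID 4720) with additions to privileged groups (4728, 4732, 4756) and rates a grant as high severity when the target account was created only moments earlier. The event IDs are real; the dictionary layout and the sample log are constructed simplifications.

```python
from datetime import datetime, timedelta

# Privileged groups whose membership changes should always reach a human.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
# 4728/4732/4756: member added to a security-enabled global/local/universal group.
GROUP_ADD_EVENTS = {4728, 4732, 4756}
ACCOUNT_CREATED_EVENT = 4720


def detect_privileged_grants(events, new_account_window=timedelta(hours=1)):
    """Return one alert per addition to a privileged group.

    events: dicts with keys ts (ISO 8601), id, actor, target, group (None
    for creation events). A grant is 'high' when the target account was
    created within new_account_window beforehand, which is exactly the
    new-user-then-administrators sequence from the case study.
    """
    created_at = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        when = datetime.fromisoformat(ev["ts"])
        if ev["id"] == ACCOUNT_CREATED_EVENT:
            created_at[ev["target"]] = when
        elif ev["id"] in GROUP_ADD_EVENTS and ev["group"] in PRIVILEGED_GROUPS:
            born = created_at.get(ev["target"])
            fresh = born is not None and when - born <= new_account_window
            alerts.append({
                "ts": ev["ts"], "actor": ev["actor"],
                "target": ev["target"], "group": ev["group"],
                "severity": "high" if fresh else "medium",
                "reason": (f"account created {when - born} before elevation"
                           if fresh else "privileged group membership change"),
            })
    return alerts


# Constructed sample log (not a real capture). 'opsadmin' stands for the
# unattended, still-logged-on session the intruders used in the case study.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:12:03", "id": 4720, "actor": "opsadmin", "target": "contractor2", "group": None},
    {"ts": "2024-05-01T09:12:41", "id": 4732, "actor": "opsadmin", "target": "contractor2", "group": "Administrators"},
    {"ts": "2024-05-01T14:00:00", "id": 4732, "actor": "itadmin", "target": "helpdesk7", "group": "Remote Desktop Users"},
    {"ts": "2024-05-02T08:30:00", "id": 4728, "actor": "itadmin", "target": "jdoe", "group": "Domain Admins"},
]

if __name__ == "__main__":
    for a in detect_privileged_grants(SAMPLE_EVENTS):
        print(a["severity"], a["ts"], a["actor"], "added", a["target"],
              "to", a["group"], "-", a["reason"])
```

Feeding it the sample log yields two alerts: a high one for contractor2 (created 38 seconds before being made an Administrator) and a medium one for the routine Domain Admins change; the Remote Desktop Users addition is not reported.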
Ira Winkler, CISSP, CISM, is founder and president of the Internet Security Advisors Group. You can find more of his case studies in his book Spies Among Us: How to Stop the Spies, Terrorists, Hackers, and Criminals You Don't Even Know You Encounter Every Day (Wiley).