The Fundamentals of Intrusion
No matter the size of your business, there are assets and data on your premises that you need to keep secure from people outside your organisation. Whether it’s hard copies of personnel data, server rooms, or safety-critical infrastructure, that information, or the means of gaining access to it, will likely have some value to bad actors willing to use or exploit it.
Whilst security cameras and locks can present a viable deterrent to an opportunist, they won’t always be up to the task against a well-planned and targeted intrusion.
An attack won’t necessarily start the moment someone sets foot on your premises; it can start weeks or months before. A bad actor will gather as much intelligence on your company as they can through OSINT (Open Source Intelligence), a social engineering campaign using vishing and phishing, and onsite reconnaissance.
Breaking things down a bit, what can the above intelligence gathering techniques provide a criminal trying to gain entry to your company premises?
Open Source Intelligence is everything about you that’s readily available to anyone online. This is your social media posts about staff parties, website blogs about your technologies and new business deals, and news articles about new premises. They all tell a story about your company. In this stage, the criminal wants to know where you are based, who works for you, your staff hierarchy, your security systems and your routines. They will be looking at what ID cards, if any, you use, and the uniforms you wear, as these can all be replicated for use in an intrusion. They will look into whether a staff member is new, has had any grievances, has large debts or earns a high wage. With this information, they will work out who could be susceptible to bribery and manipulation.
Social Engineering has been mentioned in other blog posts from Pentest People. It’s the next stage after OSINT and goes further towards building up a plan for a physical intrusion. Using the information gathered through OSINT, the criminal can now target your company with calls and emails to extract more information, such as network login credentials, door access codes and what time your security guards come on shift. With well-designed emails and domain names, they could even organise meetings with members of staff or pretend to be from a utility company needing to upgrade substations or fibre optics.
The amount of time required for onsite reconnaissance will depend on the size of your premises, its location and how much information has been gleaned from the other stages of the intrusion.
In an ideal world, a criminal would want to spend little or no time near your premises before any intrusion due to the risk of being reported.
Depending on the value of the target, the lengths a criminal goes to in observing your premises will vary. A simple walk past your building may be enough to verify entrances, security guards or camera placements; however, a larger industrial unit may call for tactics more familiar to military personnel, such as setting up a covert OP (Observation Point) from which equipment such as night vision, thermal imaging cameras and long lenses can be deployed.
By physically observing your building, the criminal will be able to see whether they will be able to tailgate someone through a doorway, how diligent your security or reception staff are and observe any delivery routines. If your company has door locks, RFID access or CCTV, these will be looked at to see if they can be accessed or bypassed.
So whilst many intrusions can be a simple “smash and grab” operation, others can be extremely well-planned operations that combine many different methods and take advantage of the way humans naturally fall into routine, or their willingness to be polite and hold a door open for someone in a rush.
The fact that these types of intrusion do happen doesn’t mean you have to create a fortress around your company or have guards patrolling your perimeter 24/7. There are some simple tactics your company can deploy to increase your security, raise staff awareness and reduce your exposure to these threats; some of them won’t cost you a thing.
So this takes us back to OSINT. Social media is immensely valuable to a company for marketing, so deleting your social media accounts is not an option. However, vetting the pictures that are posted there is. Before you post, check that no staff ID cards are on show and that documents and desktop screens are hidden. If possible, anything security related just shouldn’t be on show. This goes for any promotional videos the company may make.
Some phishing emails can be very primitive, with an obviously dodgy-looking sender’s address and a simple link in the main text designed for the curious to click. However, some are extremely convincing, using spoofed domain names with links that don’t point where they appear to. They may mimic something you receive daily, or they may send you to a familiar login page such as Outlook or Office 365. With freely available open-source tools, a criminal can capture the username and password you type in.
Make sure you have a spam filter on your email inbox, and check the sender’s address and where any links actually point. If it looks suspicious, don’t open the email and certainly don’t click on any links; instead, flag it to your IT department to check.
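The two checks just described, the sender’s address and where a link really points, can be automated as a first-pass triage before a message reaches IT. The script below is an added example, not Pentest People’s code: it parses a raw email, compares the sender’s domain with the organisation’s own (looking for digit-for-letter swaps such as examp1e, “rn” for “m”, and one-character typos) and flags any link whose visible text names one domain while its href goes to another. The organisation’s domain, both sample messages and all domains in them are constructed placeholders, and the “last two labels” rule used to compare domains is a simplification of what a public-suffix-list lookup would do.

```python
"""Triage a suspicious email: compare the sender's domain with the organisation's
own and check each link's visible text against its real target. Added example
with constructed messages and domains; not Pentest People's code."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-corp.com"}  # the organisation's own domain (assumed)

# Constructed phishing-style message: a digit-for-letter sender domain and a link
# whose visible text is a familiar login URL but whose target is somewhere else.
PHISH_EML = """\
From: IT Helpdesk <helpdesk@examp1e-corp.com>
To: staff@example-corp.com
Subject: Password expiry notice
Content-Type: text/html; charset=utf-8

<html><body><p>Your password expires today. Sign in at
<a href="https://login.example-corp.com.evil.example/auth">https://login.example-corp.com</a>
to keep access.</p><p>Regards, <a href="https://example-corp.com/it">IT</a></p></body></html>
"""

# Constructed benign message from the real domain, for comparison.
BENIGN_EML = """\
From: HR <hr@example-corp.com>
To: staff@example-corp.com
Subject: Holiday calendar
Content-Type: text/html; charset=utf-8

<html><body><p>See <a href="https://intranet.example-corp.com/holidays">https://intranet.example-corp.com/holidays</a></p></body></html>
"""

# Digits commonly substituted for the letters they resemble.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    """Last two labels of a hostname; a crude stand-in for the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Trusted domain that `domain` imitates (digit swaps, 'rn' for 'm', one typo), else None."""
    if domain in trusted:
        return None
    normalised = domain.lower().translate(_HOMOGLYPHS).replace("rn", "m")
    return next((t for t in trusted if normalised == t or edit_distance(normalised, t) <= 1), None)

def host_in_text(text):
    """Host the visible link text claims, if the text itself reads like a URL or domain."""
    if "://" in text:
        return urlparse(text).hostname
    m = re.fullmatch(r"([a-z0-9.-]+\.[a-z]{2,})(/\S*)?", text, re.I)
    return m.group(1) if m else None

def triage(raw):
    """Run both checks over a raw RFC 822 message and return the findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender_domain = parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body else "")
    mismatched = []  # (domain the text shows, domain the link really goes to)
    for href, text in collector.links:
        shown, target = host_in_text(text), urlparse(href).hostname
        if shown and target and registrable_domain(shown) != registrable_domain(target):
            mismatched.append((registrable_domain(shown), registrable_domain(target)))
    lookalike = lookalike_of(sender_domain)
    return {"sender_domain": sender_domain, "sender_lookalike_of": lookalike,
            "mismatched_links": mismatched, "suspicious": bool(lookalike or mismatched)}

if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EML), ("benign", BENIGN_EML)):
        print(name, triage(raw))
```

Running it prints a finding for the constructed phishing message (sender imitates example-corp.com; the login link shows example-corp.com but goes to evil.example) and nothing suspicious for the benign one. Links whose visible text is a plain word such as “IT” are skipped, since there is no claimed destination to compare against; a spam filter or mail gateway would typically also check the authentication headers (SPF/DKIM/DMARC results), which this script does not.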
Be suspicious of anyone calling you directly asking what systems you use, asking for personal information or saying they are from third-party contractors. Don’t be afraid to question them or escalate the call for further checks to establish whether it is legitimate.
When staff are away from the building, do they need to have their ID cards on show, or do they need to keep their company car passes on display whilst shopping at the supermarket? Someone performing reconnaissance on your company will be looking for these and will attempt to forge them. When your staff are not on the premises, these things can be hidden from view.
It is common for security guards to wave through people they know without seeing any form of ID. Why trouble someone with the inconvenience of getting their ID card out if you know them? Not only is this bad practice, but it also gives the perception of weak security to anyone watching. A security guard physically checking all ID cards shows anyone watching that they are diligent and that ID cards are being used for what they are designed for.
We are, in general, a polite society and we like to hold doors open for people. This offers a criminal the opportunity to tailgate: the tactic of following someone through a doorway. This doesn’t mean your staff should shut the door in their colleagues’ faces; it should, however, be common practice to be aware of who is behind you when entering the premises. If it is someone you don’t know, you have a right to close the door behind you, perhaps politely requesting that they use their ID card or ring the buzzer to reception if there is one.
The tactics mentioned in this article’s scenarios are not exhaustive, but they demonstrate how a criminal can leverage what a company or member of staff does without thought on a daily basis. The remediation steps mentioned are also not exhaustive, but they go part way to making life difficult for a criminal and potentially giving you more time to raise the alarm and put more countermeasures and security in place.