How confident are you that your organization’s physical security measures can withstand real-world threats? Onsite penetration testing, commonly called red teaming, is one method of determining the strength and effectiveness of your physical security controls. These pen tests simulate real-world attacks to assess the vulnerability of your physical locations — such as data centers, offices, manufacturing facilities, and critical infrastructure. Pen tests are not conducted with malicious intent, but rather to identify vulnerabilities in an organization's physical security measures.
But it's not all about picking locks and bypassing security systems — a large part of an onsite physical penetration test involves social engineering. According to Pinkerton’s pen test metrics, nearly 80% of tests “fail” due to the human element — our agents successfully gain access to the target facilities using these methods. Interestingly, we find that only about 8% of pen tests fail due to ineffective security measures.
What is social engineering?
Social engineering is a tactic used to exploit the vulnerabilities of human psychology. By leveraging this approach, infiltrators can gain unauthorized access to sensitive information and carry out harmful actions. And by creating emotions such as trust, urgency, kinship, authority, stress, or pity, infiltrators manipulate victims into taking risky actions.
While tactics like spear phishing, vishing, water-holing, and baiting* are often employed in digital or cyber social engineering attacks and often as precursors to a larger-scale cyberattack, an infiltrator attempting to breach a physical site or facility is more likely to use pretexting and tailgating.
Infiltrators fabricate a scenario, or pretext, to gain the trust of an organization’s first line of defense, such as security personnel or receptionists. An infiltrator might pose as a legitimate entity — such as a co-worker, police officer, bank official, delivery person, job applicant, or technical support, to manipulate employees into providing sensitive information or granting access to restricted areas.
Tailgating, also known as piggybacking, involves an infiltrator seeking to gain entry to a restricted area without proper authentication by following closely behind an authorized individual. An infiltrator often relies on the courtesy or distraction of the authorized individual, who holds the door open, not realizing they are allowing access to an unauthorized person.
These two tactics are used by both real-world bad actors and Pinkerton red team agents alike. Pretexting and tailgating pose significant security risks, often underappreciated in their magnitude.
What are the typical stages of social engineering?
The social engineering cycle consists of four stages.
1. Information gathering and surveillance
At this stage, an infiltrator would collect crucial data via OSINT (open-source information) such as names, job titles, email addresses, company security badges, or personal information from publicly available sources. This information enables them to personalize their approach, make phony organization security badges, and establish credibility.
Next, the infiltrator would conduct reconnaissance to gather information about the facility. This might include studying building blueprints, noting guard schedules, and identifying high-traffic times. It also might include walking around the facility to visually identify potential vulnerabilities like poorly lit areas, hidden corners, surveillance cameras, overgrown landscaping, faulty security fencing, or unguarded access points.
2. Building rapport
Once armed with gathered information, the infiltrator builds a relationship by posing as a trustworthy individual. They employ various techniques to create rapport, such as using familiar language, dressing a certain way to complement the ruse, referencing shared interests, or exploiting authority figures.
3. Request for information or action
Having established a sense of trust, the infiltrator skillfully manipulates the victim into divulging sensitive information or performing an action.
4. Outcome
If the victim falls prey to the infiltrator's ploy and performs the desired action, the infiltrator achieves their objective. This success could result in unauthorized access, compromised security, stolen data, or fraud.
Some examples of social engineering scenarios
When it comes to penetration testing, highly skilled professionals think and act like real-world infiltrators. This realistic approach enables organizations to gain firsthand experience in responding to various threats, fostering resilience and preparedness among their personnel.
Mark aims to gain unauthorized access to a renowned tech firm's corporate headquarters. His strategy revolves around posing as a job applicant.
Mark started by conducting thorough online research about the company, its hiring process, and the roles it's currently hiring for. He finds out that the company is hiring for a role he has some knowledge about, which makes his act more convincing. He crafted a compelling story, highlighting skills and experiences that make him an attractive candidate.
When Mark arrived at the tech firm’s corporate headquarters, he presented himself as a job candidate. Mark was able to persuade the front desk personnel that he was a job candidate by creating a sense of urgency that is he running a little late and using the name of a department head who would be conducting the interview. Mark was issued a visitor's badge and was allowed to wait in a common area before the interview. While waiting, Mark excused himself to use the restroom but instead entered restricted areas where he gained unauthorized access to important company information.
She mentioned specific company contacts and used industry jargon to make her story more credible.
In a different scenario, Alice targets a mid-sized corporation that’s about to release a product. She wants to gain unauthorized entry to the company's secure facility to plant surveillance equipment for a competitor.
During the research phase, Alice discovered that the corporation frequently uses contractors for maintenance work. She decided to pose as a maintenance worker and crafted a believable story. She called the front desk of the corporation, introducing herself as a tech scheduled to perform an unexpected yet critical inspection of the HVAC system. She mentioned specific company contacts and used industry jargon to make her story more credible.
Dressed in a typical maintenance tech uniform and equipped with a toolbox for added credibility, Alice arrived at the corporation’s facility. She confidently approached the front desk, reminded the receptionist of the call, and requested to be let in to perform the inspection.
In this scenario, Alice’s pretext was convincing. Once she bypassed the organization’s first line of security, she was able to successfully carry out her mission.
He approaches the secure entrance and pretends to search his pockets for his security badge.
Would-be infiltrator Tom, on the other hand, targeted a large corporate office during the morning rush hour, a time when employees are hurrying into work. He planned to exploit the chaos by tailgating through security. This high-traffic period increases his chances of blending in with the crowd.
Tom dressed to look like an employee, in a suit, with a coffee cup and pile of paperwork in hand. He approached the secure entrance and pretended to search his pockets for his security badge, showcasing a look of frustration and urgency.
Spotting an employee about to enter, Tom approached them, explaining with a charming smile that he’d left his security badge at home. He apologized for the inconvenience and asked if he could enter with them, emphasizing that he was running late for an important meeting.
The unsuspecting employee, empathizing with Tom's predicament and swept up in his charm and apparent urgency, allows him to tailgate through the secure entrance.
These scenarios highlight the need to educate employees about security policies and have stringent visitor protocols and restricted access measures in place.
Not every attempt to breach a facility will be successful. Regardless of success or failure, pen tests are always beneficial for the client. It provides an opportunity to assess the effectiveness of their security measures and identify potential improvements. It's important to remember that threats persist, bad actors will continually seek ways to gain entry. If social engineering does not work, they will attempt other methods, so clients undergoing penetration testing anticipate multiple entry attempts during the testing period.
Countering social engineering attacks
Although social engineering is not a new concept, it has evolved to become more sophisticated and personalized. Social engineers have adapted their tactics to be less obvious and employ greater psychological manipulation. This makes it harder to detect and prevent such attacks, as infiltrators exploit our inherent trust and emotions.
Remaining vigilant, staying informed about evolving techniques, educating employees on the risks of both physical and digital social engineering attacks, and regularly reassessing and reinforcing security protocols will help organizations protect against social engineering attacks.
Penetration tests are an important part of any comprehensive security strategy. Connect with Pinkerton’s Investigations team to learn more about pen testing and how it can help your organization. Know your risk. Be safe.
*Digital social engineering tactics are often employed in digital or cyber social engineering attacks and often as precursors to a larger-scale cyberattack. Here are some common digital tactics:
- Spear phishing: This involves targeting specific individuals with the aim of duping them into divulging confidential information. Perpetrators send counterfeit messages, through mostly email, messaging, or texts, that appear to come from a trusted source to a specific individual or department within an organization, with the aim of gaining unauthorized access to sensitive information or systems.
- Vishing: Similar to spear phishing, this method employs voice communication, often via a telephone call, to deceive the victim into surrendering sensitive data.
- Water-holing: A strategy that entails either creating a malicious website or compromising a legitimate one, with the intention of exploiting its visitors. Visitors unknowingly download and install the malware, providing the attacker with access to their network and data.
- Baiting: Perpetrators will strategically leave a malware-infected physical device, like a USB flash drive, in a place where it's likely to be found. The bait, often labeled with enticing tags, lures the victim into using the device, which when plugged into a computer or a network, releases the malware and compromises the system.
