'Kramer' Is In The Building

[InfoSec News <alerts () infosecnews org>]

http://www.darkreading.com/blog/archives/2009/05/post_1.html

By Steve Stasiukonis
Hacked Off
Dark Reading
May 15, 2009

My firm, Secure Network Technologies, was recently hired by a large 
healthcare provider to perform a security assessment. As part of the 
job, my partner, Bob Clary, posed as an employee, similar to the 
"Seinfeld" episode in which Kramer shows up and works at a company where 
he was never actually hired.

The job included both an internal and external network examination. The 
company had a significant number of internal systems, so being on the 
inside to perform the needed scanning helped considerably.

The client also had moved into a new building and requested we test its 
physical security and social-engineer our way into the building to 
connect to the network. By leveraging the ability to be on the inside of 
the network, our vulnerability scanning and testing of its network 
security would be considerably more efficient.

So Bob entered the building as if he were just another employee. Unlike 
other social-engineering efforts that require disguises, following the 
company dress code of business casual seemed appropriate. Bob wore his 
favored attire of blue jeans and t-shirt, accompanied by white sneakers.

When he entered the building on day one, he walked by security and rode 
the elevator to the first available floor. Within minutes, he had 
located an empty cubicle, connected his laptop, and started scanning the 
network. On day two, he entered the building and successfully 
commandeered another floor and cubicle. Within the next few days, Bob 
was reserving conference rooms -- and in some cases, asking occupants to 
leave when they overstayed their reserved time.

[...]


--
LayerOne 2009, Information Security for the discerning professional. 
May 23-24 2009 @ The Anaheim Marriott in Anaheim, California 
Visit http://layerone.info for more information