Red Teaming: How I can gain access to your building
Welcome to the first of our ‘Breakfast Series’ by cyber security expert Abdul Ikbal.
These posts are designed as short snappy reads whilst enjoying your bowl of captain crunch, or during your much loved morning commute #sarcasm, without nodding off or closing the tab on your browser.
A bit about me. I’m Abs, one of PR’s Managing Consultants. An unconventional leader (trying to be anyway) who loves banter, positive energy and giving excellent service. I try my best to keep the team at PR happy whilst exceeding client expectations. A techy with social skills who laughs at his own jokes.
I’m also part of PR’s Red Team which involves assuming the role of an attacker and entering business premises. Here are some insider tips on how it’s done, using non-intrusive means.
Want to check how good your organisation’s security is? Click here.
Red Team Goal: Zero to Hero
Zero being your company’s name and address – hero being me sitting on a chair in your office hacking your internal assets. During my years of breaking into buildings, this is what I’ve learned.
Confidence gives you access to mostly anywhere
I have a 100% success rate, so I probably know a thing or two, right?
Let’s make one thing clear; during a Red Team engagement, it’s all about confidence. I will convince you that I have visited your office for genuine reasons and you will allow me in.
So, how do you defend against a confident attacker with malicious intent?
Ask questions, be suspicious, be paranoid – don’t just take their word for it. Request ID, call the organisation they claim to be from and ring the colleague they claim to be reporting to. If you have any doubt as to the visitor’s legitimacy, deny entry and report them.
Politeness – your ticket to business premises
Good manners and doing the right thing were instilled in us from childhood. You hold open doors for others, don’t you? Why? Because it’s the decent thing to do and you do it.
‘Tailgating’ is the reason why I’m able to walk in, close behind your colleagues, make my way to your floor, sit myself down and start hacking your network. All because no one questioned me, which leads me to some advice.
Question and challenge everything
Everything you have ever known to be true is incorrect. Okay, maybe not that bad, or is it? A discussion for another day. Back to the subject at hand. Believe it or not, I’m rarely questioned or challenged as to who I am, why I’m there and who I’m there to see. All the more reason why I’m able to get in and out of your office within minutes.
So how do you defend against this?
Again, asking questions, being paranoid – don’t just take their word for it. If there is someone who doesn’t look quite right – suspicious behaviour, hanging around doors waiting for staff to open them to follow them in – challenge them!
You may have realised that none of the above involves anything sophisticated. Sure, I can pick locks, ease open windows and more, but why would I? I’ll simply take advantage of a lack staff vigilance and use my charms to get in.
Perspective Risk provides security awareness training and more. If you would like our help or have any comments or questions, we’d be delighted to hear from you. Please click here to contact us.