We talk a lot about technical controls but a recent engagement reminded me that physical controls are just as important and, if the physical controls fail or aren’t implemented, technical controls generally fall easily (if an attacker has physical access to an asset, most bets are off).
The engagement was a penetration test and the objective was to determine the risk of an attacker gaining access to the client’s sensitive data. The client’s website, network perimeter and physical perimeter were all in scope (but social engineering was not) and we had a one week window.
For this engagement we took an ‘outside in’ approach, moving from the website to the network perimeter and then on to the physical building. The idea was that we were more likely to find a foothold in either the website or the network perimeter than the physical building (which had cameras, locks, alarms, etc.). The website was a fully patched WordPress site with minimal plugins (also all up to date) that was well monitored and maintained. The client had 5 usable IP addresses at their perimeter but the only thing exposed was an SSL VPN portal on their firewall that was also well maintained. We tried but, considering our operating window, quickly determined that there was no road to success here.
After striking out on the website and network perimeter and with social engineering off the table, we weren’t optimistic at this point about getting in based on our initial recon of the facility. We were three (of five) days into the engagement at this point though and were looking for a Hail Mary. We decided to go into the building to look around again and test to see if we were challenged and, if so, how and by whom. We spent about 20 minutes walking aimlessly around the office, wiggling door knobs and peeking in closets and, although we were spotted a couple of times by a couple of different people (all of whom were very pleasant), we were never challenged. We also noticed that there were no actual wires going to most of the cameras.

We set a lookout in an adjacent parking lot, just in case, and it was from there that we found our way in. The back of the building had a narrow roadway that was used primarily for garbage pickup, and there was a nondescript steel double door at the back of the office. A thick row of trees between the roadway and the next set of buildings obscured the view of the back of the building (unless you were parked, all stalker-like, in the adjacent parking lot staring at the building). We saw one of the employees take a smoke break and, when she went back in, the door did not close completely. We watched a bit longer and about an hour later she returned; after her break the door again failed to close. We decided to wait until our smoke break friend had just finished a break, give her 5 minutes to get back to whatever she did, and then try the back door. Just inside the unlocked door we saw shelves of banker boxes with hard copies of the data and a rack with network equipment (ISP equipment, firewall, switches); we had hit gold. We were able to get pictures of the banker boxes and to connect a drop box to the network that gave us our foothold.
In the day and a half that we had left with the drop box, we were able to discover that the client used unencrypted email to send and receive sensitive information (we were able to capture the email usernames, passwords and content) and that several employees used the same username and password combinations for their VPN accounts that they used for the unencrypted email accounts.
This was a client that believed that they were doing all of the right things and, from a technical perspective, they were right on most counts. The network had the typical ‘hard outer shell’ but also had the ‘soft squishy inside’ with the use of unencrypted email and easy access to the equipment (though the smoker not checking the door behind her really wasn’t the IT department’s fault). The foothold that we were able to leverage to get the keys to the kingdom was the chronically unlocked door. From there, we had immediate access to boxes and boxes of sensitive data and the network backbone (inside the firewall). We were able to get a drop box on the network undetected and, with that, easily siphon off additional data (we just got usernames and passwords but were able to confirm that exfiltrating additional data would be trivial). The client has since added an alarm sensor to the back door and adjusted the mechanism to make certain that it closes. The backbone equipment was moved to a room with a locking door, and cameras have also been added to cover each side of the building and the equipment room. Lastly, the employees have been empowered to question strangers wandering around the halls and incentivized (they’re recognized at the company’s quarterly meetings for helping to ‘secure the ship’) to help make certain that such a breach can’t happen in the future.