I found an interesting article on Motherboard from a Pentester named Sophie Daniel. She did more than your standard online cybersecurity Penetration Testers do; she gained unrestricted physical access to a secure facility. Here’s the general process of the attack:
Acquired Business Information
- Solicited business Information through website data, aerial/satellite photographs, and maps.
Acquired Personnel Information
- Identified and indexed personnel who work there through LinkedIn associations.
- Obtained individual personnel social knowledge through Facebook posts.
Planned Entry
- Spoofed phone number to make it look like it was coming from the company’s headquarters.
- Setup an appointment reception for an approved “vendor”.
Gained Entry
- Showed up for the “appointment”.
- Explained away the lack of valid credentials with social media knowledge and exploiting people’s desire to be helpful..
- Gained escorted access within the building.
Performed Mission
- Lingered and stalled until escorts went back to their normal work.
- Now “trusted” and unescorted, accessed various locked offices with lockpick tools.
Sophie’s article can be found here: https://motherboard.vice.com/en_us/article/qv34zb/how-i-socially-engineer-myself-into-high-security-facilities
I cannot stress enough the need for strong physical access controls. Every company should at least have a written policy, complete with points of escalation. Periodically, you should hire someone to test your access controls. You can contact Sophie at Sincerely Security here: https://www.sinsec.net/