Ever heard the phrase ‘Loose lips sink ships?’
If an attacker (or anyone else) wants to know what’s going on in an organization, all they need to do is go to lunch. Hitting the popular restaurants and cafes around the target location is a no-risk method for gathering data. If two or more coworkers are together for any length of time it’s almost inevitable that they will “talk shop.” The larger the group; the more detailed the conversation.
When I train security professionals in the ways of social engineering, one of their assignments is to go out to lunch and do nothing but listen to conversations around them and take notes. There’s usually a prize waiting for whoever brings back the juiciest story.
The next time you’re in a restaurant or coffee shop try it for yourself and see what knowledge can be gained by simply listening. Employees of the target company are usually easy to spot based on the forgotten ID card dangling from their neck or corporate shirts and jackets. This is also a fantastic opportunity to learn company lingo, internal structure and even office gossip.
Attackers also listen with devices other than their ears. Many organizations utilize RFID access systems to prevent unauthorized entry into their facilities. These access systems rely on ID cards and card readers to verify a person’s access level. Most ID cards are proximity-based. When the ID card is held up to the reader, it receives power from the reader in order to verify its contents.
Door controllers and servers then determine if the presented credentials are permitted into the secured area. Reading and reproducing the contents of the ID card can compromise some RFID access card systems. Multiple devices are available online that can read and store the contents of RFID cards within read range. Once the contents are stored, the attacker can produce a duplicate RFID card and use it to enter the building.
So, how do you defend against these threats?
First off, purchase an RFID blocking badgeholder. These devices prevent long-range reading of the card contents, but allow you to scan your badge by pinching the top of the cardholder without removing the card. Never leave your ID card unattended, especially in the car. If you’re leaving the office for lunch place your ID card in a pocket or bag. This prevents an attacker from associating you with your employer and prevents photographing of your ID card in order to produce a fictitious version.
Don’t forget about the lanyard, if it displays your company name be sure to place it in your pocket or bag as well. Also, be mindful of your conversations. Avoid discussing projects, clients, or other work-related details while in public; you never know who might be listening.
About the Author: Valerie Thomas is a Principal Information Security Consultant for Securicon LLC that specializes in social engineering and physical penetration testing. After obtaining her bachelor’s degree in Electronic Engineering, Valerie led information security assessments for the Defense Information Systems Agency (DISA) before joining private industry. Valerie is the coauthor of “Building an Information Security Awareness Program: Defending Against Social Engineering and Technical Threats” with Bill Gardner. Throughout her career, Valerie has conducted penetration tests, vulnerability assessments, compliance audits, and technical security training for executives, developers, and other security professionals.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
Check out Tripwire SecureScan™, a free, cloud-based vulnerability management service for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology – and it detects the ShellShock and Heartbleed vulnerability.
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
Image header courtesy of ShutterStock.com.