Compliance and security standards

Ultimately, all compliance standards are designed to provide a benchmark against which to measure an organization’s information security state. The greater an organization adheres to these “best practices”; the greater their risk mitigation against various legislative infringements, even where there is no direct mention of it within those standards.

A recent example highlights the consequences of legislative breaches of this type. In April 2011, Sony Computer Entertainment Europe suffered a breach of its playstation network. Usernames, passwords, and personal data were taken during the attack. Encrypted credit card data was also taken, although no mention has been made of the strength of the encryption since.

Sony was subsequently fined £250,000 by the Information Commissioner’s Office (ICO) in January 2013. Sony had intended to appeal this decision but have more recently accepted the fine.

£250,000 may be pocket change to Sony, but it certainly isn’t to the vast majority of organizations. The financial penalties cannot possibly match the embarrassment and damage to reputation suffered due to this fiasco.

Sony is not the only organization to fall foul of the legal ramifications of poor information security, so don’t be lulled into the idea that it can’t happen to your organization.

The European Union’s proposed General Data Protection Regulation (GDPR) makes it plain that things are not going to get easier anytime soon. The idea of the GDPR is to bring coherence to Data Protection Law in Europe by providing a single authority that will deal with the legally binding decisions made against corporations, as opposed to the multitude that we have currently. Along with it comes the potential for vast financial penalties based directly upon the organization’s annual sales. For Sony, this figure is going to be orders of magnitude more than £250,000.

The GDPR still may not make it through ratification, but it is obvious that clearer laws with stricter penalties for information breaches are on the horizon.

How does social engineering help to improve the information security state and avoid litigation? Any worthwhile information assurance industry standard will make provision for the concerns that social engineering can help directly with. Common concerns and issues identified by these standards are as follows:

How do these standards address some of these elements?

Payment Cards Industry Data Security Standard

At the time of writing we are at version 3 of the PCI DSS, which as noted above, is a standard dedicated to the protection of cardholder data. If a business stores, transmits, or processes credit card information then they are subject to the PCI DSS remit.

How does social engineering testing help to ensure that businesses are adequately protecting payment card data and ensuring that they are meeting the spirit of the PCI DSS (version 1) requirements?

Requirement 9 of PCI DSS covers the restriction of physical access to cardholder data. While the testing procedures can be carried out by a PCI DSS Qualified Security Assessor (QSA), it could be argued that engaging with a social engineering consultant as a side project could provide more relevant and accurate results. As an example, it is almost always going to be the case that any visit to a particular business by a QSA will be known about by all of the technical staff. What the assessment is unlikely to address is what is happening during day-to-day operations. Granted, they may well pass the PCI assessment on that specific date but that does not mean that the organization will be protected from payment card security breaches for the remainder of the year. The QSA assessment is much like a Ministry of Transport test.¹

Even small merchants can be fined tens of thousands of dollars if they are found to be noncompliant postbreach. While compliance sets a bar for security, it is not wise to merely scrape over it and hope for the best. Consistent and proactive testing of the policies and procedures is the only way to ensure that all is being done to reduce the risk of a breach. Engaging a team of social engineers to attempt physical access on a regular basis will not only help to ensure that the security is working as advertised but can also be very useful when it comes to staff awareness and education.

Requirement 12 of PCI DSS addresses security policies and procedures, including staff training and security awareness programs. The most relevant subsection for social engineers is 12.6. Requirement 12.6 covers the development and delivery of effective staff awareness training and is covered extensively in Chapter 15.

The real benefit of including social engineering, as a part of a staff awareness training, is IMPACT! Let’s be honest, the second PowerPoint is fired up, probably 30% of the audience is lost. Unfortunately as PCI DSS tries to address the three arms of information security – technology, people, and process – having an ineffective security awareness program may meet the mandated annual awareness training, but it does not provide the most effective method of addressing the people factor. Therefore the best way to ensure that the training is “fit for purpose” is to make it relevant to the audience. If a person was to be asked if they could be duped out of sensitive information over the phone, they would not believe it possible. To them the principal is silly, does not affect them, and is therefore not relevant.

Of course, social engineers know differently. Imagine the impact of announcing to staff that an unauthorized individual gained physical access to the premises as a result of a few well-placed phone calls or that the same individual tailgated a member of staff into a secure area. Immediately the penny will start to drop. Yes these sorts of things can happen, and probably are happening all the time, but at this point there is likely to be an increase in the amount of people paying close attention to the slides, asking questions, and probably an increase in the worried looks on faces around the room. Each person is now wondering if they were responsible for allowing a tailgater into the building, or if they arranged for access over the phone.

Effective awareness training must break through the “it will never happen” mentality as quickly as possible if you want to really engage your staff and make the session more valuable. Fear and paranoia need not always be negative, they can also be catalysts for positive change when it comes to security.

Section 12.9 of PCI DSS covers the testing of incident response plans. What better way to test them than to create an incident? Better yet, the incident will be controlled, executed according to specific parameters, and can be stopped at anytime. The same cannot be said of a real incident!

It is a common practice, as in many social engineering engagements, to only have a handful of people in-the-know when it comes to these incident simulations. There is little value in telling incident responders that something is going to happen.

ISO/IEC 27000 information security series

The breadth of the ISO 27000 series of standards is vast in scope. With the increasing pressure to improve their information security practices, businesses often choose to adopt the implementation of these standards. Therefore it is almost certain that personnel will come into contact with them at some point, and increasingly so as the standards develop. In fact, after more than eight years, the latest version (ISO/IEC 27001:2013) has been released bringing it in line with modern practices and to better prepare us for the sophistication of modern attacks.

Again, the key points within ISO/IEC 27001:2005 relate to education of staff through awareness programs and the control of physical security perimeters.

The vast majority of relevant sections of ISO/IEC 27001:2005 sit within Domain 8—Human Resource Security and Domain 9—Physical and Environmental Security.

Less mission impossible, more mission improbable

One of the bigger challenges in engaging with a client is getting to the root of their security concerns and developing a realistic scope. If the client is expecting to see the social engineer stuck to the 16th floor window using nothing but a pair of plungers, then they are probably going to need some help shaping their expectations. Ideally, the client should undergo a consultation process to allow them to talk about their worst fears and scariest what-ifs. From here, a realistic threat model can be built, and from that, a realistic scope. The earlier the involvement in this process, the sooner any kinks can be ironed out that may hinder the assessment down the line. Plenty more on this topic in Chapter 6 which is entirely dedicated to threat modeling.

Dealing with unrealistic time scales

Sometimes, no matter how much a client is guided toward a realistic goal, they just don’t have the budget to perform a thorough assessment. The challenge now becomes to identify as many potential issues as possible in the short time frame allowed. It is genuinely difficult to not compromise the ability to deliver a valuable service in these instances, and sometimes it is just better to walk away and maintain integrity. A frequent occurrence is when new projects are raised with half a day assigned to test the physical security of a site. These projects are typically tick-box exercises for the client who wants to know that someone cannot just walk in off the street. Unfortunately there is very little value in them for all involved, so do try to avoid being drawn down this path. The client’s time would be far better spent by having a member of the team on-site to give half a day’s training. In that time, they could cover off some of the more common attack types, give some real world examples, and finish off with some defense strategies.

How about sitting around a laptop with the client and showing them how much information can be gathered about them in a couple of hours using common tools? Stripping metadata from documents almost always raises a few eyebrows around the room, purely because it is typically overlooked by most organizations.

This sort of approach is very likely to have a positive impact. Not only will they win their respect and trust for guiding them down a more appropriate path for the timescale, but they will be more likely to end up calling the team back to assess them properly in repeat business.

Dealing with unrealistic time frames

Frequently, social engineering teams are involved in quite a lot of tests that have quite a short turnaround time for completion. Often this is taken out of their hands for any number of reasons. Unfortunately this can result in them having to test several geographically separate sites back to back within a few days. There have been several instances where they have found that security at one site has tipped off security at the other sites, including descriptions of the social engineers that so callously violated them on the previous day. It is recommended to always try and persuade the customer to avoid back to back tests and instead spread them out over longer time frames. Where this is not possible, try to ensure that different testers and pretexts are used for each site. Don’t forget that just because the team didn’t get made on day 1, it doesn’t mean that they didn’t raise suspicions. The security team may have reviewed CCTV footage and decided they were up to no good. As a result, the security across the entire business is at DEFCON 1 and anything that is tried just isn’t going to stick.

The best compromise in these situations, with a large enough team, is to deploy all operators simultaneously. Some level of centralized coordination is going to have to take place for this to come off, but there is significantly less chance of the entire team being burnt as a result of consecutive tests. The chances of security being this coordinated across all sites are fairly slim. By the time one site has figured out what is going on, the other assessments will either be well under a way or complete.

Taking one for the team

This challenge sits squarely in the social engineers court. The fact of the matter is social engineering, one of the most exciting jobs that anyone could wish to have.

The reason for this level of excitement is quite simply that there are risks involved that also make social engineering pretty tough on the guys and girls who do it for a living.

First of all, especially in the beginning, and assuming the social engineer isn’t a crook, they will be fighting a lifetime of social conditioning. Their parents no doubt brought them up to listen to people in authority, not to trespass or steal, and not to get into trouble with the police above all else. No doubt they never specifically mentioned picking locks, impersonating people, or conning people over the phone but this provides an idea. It is these reservations and anxieties that make social engineering challenging.

During social engineering engagements, there will be incidents where members of the team are collared by security guards and police, interrogated, surrounded and in some cases tackled to the ground during the course of the task. There’ll be the need to climb, scramble, and jump in order to achieve your objective. There’ll be times when there’s a requirement to dig around in the trash on many occasions too. It is for this reason that team members have to be willing to take one or sometimes two for the team. These are the occupational hazards of this industry!

Name and shame

One of the most common topics that we discuss with the clients is the policy of not naming and shaming individuals, even though this is very frequently requested. When a client has the circumstances explained to them, they will often find that they too would have probably fallen foul of the same tricks. If an employee has not been educated in how to identify and defend against social engineering attacks, how can they be expected to prevent them? There are some instances in which it is unavoidable to indirectly identify someone. The client will have a full timeline of events, so it is not a leap to find the security guard that was on the rota that day. Always try to steer the conversation down the road of education and training, not punishment. The security guard that just got duped is far less likely to let it happen again anytime soon!

Project management

Social engineering projects present something unique from a project management point of view that most people would probably overlook. This is simply that the client shouldn’t always be told what days the team will be on-site. This will be a foreign concept to project managers whose day-to-day job is to ensure smooth delivery of services to a client and to maintain seamless communication. Instead of specifying a day (or days) for your visit, choose to give the client a window during which the breach will be attempted and that window could be weeks or even months in length. Not taking the time to explain the subtleties of social engineering engagements to the members of the team often leads to the inevitability that the cover will be blown. Always ensure that the education about social engineering takes place within the social engineer’s business as well as your clients.

Getting the right people

This could probably be categorized as being the most difficult task in the entire assessment. It is difficult enough to find good people to come and fix a boiler, so how on earth does someone start looking for people in such a niche field?

Recommendations are a good starting point. What other organizations in the industry have engaged with social engineers? A reference via word of mouth is always a good start. It would be wise to try and get some detail from the individual such as the type of assessment and how the testers conducted themselves throughout the process. The only problem with word of mouth and recommendations is that the results of a social engineering assessment are likely to be a closely guarded secret for most organizations. As a result of this, it is unlikely that the level of detail could be achieved that would provide peace of mind.

Accreditations and certifications can also lend credibility to an organization, but these are not likely to be directly related to social engineering. It is likely that they will be information security related certifications and are likely to be related to penetration testing and other technology types. A few good certifications to look out for are things such as CESG’s CHECK qualifications; team member, team leader (Infrastructure), and team leader (Web App). ISO certifications or affiliations with other information security bodies can also be a good indicator. Unfortunately as none of these are directly related to social engineering, they can help provide peace of mind that you are dealing with people who have a proven track record of dealing with highly sensitive information and scenarios.

It can also be worthwhile to speak with existing providers of security services. It is very common for penetration testing outfits to also offer social engineering, purely because there is a lot of technology and skill overlap. It is worthwhile to set up a call or meeting with one of the team members to get them to walk through some example assessments. This should provide a flavor of their level of experience, fairly easily.

Lastly, take a look around at people who have published work in the field. Maybe they have delivered talks at Industry events or released tools to support social engineering or information gathering work.

If there’s still some uncertainty at this point, it might be a good idea to engage with the chosen provider in a short assessment. A reconnaissance exercise or capture the flag can often prove insightful. When presented with social engineering, some clients have stated that they didn’t feel that social engineering was a risk to them, because their staff would never give out sensitive information. This would usually result in them being asked to carry out a small challenge, and if it was met it then maybe they would consider further work down the line. As the client, they have the prerogative to flip this and challenge the vendor to see what they are made of. Ask them to find out some key pieces of information that shouldn’t be public knowledge and see how far they get. The results might be very surprising.

The Computer Misuse Act 1990 (UK)—http://www.legislation.gov.uk/ukpga/1990/18

The Computer Misuse Act (CMA) is split into three main sections.

The Police and Justice Act 2006 (UK)—http://www.legislation.gov.uk/ukpga/2006/48/contents

The Police and Justice Act makes several important amendments to the CMA that are relevant to security testers. First of all, increased penalties were included which have already been noted in the CMA section.

It also makes the following illegal.

Regulation of Investigatory Powers Act 2000 (UK)—http://www.legislation.gov.uk/ukpga/2000/23/introduction

While Regulation of Investigatory Powers Act (RIPA) has often been covered in other materials relating to penetration testing and social engineering, it is worth noting that its scope is limited to public authorities, www.gov.uk offers some insight.

Given that this is the case, the only realistic reasons that anyone needs to be concerned about RIPA are as follows:

Further information is available at https://www.gov.uk/surveillance-and-counter-terrorism.

The Human Rights Act 1998 (UK)—http://www.legislation.gov.uk/ukpga/1998/42/contents

The Human Rights Act came into force in the UK in 2000. Its scope regarding penetration testing and social engineering is mostly related to privacy of an individual data. Article 8 is our only real area of focus.

Computer Fraud and Abuse Act—United States

The Computer Fraud and Abuse Act (CFAA) is essentially an equivalent to the CMA as previously described. There are some key differences, most notably that it applies to “protected computers” only.

Looking into US law via law.cornell.edu defines the meaning of “protected computer.”

The crimes covered under the CFAA are extensively documented at law.cornell.edu, but we will touch upon them briefly here for reference.

The maximum sentence for crimes committed that are covered by the CFAA is 20 years imprisonment. While we are at risk of repeating this, accurately defining a proper scope and understanding the work to be undertaken should ensure that the correct path is followed. Application of a level of common sense is always going to help too. Ensure that there is a signed off scope from a person in authority before accessing a computer so that the “without authorization” becomes a non-issue. The rest of the CFAA should not apply to a tester as it covers truly malicious acts, destructive, and otherwise.

To summarize the Legislative Concerns section, get a signed off scope! This chapter has covered most of the laws that could apply to this profession each of which rely heavily on the unauthorized access aspect. Ensure that the task is signed off by a person who has the authority to do so, and then the scope is stuck to religiously. It is a good idea to raise any potential risks upfront so that the client is aware of any potential for legal ramifications.

Pre-engagement interactions

This section covers all of the issues and challenges that are faced before the assessment begins.

The key points being:

We have already covered a lot of these topics in this chapter, but it is interesting just how applicable this is. Getting the scope right can also be merged to contain the goals of the assessment in many cases. Establishing the lines of communication is going to help ensure adequate protection during assessments and that the information is delivered to the right people, after all, it will often be very sensitive.

The Rules of Engagement section is also key in this line of work and could be included as a part of the scoping exercise.

Intelligence gathering

This section actually makes mention of social engineering, although it is more from the point of view of gathering intelligence to support a penetration test.

While some of the technologies and techniques may change, intelligence gathering during a social engineering engagement is probably the most significant phase, and it will build a foundation for the remainder of the test.

At this phase of a test, example exercises include gathering corporate email addresses from search engines and social networks, parsing document metadata from publicly available corporate documentation, and establishing contact details such as phone numbers for switch boards and receptions.

These topics are discussed in more detail in Chapter 8.

Threat modeling

This section covers the identification of key assets within an organization, and the impact that would result from a compromise of said assets. An asset, for the purpose of social engineering, could be a person, a system, or a piece of key data, such as credit card numbers or passwords.

Threat modeling during social engineering is more likely to be an interactive process with the client, undertaken during the scoping exercise, as already covered in the Engagement section. For the purposes of this section, Vulnerability Analysis will be collapsed under the same heading. Chapter 6 will cover effective threat modeling.

Exploitation

The exploitation phase could just as easily be called the execution phase where social engineering is concerned. It is here that all of that gathered reconnaissance information and the previously built pretexts are executed in order to meet the objectives.

The execution or exploitation of the predefined plan could come in several forms. This could involve being expected to retrieve sensitive data from a dumpster, gain physical access to a building, or determine the alarm code purely by making targeted phone calls. Everything leads up to this phase and it feeds everything following on from it. These topics will be covered throughout the book in greater detail.

Post exploitation

Post exploitation/execution covers everything that should be performed, following on from a successful exploitation. For example, a successful exploitation may have been to gain physical access to the building by tailgating. The post execution task may be to gather up sensitive information and exfiltrate without being caught or noticed. It could be that the task is to connect to the network and enumerate as much information as possible from corporate hosts. The execution and post execution phases would often be collapsed into one and other during most engagements, but it isn’t uncommon to have primary and secondary objectives.

Reporting

Reporting would cover both the written report as well as a verbal debrief with the client. These are covered briefly in this chapter but are covered in detail during Chapter 13.

The purpose of this section wasn’t to go into detail on each individual topic, as they are covered throughout the book already. The purpose was to build a framework for social engineering assessments, which could be applied to each engagement. Without digging into the detail of PTES, its concepts can be applied to build our framework, which will hopefully improve the operational efficiency and effectiveness of the social engineering projects.

For further information on frameworks, take a look at the table of contents of this book. A great deal of what has been covered can be transferred across, quite easily. The table of contents is actually a framework for social engineering in its own right.

Scoping documents

It is critical to any social engineering engagement that a scoping document has been signed off by the client, and equally important that it is validated by a social engineer long before the project kicks off.

While the scoping document will obviously need to be customized to fit the needs, here are some examples of what should be included.

Contact details

A primary and secondary contact should be agreed. The importance of this cannot be underestimated, as these are the people that are called in the event of getting caught during the physical portion of an assessment. It is vital that both contacts are available on the test days. It is recommended that the contacts are the only people aware of the assessment. The more people that are kept in the loop, the more chance there is that the assessment will fail.

If more people are included, a list of any and all people that have been made aware of the upcoming test should also be within the document. This can help avoid any embarrassing situations where attempts to extract information are made from somebody who knows that the test is being carried out.

Type of testing

It may be the case that boiler plate test types are offered, as well as more bespoke offerings as a social engineer. However, it can be a good idea to offer both. Not only will it help the supporting sales force, but it can also work as a menu, for clients, enabling them to pick or choose what they feel would benefit them as a business. That is not to say that customers shouldn’t be steered toward what would be more beneficial to them, after all, the social engineer is well experienced in this field. There will be more on this topic in Chapter 6, which deals with effective threat modeling. In any case, this section would document what is required, including any special or custom requirements. This may include specific departments or resources to target. A good example often used is to attempt to “borrow” a corporate laptop and leave the building. This kind of task should definitely result in the engineer scrambling around for that get out of jail free letter, which is covered at the end of this section.

Scope limitations

This section offers the client the ability to identify items that are totally off limits. Lock picking is a good example.

Usually there are tick boxes in this section with a list of things that are likely to do on a typical test. This makes the process a little simpler for the client, but is not a replacement for consulting with the client prior to the scope sign off.

The scoping document will contain some fairly critical information and will hopefully help keep the engineer out of trouble during the assessment. What happens if the engineer gets busted though? Engineers often find themselves surrounded by security guards on tests and ending up sat in police interview rooms for extended periods before now. These are the breaks in this game. What stops the engineer being arrested?

The answer here is “get out of jail free letters.”

Get out of jail free

Unlike monopoly, this is not a license to commit crime with impunity, merely a letter of authority in the event that the engineers are caught or challenged during an assessment. It is a letter to the challenger asking them to call the designated contact and explaining that this is part of a legitimate audit.

Usually this would include a section about treating the bearer of the letter with courtesy and respect. Unfortunately there is no guarantee that this will be followed. Again, this is just the nature of the game in some instances.

The debrief

The debrief is typically a sit-down chat with the clients to go through the results of the assessment, along with a run through any evidence or collateral you have gathered. There have been several instances where during a social engineering engagement the engineers have gained physical access to a client site, and just turned up at their office for the debrief, or called them from one of their board room phones. While this kind of thing certainly adds impact to proceedings, there certainly is a need to know the audience before trying it. The last thing needed is to cause offense or appear to be showboating.

During the debrief, it is useful to bring along any evidence that has been gathered throughout the assessment. Photographs and videos are always interesting to the client and can really emphasize the points being made. A detailed timeline of events is also crucial to the debrief. It is worth pointing out that gathering this evidence while performing the assessment can be very difficult, but certain types of technology, such as hidden cameras and microphones, can make it far easier.

There are many ways to deliver this, either with the breakout of PowerPoint slides or as an informal chat. Either way the formalities can be covered in the written report that follows.

It is essential that the awareness of the emotional state of the people being debriefed is understood. It is not uncommon for people to be shocked or even angry that they were breached and immediately start blame storming. The information has to be delivered with tact throughout the process. Avoid naming names or pointing fingers at individuals. Embarrassing or belittling people, even unintentionally, is not helpful to the process and is likely to cause resistance and resentment toward you and your findings. This is why splitting the deliverables between a debrief and a report works so well. The debrief allows the client to come to terms with what has happened, while explaining that the issues identified were procedural and not a fault of an individual, which is almost always true. By the time the written report arrives, likely a week later, things have settled down a little and the report can be looked upon in a more constructive manner.

The debrief is not just a delivery of results, it is also the responsibility as a professional to ensure that the client does not go postal during the process. The only way to do this is to educate them as to the holes within their processes and procedures and not to look at these issues as individual mistakes, which they almost always are not.

As well as going through the individual issues that were identified during testing, time should be dedicated toward addressing remediation. In the vast majority of cases, the remediation is purely educational in nature. The advice should ideally find its way into the next round of staff awareness training to ensure that significant improvements are made. The security as a lifecycle mentality works well here with constant re-education and re-testing contributing toward a far healthier posture.

It is also during the debrief that we would return anything that we had purloined during the assessment. It is not uncommon to have to remove pieces of data, records, or even equipment during testing. This obviously is only ever done with the express consent of the contact prior to the engagement and is limited to corporate property.

The report

The written report, as previously noted, will have some content overlap with the debrief, but will go into far greater detail on many fronts. It is very likely that the written report will find its way to the desks of people at all levels within an organization. This means that the report will have to cater to each of those individuals. High-level summaries for management as well as deep-dive technical information should both be covered within the report to ensure that the results gain the necessary buy-in at all levels of the business. After all, what is the point of the exercise if the results are not actioned? Exercises in futility are as frustrating for the social engineer as they are for the client, everybody needs to able to see the value in what they do!

The initial sections of the report will largely be standardized across the board and come from stock templates. These sections will include background information on the social engineers as a business and as individuals. It will include relevant qualifications and experience within the business and information about the methodology applied to the testing. Information obtained during the scoping stages and from the scoping document will also feed into these initial sections. A statement of the objectives of the testing and any limitations on the scope should be mentioned.

The way in which the report is now laid out is largely down to personal preference. The most logical way to format the report is according to the methodology that has been followed. This layout should also naturally end up showing the chronology starting with the reconnaissance/information gathering phase.

Each section should have a summary of findings, any additional detail included, and any supporting evidence such as photographs, video, or sound recordings. It should finish by offering remediation advice that can help the client address the flaw(s).

Included is an example from a reconnaissance effort during testing.

This example has clearly laid out the issues, the associated risks, and a clear path for remediation. However this stopped short of recommending individual products for the cleaning of metadata, but this could go down to that level, if appropriate, as there are plenty of tools available. It also avoided getting too technical or using too much technical jargon at this stage. Further detail on each successful attack will be available further into the report. If a phishing attack was successful, reference the metadata issue as a starting point of the attack. Then include some screenshots of the email that was crafted, along with shots of the amount of clicks that it generated within the user base, the impact of that section of the report would be greatly increased. Having visual aids within a report makes a big difference for most readers, it really highlights the proof of concept and breaks up the wall of text that the report could otherwise become.

Chapter 13 will cover written reports in detail, so we will wrap up this section with a few key points before moving on.

The generalist

The generalist is the all-purpose, do-it-all team member. They are likely to be the less experienced members of the team and have the least developed skill set and levels of experience, however you may need more experienced engineers to fill this role to make up the numbers.

The ethical hacker

The ethical hacker is your ace in the hole when you have gained physical access to the building and need to retrieve data from the network. This role will be filled by a penetration tester, preferably one who can stay calm under pressure. Gaining access to systems is a completely different ball game when there are security guards looking for the engineers, or when there is a very restrictive time window to exfiltrate.

The burner

A “burner” is a common term for a mobile phone that is used for shady business and cannot be traced to its actual owner by any means. As such, it can be disposed of without hesitation or guilt. The burner is the sacrificial lamb. It’s the team member that is sent in to carry out a high-risk exercise, accepting that there may well temporarily lose the individual when they get caught in the act. The implementation of this play is often needed because the hand has been forced, and there are no other ways to gain the required intel.

If the use of distraction techniques is employed, the burner will be stepping into the fray for this task also. Distracting a set of guards and often receptionists can really open up doors for the rest of the team!

The social engineer

The social engineer in the team is the person skilled in the art of manipulation, persuasion, and deception. Some people are lucky enough to have these skills come naturally to them. Others have picked them up throughout their careers in other roles. Sales people, for example, already apply the tricks of the trade without even realizing that it is social engineering! Listening to a sales person trying to get a receptionist or call center to pass their call through to a CTO or similar can be an eye opening experience. Regularly the sales team is asked to drop into this role and make calls as a part of our engagements.

As well as the supporting sales staff, there might be at least one dedicated social engineer on the team. It is most likely that he would spend the vast majority of his time on the phone trying to manipulate individuals into gaining entry for the generalists. Even though this is the case, never underestimate the power of face-to-face social engineering. People get calls they don’t want to deal with, or that seem suspicious all the time, but exposure to this in person is far rarer and as such can be more likely to work.

The scout

The scout is responsible for all aspects of reconnaissance in the buildup and during the course of the engagement. This can range from gathering photographic evidence of the building and its security setup to establishing patrol times for guards. The scout will scope out entry and exit points, try to establish what door control mechanism is in use, and see if there is a particular time of day that may be more suited to the engagement. For example, if the plan is to tailgate the perimeter doors, the best time to do this is when the most people turn up to work. The more footfall there is through that door, the more opportunities there are to follow without looking too suspicious. There is nothing worse than standing around looking out of place waiting for someone to follow.

The scout will perform a good deal of initial reconnaissance from the comfort of the office too. It is surprising how much useful information can be turned up on images.google.com and maps.google.com. In fact, it is common to find high-resolution pictures with ID badges in them using this technique. Google Maps can be used to scope out the physical location with a degree of accuracy, but should not be relied on exclusively. Street view is a particularly useful tool, which can help to identify entrances and exits, smoking areas, and security gates.

The scout role will often be filled by a generalist within the team. It is fair to say that the reconnaissance phases of the engagement will be contributed to by the entire team, purely because of the importance of this information.

Getting all of the information in one place and getting around a table to discuss potential vectors is always a useful exercise.

The thief

Ok, so this individual isn’t really a thief, but using more romantic notions of the master thief there can be some parallels drawn between the two character types.

This role within the team is filled by a person who is quite likely to possess skills from all of the aforementioned categories. Above and beyond this, the thief will have lock picking and physical security skills, an awareness of security systems and how to bypass or avoid them as well as the ability to go unnoticed, even when in areas that are particularly sensitive or well secured.

Nerves of steel are required for this role. Picking locks isn’t the easiest task if the hands are shaking uncontrollably.