There is an interesting article on social engineering called "5 Security Holes at the Office" by Joan Goodchild, featuring information on how they "poked around a secure building with social engineering expert Chris Nickerson and found several ways a criminal could get inside and access sensitive data."
Chris Nickerson is the founder of Lares, a security consultancy based in Colorado that specializes in assessing risk in real environments by identifying key vulnerabilities in building security. They are hired to break into buildings and find out where the security gaps lie.
The article narrated how they spent an afternoon in a building chosen at random to "find ways a con artist might be able to get inside the facility and pretend to be an employee where potential to steal data, hack a network, or commit some other crime is high". Nickerson advised that "most offices, even the most secure, have holes".
Here is what social engineering expert Chris Nickerson reveals about what criminals look for when it comes to vulnerabilities in building security.
Vulnerabilities In Building Security
Even if a building has a secured entrance that requires identification to get inside, it could still be vulnerable if it lacks external camera coverage. Nickerson cautions, "I could be a lurker-stalker guy and hang out in woods, (or, here in SoCal, in a secluded parking area, or walkway between buildings), beat someone's badge out of them or steal something."
The next security risk arises when the generator on the property is not caged or protected externally in any way. In the article, Nickerson was able to get into the generator and "open it with ease because it was unlocked."
Goodchild wrote, "In addition to the obvious gap this leaves in a building's business continuity/disaster recovery plan, Nickerson also pointed out how the generator can be used in a social engineering scam."
"It is pretty obvious, now that we see a generator, that there is a data center inside. It's pretty easy to deduce that they have things that have to stay running," Nickerson adds. "So if we cut the power here, you'll have full corporate denial of service. Everybody freaks out and then he (a con artist) walks in while everybody is freaking out and steals things."
Next, they checked the back entrance, where Nickerson quickly spotted a smoking section. Nickerson points out, "A common tactic for entering a secured building unseen is to hang out in the smoking area and wait to be let in by an unsuspecting employee." "A social engineer's best friend is a cigarette," said Nickerson. Employee education on not holding doors open for others is yours.
Nickerson said opening unlocked cars is another common social engineering strategy. He said, "People always leave their cars unlocked and there are always badges and other stuff in there. It's a good place to get in and get all the credentials you need."
Nickerson pointed out that the facility's trash compactor brings the sensitive information outside and more directly into the hands of a thief. "Because they are compactors, it usually means they hold five times the amount of sensitive and bad stuff because they take forever to get emptied," he said, and a savvy criminal could rent a vehicle that looks like a legitimate business van or car, such as a generic white van, park next to the compactor, and "shovel it in."
"Some even go as far as to make a decal with a business logo that can be affixed to the side of the vehicle so no one will question why the compactor is being emptied." A malicious person can "look at the facility and get an idea of what some of the outs are: the sprinkler and lawn care service, the trash service, the internal cleaning services."
In conclusion, good access control systems, combined with video cameras that cover all possible entry areas, including those not used by the general public and those not used as main employee entrances, are a must for maximum protection.
Further, card key systems rely on cards or fobs that can be stolen, which might open you up to possible theft, so PINs with keypads or biometric entry devices using fingerprints might be a more secure option to consider as an upgrade.