Ideally, a penetration test gives the client confidence about their defenses. That could mean anything from staff identifying an intruder before they can gain access to a server room, to ensuring nobody gives out sensitive information to a phisher.
But in practice, expert pen testers say those defenses are rarely as effective as they should be. Instead, they say, most organizations are completely unprepared for an attacker with a rudimentary knowledge of basic social engineering techniques. The prospect of someone unauthorized so easily gaining access to secured areas doesn’t bode well for companies investing in data centers, although those efforts are expected to boost the market size for penetration testing services, according to a Polaris Market Research report.
Just walk right in—no one’s stopping you: Black Hills Information Security owner John Strand is a well-known penetration tester who’s been in the business for over two decades. He once sent his own mom to waltz past guards at a South Dakota prison.
According to Strand, one of the key issues he runs across is staff who don’t feel empowered to challenge authority—whether that’s confirming that a request for a wire transfer really came from their boss, or allowing someone into a restricted area.
“If you look at a lot of people in authority, if somebody doesn’t respect their authority, they get completely bent out of shape, and they get mad, and ‘Don’t you know who I am?’” Strand told IT Brew.
“Unfortunately, as human beings, we aren’t really good at respectfully pushing back,” Strand said. “And unfortunately, whenever it comes to computer security and physical security, people don’t like to be challenged under any circumstances. It tends to get us very angry, especially if we have a legitimate reason to be there.”
Alethe Denis, a senior security consultant at Bishop Fox who won a Def Con Black Badge in a social engineering Capture the Flag contest, told IT Brew that bias is another tactic that allows her to slip past safeguards.
“Though I wish we lived in a world where bias did not exist, I’ve had three doctors this week ask me if I worked…or ‘You’re a housewife, right?’” Denis said. “And so it’s one of those things where I can blend in and pose as someone who either needs help, is lost, is a hot mess, is a mom who’s frazzled and just can’t find the right place to go.”
“I’m betting that most people will see that I am clearly not a threat, and not want to take the time or expend the energy to prove otherwise,” she added.
It’s not just about policy: Even when there are clear rules in place regarding things like unaccompanied visitors or lost devices and physical key cards, both pen testers said they’re often not enforced due to organizational snafus.
For example, Denis said that she often finds “pretty massive gaps” between what her clients believe policies accomplish, and how they work in practice.
“Sometimes it’s just a misunderstanding between various levels of the organization,” Denis said. “Some people believe that things are being handled one way, and that the policy is being followed. And oftentimes, that policy is being circumvented by the folks who are actually responsible for doing the day-to-day processes and transactions of that data.”
An organizational culture in which members dread interactions with their superiors, Strand told IT Brew, often creates gateways for malicious social engineers to push their way in.
“If I walk in, and I pretend to be a boss, or if I send you an email or phone call saying I am a person in management and they want funds transferred immediately, it should be okay for people to respectfully push back and say, ‘I need to have some verification; we need to double check this before we actually do that,’” Strand said.
Denis added, “Having that healthy level of suspicion is great, but it’s pretty worthless if you’re not empowering your employees to challenge those individuals.”