How often do you hold the door open for someone while walking around your office or building? Do you ever challenge people with no ID showing? If not, why not?
I’ll often challenge people with no ID walking through the doors in our building – sometimes to the frustration of the person I’m addressing. No matter how senior they look, they should be challenged. I sometimes find people think themselves too important or too busy to wear their ID, but this is no reason not to challenge them. They could be tailgating. Tailgating is a technique used by social engineers to gain access to areas they don’t have authority to access. The person may even engage you in conversation while approaching the doors in order to build up a level of familiarity. Of course, they know you’ll be too polite to then ask them to show you their ID after they’ve engaged with you.
Once through a secure door, it’s very unlikely they’ll be challenged by anyone as they wander freely around the building. All too often you’ll find people don’t want to make a scene or cause offence, or they assume it’s someone else’s problem. Apart from the obvious risk to people and possessions within a secured area, there is a major risk in terms of IT. All a social engineer needs to do is find an empty office or unattended reception desk with a computer on the desk, and within seconds they’ve opened a door into your organisation. They could then attach devices to the unattended computer that collect information about the computer’s user, the keystrokes they press or the wider network. It may also be possible to attach devices that give them open access to the network from a location outside the building, whenever they wish.
How often do you look at the back of your PC or laptop docking station?
For example, if you noticed this device plugged into the back of your PC or, even worse, in your server room, would you think anything of it? Most wouldn’t. Most would probably assume it was supposed to be there.
People are more often than not the weak point in any organisation. Social engineers know this and are very good at exploiting this vulnerability. Don’t be the weak point. Challenge unknown visitors.
Alex Cole – Cyber Security Technician