Sparsely staffed offices: the new post-pandemic cyber gap
With many offices still operating at limited capacity, a red teaming expert reveals how his job is getting easier, and why this is a problem
When the words "cyber attack" are used, many people picture a hacker hunched over a computer in a distant location, accessing networks remotely. But attacks on your networks don't necessarily have to begin offsite. Many businesses have weaknesses in their physical security posture, making it easy for malicious actors to access vital systems from inside the office.
Since the pandemic began, many offices have been either empty or much less crowded than they were the year before. This creates ideal conditions for attackers to gain physical access to abandoned or minimally staffed locations. While the opportunities to tailgate (follow closely behind someone through a controlled door) have lessened because of low foot traffic, it is still easy to gain entry to a building.
Sparsely staffed offices also give an attacker more time to locate poorly secured or unlocked ingress points. There are a number of readily available tools that allow an attacker with minimal skills to bypass common locking mechanisms. While most locations have alarm systems in place, they are often armed on a fixed schedule, something else an attacker can plan around. But an attacker can also simply knock on the front door.
Knock knock
In the middle of the pandemic, I was onsite at the offices of a retail chain, performing the physical security review portion of a social engineering job. I posed as a fire extinguisher inspector. I looked the part, with steel-toe boots, blue jeans, a clipboard, and a work shirt I had had custom-made that matched their vendor.
The location I visited would typically have close to 100 people during the workday, but because of the pandemic it had adopted a work-from-home policy and there were probably only five people there when I visited. I rang the bell at the front door several times before an employee just popped the door open.
I didn’t even have the chance to give him my cover story before he went back to his desk, located near the rear of the office. He was more irritated that his work was interrupted than he was concerned about verifying a vendor he let into the building. Sometimes it is just that easy!
Once inside…
Once an attacker has access to a location, there are plenty of options. They could do something as simple as steal equipment that may hold sensitive information, or do something more damaging that gives them persistent access to the network.
For persistent access, they could locate a live network jack and connect a small device that calls back to an attacker-controlled IP address. The attacker could then use this as their foothold within the network. An attacker could also connect a wireless device to the network and, as long as they were within a reasonable distance, connect to it over Wi-Fi from outside the building.
These are just two examples of devices being used, but there are numerous other methods. If workstation hard drives are not encrypted, an attacker can boot a machine from removable media and clear the local administrator password offline. The attacker would then simply log in to the host to begin an attack, or load a beacon that connects back to their command and control (C2) server.
This may sound unrealistic, but on some of the engagements I have been on, entire floors were devoid of employees and I was able to work at a relatively calm pace. Before the pandemic, I was typically rushed and would have to locate an empty workspace before I could begin.
Due to social distancing recommendations, the few people who are at a location will typically give you a wide berth. This also gives an attacker more time to rummage through desks to find sensitive information, such as passwords or personally identifiable information (PII).
What can you do to keep your physical location secure, even if you’re not there?
Physical security reviews
While many companies have recovered from the difficult task of enabling a remote workforce within such a short timeframe, now begins the task of plugging any security gaps that were uncovered during the pandemic. I highly recommend having a physical security review conducted.
While you may think you know what gaps there are, another pair of eyes may be able to pinpoint additional weaknesses. The findings in a report from an outside expert help validate current concerns and support requests to have these shortcomings addressed.
More employee education
Employees may already be familiar with social engineering through training about phishing, but they are typically much less familiar with social engineers who show up physically at the location. People are helpful by nature and will continue to be a weak link within an organisation, so it is imperative that regular security awareness training covers a wide range of topics, including both remote and onsite risks, and that staff know they are expected to verify a visitor before letting them in.
Multi-layer network protection
Protecting the network requires several layers to ensure nothing slips through. Network access control should be in place to identify and alert when a new media access control (MAC) address is detected on a wired port. MAC addresses can be spoofed, so this will not stop a careful attacker, but it will catch devices that are simply plugged in and left, and port-based authentication (802.1X) raises the bar further by refusing traffic from an unauthenticated device altogether. Regular sweeps should also be done to locate rogue wireless access points. Even though an access point can be configured not to broadcast its service set identifier (SSID), it still transmits beacon frames and answers probe requests, so it is still possible to catch it if you are listening with the correct tools.
Rogue USB devices are more difficult to catch because they will often masquerade as an innocuous device, such as a keyboard. Thorough logging of USB device enumeration (vendor and product IDs, device class, and the port used) makes it possible to spot a new "keyboard" appearing on a machine whose user has not changed, and device-control policies that only allow approved hardware IDs help prevent the attack in the first place. The actions taken by these devices, such as a keyboard typing out a script at inhuman speed, can also be caught by endpoint protection. Thankfully for defenders, endpoint protection has become better at catching malicious actions, but motivated attackers will usually find a way to bypass it.
And to safeguard hard drives, full-disk encryption is highly recommended. If a computer is stolen, an attacker is unlikely to be able to recover any information from the system. It also prevents an attacker from simply booting the machine from removable media and clearing the password for a local administrator account in order to log in, because the password database is no longer readable or writable offline.
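The two detection ideas above, a new MAC address showing up on the wired network and a new USB device enumerating on a host, share the same shape: compare what the logs show against a baseline and raise an alert on anything not in it. The following Python script is an added example, not code from the article or from Digital Defense, and it runs against constructed log lines embedded in the script. The DHCP lines follow the syntax ISC dhcpd writes to syslog, and the USB lines follow the messages the Linux kernel prints when a device enumerates; the MAC addresses, vendor/product IDs, hostnames and the approved-device lists are hypothetical values chosen for the example.

```python
"""Baseline-diff detection for rogue devices (added example, not part of the article).

Two detectors share one idea: anything the logs show that is not in the
baseline is an alert. All log lines and baselines below are constructed.
"""
import re

# ---- Network side: ISC dhcpd syslog lines (constructed sample) ----
# MAC addresses the asset inventory says belong on this segment (hypothetical).
KNOWN_MACS = {
    "3c:52:82:aa:bb:cc": "ws-finance-07",
    "00:1a:2b:3c:4d:5e": "printer-2f",
}

DHCP_LOG = """\
Mar 14 09:12:01 dhcp1 dhcpd[812]: DHCPACK on 10.20.5.31 to 3c:52:82:aa:bb:cc (ws-finance-07) via eth1
Mar 14 09:13:44 dhcp1 dhcpd[812]: DHCPACK on 10.20.5.77 to b8:27:eb:11:22:33 (raspberrypi) via eth1
Mar 14 09:14:02 dhcp1 dhcpd[812]: DHCPACK on 10.20.5.31 to 3c:52:82:aa:bb:cc (ws-finance-07) via eth1
Mar 14 09:20:10 dhcp1 dhcpd[812]: DHCPACK on 10.20.5.90 to 00:1a:2b:3c:4d:5e (printer-2f) via eth2
Mar 14 09:31:58 dhcp1 dhcpd[812]: DHCPACK on 10.20.5.78 to b8:27:eb:11:22:33 (raspberrypi) via eth1
"""

DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>[\d.]+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)


def find_unknown_macs(log_text, known_macs):
    """One alert per MAC that got a lease but is absent from the baseline.
    Repeated leases for the same MAC collapse into a single alert listing
    every IP it was handed, so an address-hopping device is one finding."""
    seen = {}
    for line in log_text.splitlines():
        m = DHCPACK_RE.search(line)
        if not m or m["mac"] in known_macs:
            continue
        entry = seen.setdefault(
            m["mac"], {"host": m["host"] or "?", "iface": m["iface"], "ips": []}
        )
        if m["ip"] not in entry["ips"]:
            entry["ips"].append(m["ip"])
    return [
        f"unknown MAC {mac} ({d['host']}) via {d['iface']}, leases: {', '.join(d['ips'])}"
        for mac, d in seen.items()
    ]


# ---- Host side: Linux kernel USB enumeration messages (constructed sample) ----
# Approved vendor:product IDs from the hardware standard (hypothetical).
APPROVED_USB = {"046d:c31c": "standard keyboard"}

USB_LOG = """\
kernel: usb 1-3: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
kernel: input: Logitech USB Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/input/input12
kernel: usb 1-4: New USB device found, idVendor=dead, idProduct=0001, bcdDevice= 1.00
kernel: input: Generic HID as /devices/pci0000:00/0000:00:14.0/usb1/1-4/1-4:1.2/input/input13
kernel: usb-storage 1-4:1.0: USB Mass Storage device detected
"""

NEW_DEV_RE = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
# The interface directory "<port>:<config>.<iface>" ties an input device back to its port.
INPUT_RE = re.compile(r"input: (?P<name>.+?) as /devices/\S*/(?P<port>[\d.-]+):\d+\.\d+/input/")
STORAGE_RE = re.compile(r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")


def find_suspicious_usb(log_text, approved):
    """Alert on devices whose vendor:product ID is not approved, and on any single
    device that presents both an input (keyboard-class) interface and mass
    storage: a plain keyboard has no reason to carry a disk."""
    devices = {}  # port -> {"id": vid:pid, "name": product string, "ifaces": set}
    for line in log_text.splitlines():
        if (m := NEW_DEV_RE.search(line)):
            devices[m["port"]] = {"id": f"{m['vid']}:{m['pid']}", "name": None, "ifaces": set()}
        elif (m := INPUT_RE.search(line)) and m["port"] in devices:
            devices[m["port"]]["ifaces"].add("input")
            devices[m["port"]]["name"] = m["name"]
        elif (m := STORAGE_RE.search(line)) and m["port"] in devices:
            devices[m["port"]]["ifaces"].add("storage")
    alerts = []
    for port, d in devices.items():
        reasons = []
        if d["id"] not in approved:
            reasons.append("not on approved list")
        if {"input", "storage"} <= d["ifaces"]:
            reasons.append("presents both keyboard/input and mass storage")
        if reasons:
            alerts.append(f"port {port} {d['id']} ({d['name'] or 'unnamed'}): " + "; ".join(reasons))
    return alerts


if __name__ == "__main__":
    for alert in find_unknown_macs(DHCP_LOG, KNOWN_MACS) + find_suspicious_usb(USB_LOG, APPROVED_USB):
        print("ALERT:", alert)
```

Run against the sample, the network detector reports the one unknown MAC (it appears twice with different addresses but is collapsed into a single finding), and the USB detector passes the approved keyboard on port 1-3 while flagging the device on port 1-4 for both an unapproved ID and the keyboard-plus-storage combination. In a real deployment the baselines would come from the asset inventory and the log lines from the DHCP server and endpoint syslog rather than from string literals, and a known MAC that starts appearing on an unexpected interface or switch port is a further signal worth adding.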
While the above is just a handful of scenarios that could play out, it is important to remember that security is about defence in depth: no single control stops an attacker who is already inside the building. Small steps to increase your security posture will pay off over time and help keep your organisation from being the subject of the next news article about a breach.
Kyle Gaertner is manager of security and compliance operations at Digital Defense, a HelpSystems company and leader in vulnerability management and threat assessment solutions. Follow him on LinkedIn.