Social Engineering Coup de Grâce

Posted by Keith McMillan

February 18, 2008 | 1 Comment

I did a security audit a few years ago for a healthcare provider’s IT department. One of the things I pointed out was that while I was asked when I signed in to their facilities for my name and car license plate, nobody asked for picture ID. Additionally, I noted that on several occasions when entering the building, the receptionist had a sign on the desk: “if you need assistance, pick up the phone and dial x…”. When I asked, I was told this person was part-time. Clearly, these folks didn’t feel they needed very good physical security.

You’d think, on the other hand, that the federal government, and in particular agencies like the Treasury and the Nuclear Regulatory Commission, would be more sensitive to the needs of physical security, which is why this article in the Washington City Paper is such an amazing story. This 19-year-old mother of two bluffed and blustered her way into very secure facilities doing little more than acting like she belonged there.

Witnesses who later realized they’d seen the thief said she passed muster at the time. The fact that she didn’t have an escort, one secretary reasoned, proved that she belonged in the building. Another employee described the potential suspect as dressing and acting like a typical secretary at the NRC. Those who stopped and questioned her gave up on their suspicions as soon as she started talking.

Her excuses were flimsy inventions. But people don’t like confrontations. They feel they’ve done enough if they ask a question and get an answer.

When I first started out of college, I held a job at a defense contractor, and we were very specifically told that if we found people wandering around whom we didn’t recognize, we should challenge them. We were also told what to do in the event we didn’t get answers that were satisfactory: walk the person to security. I had an occasion once where I encountered a group of visitors in a secured area, and they were without an escort. I knew that one of the VPs had visitors in, so I very cordially asked them whom they were visiting, and escorted them to the VP’s office, remarking when I arrived that I had found them without an escort. I didn’t stay long enough to find out if the VP was at all interested in that, or to give him my name.

I’ve seen what it takes to combat this sort of problem, and it’s really only a couple of things:

Following up on that last point, having a single person in charge of an area can be a big help as well. Psychology research shows that people look at others around them to help make a decision. They ask themselves “well, what is Bob doing? He’s not challenging the stranger, so I shouldn’t either.” Unfortunately, Bob is looking around as well, with the same question in mind.

Having a person who is in charge does two things: it means that the person in charge should not be looking at others to decide if they should challenge, and it gives others a person to whom they can address their concerns if they’re uncomfortable challenging by themselves.


1 Comment »

Comment by Peter H Coffin
2008-02-18 19:42:33

Last point of the three bulleted is especially vital, and one that I’ve never seen properly implemented…
