Visitors – you just can’t trust them

Keeping your server in your office keeps your data safe, right? Just make sure the firewall is working and you’re golden. Because if it’s inside your physical perimeter, it’s protected, isn’t it?

Well…

It depends on your visitor policies. Your what? All that boring stuff to do with signing people in, showing them to meeting rooms and bringing them coffee. You know, the drudgery you leave to the receptionist, because it’s beneath you.

I’ll tell you what, though – if I’m trying to penetrate your systems, nothing is beneath me. [Extra points for spotting the movie reference]. Here are some things I look for if I can get inside your building and have even a minute to myself unsupervised:

  1. A network port in a floor box – I can leave a small device plugged in here that will scan your network for vulnerabilities, catalogue everything it sees and give me a gateway back in from the outside. How often do you look in the floor boxes in your meeting rooms? Have you enabled port security on your network? [Clue: if you don’t know what that means, you haven’t done it].
  2. A USB port on an unattended PC – I can plug in a keylogger that records everything you type in, including passwords, or a weaponised USB stick that tries to compromise the PC (and the network). Do you monitor USB ports? Have you disabled them by default? Even then, the latest generation of compromise devices masquerade as keyboards, so they’re much harder to stop.
  3. Usernames displayed on PC lock screens. Now I know your internal domain name and how you construct your usernames. That makes it much easier to socially engineer your staff – “Hi, is that Bob? This is Joe from IT. Can I just check that your username is ACME-backslash-BOBSMITH? Great. OK, I need to do some work on your PC today – please let me have your password and let me know a good time to log in and I’ll get it done while you’re at lunch to save you the inconvenience.” Works more often than you’d like to think.
  4. Stuff just left lying around – passwords on Post-Its, of course, but also USB sticks, confidential printed documents, portable hard drives. I can make good use of the things other folk leave behind. [Extra points, again].
  5. CCTV cameras – you’d think they’d worry me. But in fact they’re often a great way in. Their in-built security is usually terrible, you’ve probably left them open to the internet so you can check on the camera feed when you’re out of the office, and no-one looks at the recordings unless there’s been a break-in. If I can get a chance to have a good look at the sticker on the back with useful technical information like the model number and MAC address, all the better.
  6. Same thing for firewalls, routers and WiFi access points – if they’re in open view I’ll know which model they are, and I can look up their vulnerabilities later. They might also have default WiFi keys printed on them, or a WPS button (which means I can just press it and connect to your network).
  7. WiFi-enabled printers – half the time people never bother to finish setting up the WiFi connection on a printer that also connects conventionally. So I do the setup instead, to suit me and give me a route to the network (and to monitor your printing activity, harvest usernames, potentially even send faxes that apparently come from you, depending on the printer and what it’s plugged into).
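Two of the items above – usernames on lock screens (3) and USB ports that nobody has disabled (2) – have a simple Windows-side check. The PowerShell script below is an added example and is not part of the original post; it assumes a Windows 10/11 or Server host, an elevated session, and the two registry values named in the comments. The script name, the `-Fix` switch and the report wording are my own choices. Run it with no arguments to report only, or with `-Fix` to set both values.

```powershell
# Added example (not from the original post): audit two Windows settings that
# matter to a visitor with a minute alone at a PC -- whether the lock/logon
# screen reveals the last signed-in username, and whether the USB mass-storage
# driver is enabled -- and optionally fix them. Run elevated.
[CmdletBinding()]
param(
    [switch]$Fix   # without -Fix the script only reports
)

# Each check names a registry value and the hardened setting we expect.
$checks = @(
    @{
        Name     = 'Hide last signed-in username on lock/logon screen'
        Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        Value    = 'DontDisplayLastUserName'   # same setting as the "Interactive logon: Do not display last user name" policy
        Expected = 1
    },
    @{
        Name     = 'USB mass-storage driver disabled by default'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
        Value    = 'Start'                     # 3 = manual (Windows default), 4 = disabled
        Expected = 4
    }
)

$failures = 0
foreach ($c in $checks) {
    $current = $null
    if (Test-Path $c.Path) {
        $current = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    }
    $shown = if ($null -eq $current) { 'not set' } else { $current }
    $ok = ($current -eq $c.Expected)
    $status = if ($ok) { 'OK  ' } else { 'FAIL' }
    Write-Host ("[{0}] {1} (current: {2}, expected: {3})" -f $status, $c.Name, $shown, $c.Expected)

    if (-not $ok) {
        $failures++
        if ($Fix) {
            # Create the key if it is missing, then create/overwrite the DWORD value.
            if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
            New-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Expected -PropertyType DWord -Force | Out-Null
            Write-Host ("       -> set {0}\{1} = {2}" -f $c.Path, $c.Value, $c.Expected)
        }
    }
}

# Non-zero exit code lets a scheduled task or RMM tool flag the machine.
if ($failures -gt 0 -and -not $Fix) { exit 1 } else { exit 0 }
```

On a domain the same two settings belong in Group Policy rather than in a script that edits the registry on each machine; the script is useful for checking that the policy actually landed on the PC in the meeting room. Note the limit the post itself points out: disabling the USBSTOR driver stops storage devices, but a device that presents itself as a keyboard is a different device class and needs device-control software or physical port blocking instead. Port security on the switch (item 1) is a separate, network-side control.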

I could go on. But you get the idea. Hot tips:

  • Don’t let anyone in without confirming their identity – whoever they say they are.
  • Treat all visitors without a confirmed appointment as suspicious.
  • Never leave a visitor unsupervised or let them walk around unescorted.
  • Have a badge policy and enforce it.
  • Assume that people are trying to compromise your network from the inside as well as the outside. Remember – the bad hat might be working for you.
  • Keep an eye on security vulnerabilities, or pay someone to do it for you. Here’s a recent one that allows me to take complete control of any Intel server with nothing but a network port somewhere on the same LAN.

Quick – go check who’s in your meeting rooms right now, and what they’re up to…
