In an era when cyber and physical security concerns are interlocked, it’s important that firms be open-minded to the wide range of ever evolving threats they face. These threats put sensitive data at risk as well as the safety and wellbeing of staff and clients.
In an article for Data Center Knowledge, Maria Korolov details how a penetration testing firm breached the physical security safeguards of a data center in less than a week. Interestingly, the firm posed as a pest control company.
This specific case details the realities of how easy it is to get past the best security efforts of a company through unexpected, unusual means. It can serve as a cautionary wakeup call.
Modeling a breach
Korolov details that last November, Minneapolis-based penetration testing firm NetSPI was contracted to model the breach of a company that owns colocation facilities.
The project at hand involved social engineering to physically breach one of the company’s data centers.
“This was a highly secured facility,” Dalin McClellan, senior security consultant at NetSPI, said in the article. “All the doors have retina scanners and badge readers. And there are man traps. You go through the door into a small room and wave to wait for the first door to close before you can open the second door and come in.”
McClellan had just one week to carry out the breach, and faced the added challenge that the building in question only houses two employees in addition to a sole security guard. Anyone attempting to enter the building would immediately be detected.
A typical approach would be to pose as a potential client requesting a tour of the facility. For this project, the client provided NetSPI with the employee and building background information they would normally collect on their own ahead of time, such as hours employees work, names of regular vendors, among other pieces of information.
Posing as pest control
NetSPI noticed the company uses a recognized pest control brand. A consultant NetSPI works with also used this pest control company’s services and had access to the standard email they would normally use for their services.
The fake email said the pest control company would be arriving on a Friday and that they should be ready for their arrival. They received an email the following day that said, “‘Great, sounds good.’ ”
McClellan’s team succeeded.
They did everything to create the illusion they were the pest control company — from making authentic-looking shirts to renting a truck with the company logo.
The NetSPI team showed up at the gate, showed their actual drivers’ licenses and were let through. The company employee who responded to the email showed up at the entrance, scanned the retina of the NetSPI team member posing as an exterminator and let them all through. The computers were inside cages but they let NetSPI get into ceiling tiles to look for pests where McClellan said it would have been easy to install surveillance devices like video cameras or microphones.
After they left the building, the NetSPI called the data center back claiming there was paperwork to sign.
They were let back in and given permission to access the WiFi network.
An important lesson
The crucial lesson of this modeled breach is that companies must be vigilant about how they screen vendors and guests entering their physical data centers.
While this business had clear protocols in place, they didn’t have robust ways to assess external visitors.
One example includes the client domain name McClellan’s team used for the initial email — it had one extra letter than what would typically be used by the pest control company.
Always stay vigilant to keep you, your firm, and its physical security safe.
Peter Cavicchia II 