Social Engineering: A Story About How Breakfast Treats and Human Nature Led to Full Network Access

I sat in the parking lot watching employees walk in the corporate office.  Ready with my five dozen donuts, I waited until the perfect moment to see if I could infiltrate.  It’s like the start of a great superhero movie - except starring Kevin James and not Christian Bale.

I had been hired by the company for a physical social engineering assessment.  Only a few people (stakeholders and managers) within the company knew that this was occurring that day.  The goal was to see if I could gain entry into the building unnoticed and once in, what I could access.

I waited until a little after 8am and then stumbled to the door with my boxes of donuts.  Taking advantage of people’s kindness, one of them held the door for me with no questions asked.  My face was hidden behind the donuts.  No badge, no visitors’ pass, just donuts. 

Here I was.  I was in.  I had asked where the break room was and a kind woman pointed me down the hallway.  I thanked her as she walked off.  Alone now, I was free to wander the building.  I found the breakroom, but not before I noticed a few empty cubicles that I had to walk by to get to the breakroom.  I kept going but made a mental note of this area.  I put the donuts on the counter in the breakroom, took the lids off, and stood there, eating a donut.  I observed while people came in, grabbed some donuts, drank their coffee, and then walked back out.  I even said hi to a few of them.  Again, no questions asked.

After a few more minutes I walked out of the breakroom and made my way back those cubicles that I walked past earlier.  I found an empty one and sat down.  This particular cubicle had high walls and did not have direct visibility to the main hall that everyone walked down.  I felt like I could be there for quite a while without being seen.  Normally I would have to look under the desk and crawl around a little to find a network port, but this particular desk had it integrated into it.  I took off my backpack, grabbed my laptop and my Cat5 cable and plugged in - I’m connected.  Quickly I did an IPCONFIG to see if my laptop had grabbed an IP address, and it did.  Did a quick ping to the outside world and received a response.  I was fully connected to the internet and the internal network.

I was hired to not only infiltrate (check!), but to see what I could actually get to if I were successful.  I used Nmap to sweep the network.  The first thing I realized was that it was a flat network.  No segmentation.  My laptop was on the same network as the domain controllers, file servers, and other various systems.  Taking more time with Nmap, I was able to do a closer look and determine versions of systems, antiquated protocols and so on.  I was even able to find printers on the network.  Taking into consideration that large printer/copiers have default passwords that most organizations forget to change, I was able to log into the interface.  I found one particular printer that I was able to view the entire print queue as well as the print queue history.  I was able to view entire documents.  Lastly, I fired up a vulnerability scanning tool on my laptop and scanned the entire network for vulnerabilities.

After the scan was complete, I packed up and walked back to the breakroom.  I stood there, ate another donut, and then walked out.  Within an hour or so, I was able to successfully infiltrate the building without question and do total recon on their network.

Donut let your organization be infiltrated.

All too often this type of attack occurs at organizations across the world.  Money, resources, and priority is put into protecting the digital assets by implementing firewalls, antivirus, SIEM, and other defenses.  Many times, physical security is overlooked.  There were multiple things that happened here that shouldn’t have.

• I should not have been able to tailgate into the building. Tailgating is entering a building without scanning in by following someone else. Someone should have asked me to either swipe or at least show my badge.  Even after holding the door for me, someone pointed me directly to the breakroom knowing that I was alone.  My head was tucked behind donut boxes, but this should have been a flag. 
• As I stood in the breakroom silently, with no badge or visitor’s pass, no one asked me questions about who or why I was there.
• When I made my way to the cubicle and sat down, I was able to plug my Cat5 cable directly into their network. There was no system in place to authorize my laptop so that it could access the network. It was on within seconds.
• As I was scanning, there were no alerts tripped from heavy traffic coming from my laptop. Tools should have been in place to see this potentially malicious traffic coming from my system.
• Small things like printers should have default passwords changed. Consider any other IoT devices, especially those that may have been added during COVID-related remote work transitions.

It is extremely important to have a security culture that not only looks for anomalies like phishing emails, but also looks for other things that aren’t normal.  Wasn’t it strange that an unknown person brought 5 dozen donuts into headquarters?  Companies need to do a better job of teaching situational awareness and to look for things that aren’t right.  As the company’s firewall does a great job of keeping out malicious activity from around the world, we often have to be careful of what threats come from our own back yard.  Sometimes the internal network and facility can be just as vulnerable, if not more.

If you would like to learn more about how you can train and protect your facility by leveraging awareness training, contact us at Appalachia Technologies.  We will help you build a defense in depth strategy that will ensure that your organization is doing its due diligence.  Donut let this happen to you (yes, I went there...again).

 Mike Miller is a cybersecurity professional with 25 years of experience throughout the IT industry.  He has focused on security, specializing in the areas of Virtual Chief Information Security Officer services, Governance, Risk, and Compliance, PCI, SOC, Intrusion Detection, Penetration Testing, and Incident Response.  In 2011, Mike founded Cyber Protection Group, which was acquired by Appalachia in 2022.  Mike is passionate about mentoring and assisting aspiring cybersecurity professionals and can be found regularly sharing insight on his LinkedIn profile.  When he isn’t fighting cyber crime, Mike loves spending time with his wife and kids, often boating in the Ozarks.