“When holding a lighter becomes holding a door, how does your Employee OnBoarding training hold up to Cyber Security and Counter Social Engineering?” by bits&digits
“Pero, what did it FEEEEL like, entiendes?”
Her pronunciation of the word “feel” resonated as if her very catracha soul was being spun in the deepest whirlwinds. She marveled at the sound of the feeling MDMA gives you when you are dancing the Central American rendition of a “dirty dance.” My Spanish was OK at the time, but this wasn’t the play. Inundating the crowd with barrels of ego is not playing the pauses. There was too much at stake on this. I wanted the crowd, or at least the 3 remaining on this devil’s porch, the gazebo where we stood, to “FEEL” me.
“Eso, no sé,” with the most eloquent pause I could apply. As I stared deeply into her eyes, I could see the glare of her boyfriend’s eye piercing through my back in HD... “Es RIIIIICOOO,” expanding the word “RICO” to match her passionate inquiry into my supposed first experience with the designer drug Molly in a hole-in-the-wall bar in downtown Tegucigalpa, Honduras. Almost all a lie, but of course, she didn’t know it. She thought she had just met one of the coolest brothers on the planet, or in Kentucky at least.
The brother behind me, however, probably did not share the same sentiment. If I waited too long, he would assume I was flirting with her. So I matched the synchronicity of her laugh with the depth of mine. (There are no tricks to faking laughs that I know about; just laughing with sincerity works.) Only losing eye contact to take a casual glance at my phone. Well, that’s a lie too. It wasn’t my phone.
The Set Up:
Only 30 minutes prior to this moment, I had traded my corporate phone for a fellow Internal Auditor’s personal cell phone. You see, he tried his best at stripping me of any credential, badge, or likeness of my employment with HealthCorps. As I said, the stakes were very high. There were testosterone-laden egos involved here.
No one would believe that this smooth-talking black man had been in the US Armed Services. And even further, there was no way on Planet Hollywood that I had actually done half of the things I said. But I did, with some of the most interesting agencies of our wonderful country, the US of A. Not that I had to prove myself, but I wanted to show that no base was impenetrable. And this little Sensitive Medical Record Processing station that had “Top Flight Security” was birdseed to a Tomahawk when it came to me getting inside. Trying my best not to trade confidence for ego, I made the call on the ride to the facility.
“You guys want to see what Penetration Testing is REALLY about?” All three of my then colleagues looked back at me in the van with a wary glance. Almost as if to say, “Here he goes again about how the World needs to change its understanding of Cyber Security and the Cyber War.” Seriously, I could see the disdain oozing like sweat from their pores. But this time, the taunt came with a wonderful present: a demonstration.
“No script, no prep, take my card, pull it, and place it on the wall of shame if I fail.” It was an offer even the VP couldn’t pass up, as he responded first.
“So, Mr. Tate. Are you saying you think you can get into the Data Center without a badge, with just your laptop and cell phone?”
I replied without looking at him once, intentionally. “No, Mr. Burn, that would be too much. You give me a laptop and a cell phone; I can get into the most sensitive SCIFs of the DPRK.” I chuckled, knowing that comment would be interpreted as far-fetched and even too much sarcasm to have any hint of truth. Plus, it was a taunt; I really wanted to do it. Being bored out of my skull, I wanted to KNOW that I still had it.
“Just give me YOUR personal cell phone. Take my wallet, take my badge, and drop me about a 1/4 mile from the facility. And here is my word.” Again the pause; I needed to set this up to make it too delicious for him to turn down. “I bet you gents first round and bragging rights that I will be in the meeting room, sitting with a pencil and pad, and A COMPUTER before you even enter the building. Being that it’s so ‘SECURE’ and all.”
Had we been 10 years younger, there would have been an echoing “OOOOHHHHHH!” But instead, there was nothing but a concert of cricket chirping silence. He paused, then said in his semi-authoritarian tone, “You know what, this is the day. Yes, sir, this is the day. I want to see this happen. I’ve been here 15 years. You have no idea how big the foot you have just put in your mouth actually is.”
As with all things in life, I bet not only on my acumen, but on the inefficient and unfederated cyber security training within the organization. Even more than I bet on the technological inadequacies. You see, exploiting the social domain in cyber security was somewhat of a knack of mine. At this juncture in my life, I had already worked for, operated under, and learned from the best in the game. We can start with Army Research Laboratories, Computer Network Operations and Defense Unit, which spent countless hours doing JUST THIS. The other agencies and their cyber escapades will remain precious for another memoir.
Understanding that people simply do not place enough time and effort into Employee OnBoarding training with regard to Cyber Security and Counter Social Engineering gave me an edge. Being that I had only been hired a month prior, I knew firsthand that the 10 minutes of cyber security training they offered us at onboarding was a joke: barely even touching on Social Engineering, Phishing, BYOD, or just basic OPSEC procedures for employees to follow. But what really bothered me was that at the time of my employment, HIPAA HITECH had been enacted. I know, because it’s what I spent my time doing: understanding the law and the regulatory guidelines for those with whom I contracted, or whom I advised.
So, yes, the bet definitely lay in my favor. I was ready to show this group that a “Test To Perform” (auditor speak) goes deeper than a control script written in a book... YOU HAVE TO FEEEEEEL the exploitation to protect against it. Exercise more than what a regulation states. You have to see it from the angle of exploitation. This is what real policies were made of: the exploitation of a control that was subpar, or proved not to be effective. Both to the insurance agencies that wrote the policy for you, and to your organization’s overall privacy grid.
I digress, back to the task at hand, having spent 15 minutes assessing valid entry points into the building with just my eyes, a clean shave, and my secret weapon at the time: my trusty pack of cigarettes. No lighter. No matches. Very important, as the best plays (if we are to use that term) are the ones that are believable. Not having a lighter makes you so much less of a liar when you are asking a subject for one at the smoking hole of a company like this. And why lie? (OK, don’t answer that.)
By the time I met this group, I had hightailed it down the dry grass opening to cut towards the building. My mind not quite racing, but more receiving. Smelling the grass, noticing it was freshly cut, scanning the parking lot for people I could “work” into the building, but nothing. Not allowing one moment of negativity in my mind. I KNEW there is always a way, because my WILL was larger than life itself.
Careful not to rush my pace or give away my entry, and to ensure that the approach to the building was not compromised by a “Top Flight Security,” I walked in the shadows of the other cars. Not in intentional direct lines, but in more deliberate, assured, confused-looking “W” patterns. Enough angle to give me a view of the building, but not enough to look overly suspicious. I mean, for Christ’s sake, I am black in the middle of Chesterhill, Kentucky. We all looked suspicious out here. (At least that’s the thing I put in my mind at the time to remind myself of the precarious nature of my existence there.)
Then, as if the Universe heard my call, I saw the Jackpot. A HUGE brown UPS truck was still unloading on the intake dock. It turned out to be a false award this time; I could see the sentry at the dock chopping it up with the delivery person. And I didn’t FEEL that play would work. Casually minding the cameras and the angles (both real ones and the ones that I THOUGHT would be there, or minding my angles as an ole pal would say), I had already started to doubt myself when I heard in the distance an oh-so-familiar Latin American Spanish accent.
“Aye, NO PA!!!”
With a familiar laugh, I knew this was it. As the younger generation says, “Game On.” It was not simply one of my senses that gave me the confidence that this was my way in. It rode on what I saw and smelled. Five relatively relaxed employees. And what I smelled was the very familiar smell of cigarette smoke. And guess what, I needed a light...
Then, all of a sudden, I checked my phone, sliding my finger over the volume button to illuminate the screen and help the setup.
“Hello? Oh, hey Mami. Todo tranquilo, mi vida,” I said to absolutely no one on the phone against my ear. “Sí, I know, I’m gonna do that after this meeting, but I have to go. I’ll talk later.” This nonsensical call went on fictitiously for 45 more seconds, but after the first 10, the mission was complete. I lost the interest of the woman on the smoke deck. And I gained an ally on the yard, so to speak.
My new friend stood behind me wearing black and white retro Jordans. His creased-to-the-side khakis were just a little too big for him on the professional side, and a little too tight for him on the “street” side. Displaying the obvious “I’m gonna pull this tucked-in shirt straight out of my pants that are barely holding on below my waist” look. Not judging. Never. See, he was my ticket. She, the rabbit. Her job was to laugh, be engaged, and cause him to get a little off his game with confidence. I would drop her. The attention, the assimilation, and all.
See, he and I had something much more in common than a Honduran bar and fabricated inebriated experiences. His white Timex; impeccable, unscuffed shoes; and that top row of gold teeth with a penchant to pronounce, with extreme elongation, all vowels that exited his mouth. See now, my dear reader, he was my ticket in. But neither he nor she knew that at the time. I turned to them both now in unison with disbelief. My girl had dropped me off a few moments back, and there was a wreck. She had called to make sure all was good, because I had left my badge in the car.
“Nooo Homie, you serious bro?”
“Yeah, my luck, the meeting starts in 5 minutes, and she’s about 15 min out,”... I need not say more about the rest of this story. I assure you that from that point on there was no ambiguity about my acumen. When the entire team, including the Physical Security Officer for that site, walked through the second mantrap, a keypad door, and saw me sipping half a cup of coffee, I could hear their jaws unhinging. (Yes, I only filled it up halfway to give the impression I’d been there a while.)
To this day, I will never forget how much drama that caused. Because, of course, there were other levels of exploits, delivered by the words of my mouth, which got another one of the Physical Security Reps to let me into the office. But we are going to omit that for this report. What we want to illuminate is the importance of training your staff on what and what not to allow into your building. Sweet spots live within any institution; you don’t have to trust me. Call ME, and we, @bits&digits, will show you where and how they are exploited.
But with that said, the only true method of fixing the social engineering vulnerability in your institution is continuous, realistic training, obviously multiple layers of Access Control, and complementing technical and administrative controls that further reduce the exploitation vector.
It’s been real, mashed potato smooth.
Trust, But Verify.
*Some of the names and identities contained in this report have been changed to protect the innocent. Other than that, know that just about every regulatory compliance guidance from HIPAA, SOX, and GLBA to PCI and GDPR requires Continuous Relevant Cyber Security Training.