EH-Net

A friend of mine got a question form a CISSP that :
A person enters an organization pretending to be an electrician and gets access to the Data Center and completes his work . In the whole procedure he does not talk to a single person .

What kind of Flaws are there in this case . He meant that is there Physical Security involved or not and is there Social Engg. involved or not .

My answer to the question was that only Physical Security is the problem , the person was not involved in Social Engg. because Social Engg. means that you interact with a human being , and in the case that person went straight to the data center , but my friend was saying that there is social engg. involved since he disguised himself . 


What you guys say ?

I'd call it both. If the attacker entered the building dressed as a maintenance worker and got into the data center unchallenged, that would be the social engineering bit. If they managed to do this without talking to or seeing anyone, this is a physical security issue, and it sounds like an unlikely one.

I think the example is a bit contrived though. Unless something unusual was going on in the building, or the person had a very short or concealed route into the data center, or it was in the middle of the night, etc... they would likely have run into someone. In this case, the prepared social engineering bits come into play.

COm_BOY,

I'm no SE expert by any stretch of the imagination, but; I'd agree with your friend that there was an element of SE involved. In some environments just 'looking like you belong' is enough to get the access you need. Whilst the 'electrician' in your example didn't speak to anyone when on site, I'd imagine that he may have been challenged more by the onsite staff if he just turned up as a civvy rather than appearing to be a sparky.

Be interested to hear some other thoughts on the scenario though...

RR

If the person disguised as an electrician entered the building without seeing anyone else then that would be Physical security only. If that person was seen by anyone, and most likely was, then it's a combination of social engineering and Physical security. The fact that no dialog was exchanged is irrelevant I think. If someone was manipulated into thinking they were an electrician, even by only seeing them, then this is Social Engineering.

Physical security was involved as they were able to walk in without a key, swipe card, signing in etc.
Social Engineering probably was involved as they simply walked in dressed as an electrician, making staff think they were legitimate.

Hope that helps.

Hmm, this is a tricky one in my opinion.
Clearly in this scenario there are physical security issues without a doubt, as it appears no controls existed to restrict or challenge access.

At the same time we dont have enough information to guage what happened, was a call placed to schedule an engineer visit, was the guy dressed like an electrical maintenance contractor to not arouse suspicion.

To me social engineering is manipulation of human nature and good will. The aim of the act is getting information or access granted that should not be made available to you.

I can kinda see why the fact the guy pretending to be a electrician may come across as being social engineering, but reading the scenario word for word, it doesnt seem to have any context or maniplulation.

So I would say, based on the information I have here, it was a purely physical and awareness issue.

According to US-CERT

By wearing the electrician outfit and acting like he knows what he is doing and where he is going I would contend that it was social engineering, but I can understand the counter argument since the was no explicit interaction.

BTW, what is the point of your discussion with your friend? Seems like the real issue is that the security systems in place failed.

OK, I have to chime in here. It is Social Engineering through and through. Let's break down the question from your friend (which forgive me for saying doesn't look like a verbatim quote  ;) ):


First of all, your use of the word "pretending" states everything one needs to know. The person was not a real electrician but was using it to fool humans.

Second is the issue of whether it is physical or not. Based on your quote, we don't have enough info. It only states the he, "gets access to the Data Center." He could have picked locks, tailgated, broken down the door, utilized his uniform or any number of other methods, but we simply don't know unless there is more you are leaving out.

Now onto your response:


Just because he did not talk to someone doesn't mean he didn't interact. I'm sure someone saw him as the point seems to be that he didn't have to talk becasue of the uniform. That is interaction. Someone saw him, assumed he was ok, access was attained. Eye contact, body languagem facial expressions... all forms on interaction without using words at all.

If this is someone who is not yet a CISSP and is prepping for the exam, the answer will be SE all the way. If truly already a CISSP (as you state below), I'd be interested in the reason for the question and what expertise your friend may have to make the CISSP go to him. Just curious.

My $.02.

Don