A friend of mine got a question form a CISSP that :
A person enters an organization pretending to be an electrician and gets access to the Data Center and completes his work . In the whole procedure he does not talk to a single person .

What kind of Flaws are there in this case . He meant that is there Physical Security involved or not and is there Social Engg. involved or not .

My answer to the question was that only Physical Security is the problem , the person was not involved in Social Engg. because Social Engg. means that you interact with a human being , and in the case that person went straight to the data center , but my friend was saying that there is social engg. involved since he disguised himself . 


What you guys say ?

COm_BOY,

I'm no SE expert by any stretch of the imagination, but; I'd agree with your friend that there was an element of SE involved. In some environments just 'looking like you belong' is enough to get the access you need. Whilst the 'electrician' in your example didn't speak to anyone when on site, I'd imagine that he may have been challenged more by the onsite staff if he just turned up as a civvy rather than appearing to be a sparky.

Be interested to hear some other thoughts on the scenario though...

RR

Hmm, this is a tricky one in my opinion.
Clearly in this scenario there are physical security issues without a doubt, as it appears no controls existed to restrict or challenge access.

At the same time we dont have enough information to guage what happened, was a call placed to schedule an engineer visit, was the guy dressed like an electrical maintenance contractor to not arouse suspicion.

To me social engineering is manipulation of human nature and good will. The aim of the act is getting information or access granted that should not be made available to you.

I can kinda see why the fact the guy pretending to be a electrician may come across as being social engineering, but reading the scenario word for word, it doesnt seem to have any context or maniplulation.

So I would say, based on the information I have here, it was a purely physical and awareness issue.

OK, I have to chime in here. It is Social Engineering through and through. Let's break down the question from your friend (which forgive me for saying doesn't look like a verbatim quote  ):


First of all, your use of the word "pretending" states everything one needs to know. The person was not a real electrician but was using it to fool humans.

Second is the issue of whether it is physical or not. Based on your quote, we don't have enough info. It only states the he, "gets access to the Data Center." He could have picked locks, tailgated, broken down the door, utilized his uniform or any number of other methods, but we simply don't know unless there is more you are leaving out.

Now onto your response:


Just because he did not talk to someone doesn't mean he didn't interact. I'm sure someone saw him as the point seems to be that he didn't have to talk becasue of the uniform. That is interaction. Someone saw him, assumed he was ok, access was attained. Eye contact, body languagem facial expressions... all forms on interaction without using words at all.

If this is someone who is not yet a CISSP and is prepping for the exam, the answer will be SE all the way. If truly already a CISSP (as you state below), I'd be interested in the reason for the question and what expertise your friend may have to make the CISSP go to him. Just curious.

My $.02.

Don