Dressed like your typical IT professional, I walked the hallways of the hospital carrying a laptop, looking for a target. I found a maintenance technician repairing a section of the floor and approached him, saying, “Hi there, I’m Mike from IT, and I’m trying to fix the network. I left my badge downstairs, and I really don’t want to walk back there. Is there any chance you could let me into this network closet?” I nodded my head at the marked door next to us and gave him the weariest look I could muster.
“Sure, buddy, no problem,” he replied. He stood up, walked over to the door and swiped his ID card, letting me into the network closet. Once I was in, I quickly attached a small device to the network switch that opened a reverse connection, giving my entire team remote access to the hospital’s internal network. From there, I exploited common vulnerabilities, such as weak passwords, to move laterally across the network. Using credential theft techniques, I was able to elevate our access to gain complete administrative control over the environment. After just a couple of hours, the game was over. I had won again.
Now, let me explain myself. I’m not a criminal — I’m a penetration tester with CDW’s Amplified™ Security Services team, and organizations around the country hire me to perform tests just like this one. I work to help business and technology leaders understand the risks facing their organizations and develop strategies to better secure their networks, systems and people from attack.
A Common Vulnerability
It was no coincidence that I chose a busy maintenance technician for my attack. I knew that he had his hands full and would be anxious to get rid of me and get back to work. I also knew that it was very likely his badge would open any door in the building. He thought he was helping out a colleague when, in reality, he opened his hospital to what could have been a devastating cyberattack.
Later that week, hospital leaders were interested to know how I was able to obtain network access. I explained the actions I performed and provided them with CDW’s recommendations to better secure the hospital against similar social engineering attacks in the future. We talked about educating all employees about social engineering and empowering them to question anyone suspicious whom they encounter, as well as understanding policies and procedures in the event of such incidents. We also discussed restricting access to sensitive facilities and performing better monitoring. The hospital’s leaders were shocked at how easily I had gained access, and they quickly moved to implement our recommendations.
This situation isn’t at all unique. I’ve used the same pair of khakis to gain access to businesses across industries: water treatment plants, meat packing factories and even restricted government agencies. No matter what your line of business, chances are that the helpfulness of your employees can leave you vulnerable to attack.
I strongly encourage every organization to conduct regular penetration tests and security assessments to examine their technical and physical security controls. Using the services of a team like mine can help you gain an external perspective on your risks and develop a plan to better defend yourself against a real attacker.