Social Engineering Blogs (http://www.socialengineeringblogs.com): An Aggregator for Blogs About Social Engineering and Related Fields

Physical Security: What You Aren’t Thinking About
http://www.socialengineeringblogs.com/physical-security-what-you-arent-thinking-about/?pk_campaign=rss_feed&pk_kwd=physical-security-what-you-arent-thinking-about
Mon, 09 Nov 2015 17:04:00 +0000

Often it’s the little security issues we overlook that hurt us the most.

By: Brand Barney

Security cameras? Check. Guards? Check. Locked doors? Check. Privacy monitors? Umm . . .

When it comes to data security, many health organizations don’t always worry as much about the physical aspect. While many foundational security issues may have been addressed, organizations are likely to have overlooked details such as:

  • Unlocked office doors during the day
  • Window blinds
  • Reception desks
  • Lack of screensavers and privacy monitors
  • Theft of devices/hardware
  • Malware in left-behind devices

People may think physical security only applies after hours. However, most data thefts occur in the middle of the day, when the staff is too busy with various assignments to look at the person walking out of the office with a server, company laptop, phone, etc.

Organizations may also think data thefts are large events that take months of planning, looking like something from those heist movies. (Ocean’s Eleven, anyone?) However, most data thieves use simpler plans.

The majority of physical data thefts take only minutes to plan and execute.

Malicious entities (hackers) strike quickly, take what data they can and leave with little to no trace. In this case, data thieves take advantage of the lack of physical security in healthcare organizations. Here are some issues that your organization may not have considered.

Taking devices

The main problem offices have with devices is that a nurse and a client may use the same type of mobile device, such as an iPad. A thief could walk in, take an iPad off the reception desk when no one was looking, and walk out, all within five minutes.

Would you stop someone if they were walking out of your office with an iPad? Probably not, because you would assume it was theirs. But within a few minutes, that hacker has access to the network and whatever data or PHI is on that iPad.

This type of theft can and does happen, and sadly it’s not limited to your office, hospital, etc. Many workforce members work long hours and take devices with PHI on them home, stopping at a grocery store or a child’s school on the way home from work. Theft is quite likely if a device is left alone and unsecured in or out of the workplace, and that breach can cause quite a bit of heartburn.

See also: Balancing Mobile Convenience and PHI Security

Leaving devices

You don’t often think of thieves leaving something behind, but for hackers, an easy way to further the data heist is to leave behind malware.

Here’s an example: A receptionist at a large hospital notices a flash drive was left on the desk. It’s labeled “HR,” so the receptionist decides to just drop it off at the Human Resources Department. The person in HR takes it and plugs it into a computer without a second thought. But that flash drive was full of malware and now the hospital’s system is infected and likely losing data.

Be suspicious of any unfamiliar hardware or device that randomly appears.

Windows and peeping eyes

Often a thief doesn’t have to enter an office to steal information. They can look through a window and see information on the computer screens of workers. This can be remedied simply by putting up blinds in offices that have sensitive information.

Reception desks reveal more than you think

Reception desks are filled with tidbits of information and loose PHI that cause data thieves to grin. Things like passwords written on sticky notes, computers without privacy monitors, and patient records lying out in the open are all fair game for social engineers.

Reception desks also get the most traffic, which is why they are typically the first target. Social engineers can steal a lot of information without being noticed. It’s critical to the safety of your patients’ data that your receptionists are properly trained to handle social engineers and aware of everything that’s going on.

See also: Healthcare Reception Desks: Breeding Ground for HIPAA Compromise

Check-in and check-out

Keeping track of clients coming in and out may seem insignificant, but it can help discourage thieves and provide information should your data get stolen.

Having check-ins helps your staff to acknowledge and remember the clients that come in, making it harder for social engineers to slip in and out unnoticed. Make sure all clients/vendors that come into the building sign in and out when entering secure zones (like a data center, or networking areas/server areas), and always assess who really needs access to those very sensitive areas.

Unlocked doors: a social engineer’s paradise

Social engineers love an entity that doesn’t pay as much attention to physical security. It makes their jobs that much easier, and if you aren’t paying attention to these areas, what else might that attacker poke around at? A social engineer can go into a hospital, walk into an unlocked office, sit down at an unlocked computer, steal PHI, and then leave, all within ten minutes.

But if the office door is locked, then the social engineer usually won’t bother.

Hackers and thieves are often lazy. Why go to a lot of trouble to get past a locked door if there’s an unlocked one down the hall? By locking office doors and computers, you deter many data thieves (what’s crazy is this very basic concept translates to all areas of security).

Fighting back: it’s surprisingly easy

Most of these risks can be prevented with little effort. Here are some suggestions:

  • In risk analysis, look for physical security risks
  • Lock all office doors when not in use day and night
  • Require passwords to access computers and mobile devices (encrypt your data or don’t have data on devices)
  • Use screensavers and privacy monitors on computers
  • Install and use blinds in all office windows
  • Keep logs of who goes in and out
  • Keep track of devices that go in and out
  • Have policies in place for stolen equipment (Make sure to have a good Incident Response Plan and know your Breach Notification Policy front and back.)
  • Train staff against social engineering
  • Limit access to PHI through role-based access
  • Have staff report suspicious people and devices
  • Make sure all reception desks protect PHI from prying eyes
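
Two of the suggestions above, keeping logs of who goes in and out and keeping track of devices that go in and out, only pay off if someone actually reconciles the log. The script below is an added example, not code from the article or from SecurityMetrics. It reads a constructed sign-in/sign-out log (the comma-separated format, the zone names and the sample rows are all assumptions made for this demonstration) and reports three things a receptionist or security officer would want to see at the end of the day: visitors still signed into a zone and devices not yet returned, visitors who entered a secure zone with no escort recorded, and sign-outs that have no matching sign-in (the kind of gap that makes a log useless after an incident).

```python
"""Reconcile a sign-in/sign-out log for visitors and portable devices.

Added example; not code from the article or from SecurityMetrics.  The log
format (ISO timestamp, event, kind, id, zone, escort), the zone names and the
sample rows below are assumptions made for this demonstration.
"""
from dataclasses import dataclass
from datetime import datetime

# Areas the article calls "secure zones" (data center, server/networking
# areas).  The exact zone names are assumed.
SECURE_ZONES = {"server-room", "data-center"}

# Constructed sample log: one day at a clinic front desk.
SAMPLE_LOG = """\
# when, event, kind, id, zone, escort
2015-11-09T08:55, IN,  visitor, V-1042, lobby,
2015-11-09T09:10, IN,  visitor, V-1042, server-room, S-17
2015-11-09T09:40, OUT, visitor, V-1042, server-room, S-17
2015-11-09T09:42, OUT, visitor, V-1042, lobby,
2015-11-09T10:05, IN,  visitor, V-1077, lobby,
2015-11-09T10:20, IN,  visitor, V-1077, data-center,
2015-11-09T11:00, OUT, device,  IPAD-23, lobby, S-04
2015-11-09T13:30, OUT, visitor, V-1099, lobby,
"""


@dataclass
class Entry:
    when: datetime
    event: str    # "IN" or "OUT"
    kind: str     # "visitor" or "device"
    ident: str    # visitor badge number or device asset tag
    zone: str
    escort: str   # staff badge of the escort/custodian, "" if none recorded


def parse_log(text):
    """Parse the constructed log format into Entry objects, oldest first."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 6:
            raise ValueError(f"malformed log line: {line!r}")
        when, event, kind, ident, zone, escort = fields
        entries.append(Entry(datetime.fromisoformat(when), event.upper(),
                             kind.lower(), ident, zone, escort))
    return sorted(entries, key=lambda e: e.when)


def _opening_event(kind):
    # A visitor's open record starts with IN (they are still inside);
    # a device's open record starts with OUT (it has not come back yet).
    return "IN" if kind == "visitor" else "OUT"


def still_open(entries, as_of):
    """Records with no closing event: visitors still inside a zone and devices
    not yet returned.  Returns (kind, id, zone, minutes_open) tuples."""
    open_records = {}
    for e in entries:
        key = (e.kind, e.ident, e.zone)
        if e.event == _opening_event(e.kind):
            open_records[key] = e
        else:
            open_records.pop(key, None)
    return [(k[0], k[1], k[2], int((as_of - e.when).total_seconds() // 60))
            for k, e in open_records.items()]


def unescorted_secure_entries(entries):
    """Visitors who entered a secure zone with no escort recorded."""
    return [(e.ident, e.zone) for e in entries
            if e.kind == "visitor" and e.event == "IN"
            and e.zone in SECURE_ZONES and not e.escort]


def closes_without_open(entries):
    """Closing events that were never opened, e.g. a visitor signed out who
    never signed in.  Returns (kind, id, zone) tuples."""
    open_keys, gaps = set(), []
    for e in entries:
        key = (e.kind, e.ident, e.zone)
        if e.event == _opening_event(e.kind):
            open_keys.add(key)
        elif key in open_keys:
            open_keys.discard(key)
        else:
            gaps.append(key)
    return gaps


def reconcile(text, as_of_iso):
    """Run all three checks over a log as of the given ISO timestamp."""
    entries = parse_log(text)
    as_of = datetime.fromisoformat(as_of_iso)
    return {
        "still_open": still_open(entries, as_of),
        "unescorted_secure": unescorted_secure_entries(entries),
        "closes_without_open": closes_without_open(entries),
    }


if __name__ == "__main__":
    for finding, rows in reconcile(SAMPLE_LOG, "2015-11-09T18:00").items():
        print(finding)
        for row in rows:
            print("  ", row)
```

Run as of 18:00 on the sample day, the report shows V-1077 still signed into the lobby and the data center (and the data-center entry had no escort), IPAD-23 signed out by S-04 at 11:00 and never returned, and a sign-out for V-1099 with no sign-in. Each of those is a question the front desk should be able to answer before the building closes, which is the point of keeping the log in the first place.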

See also: Common HIPAA Violations: HIPAA Quiz/HIPAA Test

Most social engineering and data thefts can be prevented by following these simple practices. If your organization is taking into account the smaller issues, a social engineer, or a thief will be less likely to bother you because it’s not worth the effort.

It’s the greatest benefit from the littlest effort.

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.

Read the SecurityMetrics HIPAA Security Rule Report

The post Physical Security: What You Aren’t Thinking About appeared first on Social Engineering Blogs.

A Totally Awesome DIY Security Project – Raspberry Pi Face Recognition Treasure Box
http://www.socialengineeringblogs.com/a-totally-awesome-diy-security-project-raspberry-pi-face-recognition-treasure-box/?pk_campaign=rss_feed&pk_kwd=a-totally-awesome-diy-security-project-raspberry-pi-face-recognition-treasure-box
Wed, 19 Mar 2014 18:32:00 +0000
As you know, I’m currently working on a few DIY security projects to share with you guys. My favorite place to go for inspiration has been Make. These folks do some seriously awesome DIY projects. Most of them beginner to intermediate-level DIYers can do themselves. While perusing their site, I found this gem: Raspberry Pi Face Recognition Treasure Box – MAKE

The post A Totally Awesome DIY Security Project – Raspberry Pi Face Recognition Treasure Box appeared first on Social Engineering Blogs.

If I Had To Design A Parking Lot, This Is How I’d Do It
http://www.socialengineeringblogs.com/if-i-had-to-design-a-parking-lot-this-is-how-id-do-it/?pk_campaign=rss_feed&pk_kwd=if-i-had-to-design-a-parking-lot-this-is-how-id-do-it
Tue, 18 Mar 2014 17:11:00 +0000

The other day, I noticed in a discussion group someone asked about designing a parking lot access control system. This got me to thinking about why security officials are often tasked with designing and deploying these systems and why they are flawed many times. Here's the response I gave.

There is no technological answer for this. This would be dependent upon METT-TC (Mission, Enemy, Terrain, Troops—Time, Civilians). The best parking plans I've seen first started by looking at the mission of the facility.

  • This immediately beckons you to ask if any of the vehicles parked are or will at some point need to be mission critical. In other words, if this is a hospital, would it be prudent to have access control measures which take into account emergency vehicles? Will you have sufficient room in the lot to accommodate them and an emergency egress? I would also determine who NEEDED to be able to park in this lot. Not everyone needs to park in your lot though they may want to. This should create a decent entry authorization list wherein you can identify who will need an expedient, yet effective means of gaining access. How critical is the facility? Tech is great but sometimes having a guy at the gate is more prudent, with respect to handling visitors, LEOs/first responders without access control tags, etc.
  • It is also really helpful to not interfere with the mission of your facility, when designing your access control system whether for the parking lot or anywhere else. Seriously. I can't overstate this enough. DO NOT make your system so cumbersome or strict that it impedes on the mission of those who do the work that pays you and your personnel. I have seen parking plans so restrictive that mission-essential personnel have been denied access to their facilities for things such as day-old expired vehicle tags and hours-old expired vehicle passes. Make sure your plan is flexible enough to accommodate those who need access right away but need to get their credentials in order.
  • Be wary of making it susceptible to social engineering, though. I find the best way to mitigate this is through codification of your policies with exceptions allowed to accommodate those whose credentials may be lacking but can be verified. NEVER allow anyone access without verification. Ensure your access control system has authenticators, whether it be electronic or solely paper-based. However, ensure your authenticators are never discussed with anyone. I'd suggest making this a definitive terminable offense. 
  • I'd also consider your threat profile. Who has an interest, as a nefarious actor, to gain entry to this lot or through this lot to your facility? How can you mitigate this, bearing in mind how they could obtain entry feasibly? Seriously. Don't plan on ninjas and SOF to make entry if that's not your threat. Plan physical measures with this in mind.
  • What's the size of your lot? Has your lot grown to an extent where it requires fencing? If it does, how often do your security officers check that fence? No sense in having a fence if you're not checking it. Remember fences are a demarcation AND a detection piece of your plan. Also determine if your lot is situated with any physical obstructions wherein you can't observe who may have circumvented your parking plan. Consider CCTV or even a roving patrol to help if needed. Also, I find that if you use stickers, a few things tend to happen. One, people tend to park illegally and need to be towed. This takes up precious time and resources. And it could create confusion depending on how "creative" your sticker plan is. If you use stickers, keep it simple and wheel lock. Give each of your patrolmen a wheel lock and authority to deploy on cars illegally parked in select spots. Also address parking violations on a stakeholder basis as well. Talk to them about the potential loss in revenue should responders be delayed because of illegal parking in their reserved spots. Also describe what you're trying to accomplish and how a sound parking plan can be a force multiplier (Boss, if our plan works, I can reduce the number of patrols and increase security efficiency and efficacy by x-amount).
  • Start thinking about how you want to accommodate vehicles in terms of their egress and entry. How long should it take them to leave and get in? Are there any chokepoints in the plan that can cause congestion and make for additional security heartaches?
  • Finally, consider the impact your plan could have on civilian or non-business related entities such as neighbors. Will you have to consider parking off campus? Will your plan cause congestion that impacts them? Will your plan address neighbors and their parking plans? Will your plan have a demarcation for neighbors to know where your property extends?

The post If I Had To Design A Parking Lot, This Is How I’d Do It appeared first on Social Engineering Blogs.

Tactical Walls: Covert Arms Storage
http://www.socialengineeringblogs.com/tactical-walls-covert-arms-storage/?pk_campaign=rss_feed&pk_kwd=tactical-walls-covert-arms-storage
Mon, 24 Feb 2014 15:58:00 +0000

The post Tactical Walls: Covert Arms Storage appeared first on Social Engineering Blogs.

INFOGRAPHIC: Characteristics of a Burglar
http://www.socialengineeringblogs.com/infographic-charateristics-of-a-burglar/?pk_campaign=rss_feed&pk_kwd=infographic-charateristics-of-a-burglar
Mon, 24 Feb 2014 02:56:00 +0000

The post INFOGRAPHIC: Characteristics of a Burglar appeared first on Social Engineering Blogs.

Black Hat USA 2013 – Let’s Get Physical: Breaking Home Security Systems & Bypassing Controls
http://www.socialengineeringblogs.com/black-hat-usa-2013-lets-get-physical-breaking-home-security-systems-bypassing-controls/?pk_campaign=rss_feed&pk_kwd=black-hat-usa-2013-lets-get-physical-breaking-home-security-systems-bypassing-controls
Fri, 21 Feb 2014 19:42:00 +0000

The post Black Hat USA 2013 – Let’s Get Physical: Breaking Home Security Systems & Bypassing Controls appeared first on Social Engineering Blogs.

Kenya Mall Shooting – Why It Went All Wrong & What We Can Do To Be Better
http://www.socialengineeringblogs.com/kenya-mall-shooting-why-it-went-all-wrong-what-we-can-do-to-be-better/?pk_campaign=rss_feed&pk_kwd=kenya-mall-shooting-why-it-went-all-wrong-what-we-can-do-to-be-better
Wed, 11 Dec 2013 15:33:00 +0000

Yesterday, the New York City Police Department released a report from its SHIELD initiative about the Kenya mall shooting/terrorist attack. It was a pretty damning report to say the least. Before we talk about the report, let's talk about what SHIELD is and why that's important to understand in the context of this report. SHIELD is the NYPD's homegrown information-sharing component with private sector security. It provides analysis on current and future threats. I've previously read some of SHIELD's reports. Some were good and some were typical of fusion center reports - some meat and some potatoes but not a full meal. This report was driven, in part, to go over what NYPD and private security could learn about what happened in Nairobi. There was plenty.

There were some startling revelations:

  1. Kenyan police were VASTLY outgunned. The report states, "The typical Uniformed Kenyan Police Officer is not as well equipped as their western counterparts, typically only carrying a long gun, most commonly an AK-47 style rifle with a folding stock, loaded with a single 30 round magazine. They do not carry handguns, wear body armor, gun belts or have portable radios to communicate." Each of the terrorists was carrying 250 rounds of 7.62 mm ammunition. Lack of body armor and radios to communicate resulted in fratricide. More on that later.
  2. Responding plainclothes officers were also outgunned and had no visible identification. Remember what I said about fratricide? From the report: "Very few of any of the plainclothes law enforcement first responders displayed any visible law enforcement identification such as a badge, arm band, ID card or a raid jacket, making identification as “friend or foe” extremely difficult for other armed first responders."
  3. Realizing the police were outgunned, Kenya made the incident response a military matter. That's as bad as it sounds. The report says, "Kenyan government officials decide to transfer the handling of this incident from the police to the military. A squad of Kenya Defense Forces KDF soldiers enters the mall and shortly afterwards, in a case of mistaken identity, the troops fired on the GSU-RC Tactical Team. They kill one police officer and wound the tactical team commander. In the ensuing confusion both the police and military personnel pull out of the mall to tend to the casualties and re-group."
  4. Responding military forces used an RPG-7 as a room clearing tool. I kid you not. And the destruction was insane. "It is reported that at some point during the day the Kenya Defense Forces decided to fire a high explosive anti-tank rocket (possibly a RPG-7 or an 84mm Recoilless Rifle) as part of their operation to neutralize the terrorists in the Nakumatt Super Market. The end result of this operation was a large fire and the partial collapse of the rear rooftop parking lot and two floors within the Nakumatt Super Market into the basement parking."
  5. It is possible the terrorists escaped in part because the Kenyan security forces failed to secure a perimeter. Locking down the perimeter is elementary; it is the very first thing Western police do in these scenarios. No one comes in or out unless they can be positively identified as a "friendly". This credentialing is done by checking IDs, and only law enforcement and first responders who have been verified are admitted or allowed to exit.
  6. The mall employed unarmed officers who performed unsatisfactory "wand searches". This is irritating to say the least. Why? Unarmed officers are appropriate for certain environments and are the way to go in most environments. However, in high value targets, such as mass gathering locations in places like Kenya, I would have used an armed component. Armed officers are not only armed but can be equipped with radios and are usually uniformed. This makes identifying them for law enforcement somewhat easier. Also, armed officers can do things unarmed officers can't due to safety concerns such as locking down perimeters and evacuating victims.
  7. Wand searches are weak. I dislike them with a passion. Why? Officers get tricked into believing a search was "good" because the wand didn't annunciate. This is all kinds of bad. A search should be thorough in high value targets. If you're going to employ officers and have them search, have them be thorough and do it without a wand. I would use the wand only in environments where I had other search mitigators in place such as backscatters or X-ray search devices.

So what does this attack teach us in the West?
  1. The desire of terrorist groups to attack mass gathering locations is still very alive.
  2. Places like malls should consider Kenya to be a warning. If you're in mall security, I highly suggest going over your active shooter plan and rehearsing it on a fairly regular basis with local police departments and simulated shooters. In these exercises, test not just your ability to minimize casualties but also your security apparatus under stress. This is best accomplished by "killing" responders, taking hostages, attempting escape, and causing confusion among responders. Get your people used to chaos in these scenarios.
  3. Never do wand searches at high value targets, and test your people regularly. I've gone over why I think wand searches are bad. So let's examine why you should test and train your searchers regularly. Searching is one of the most important yet often neglected security components. We usually pick rookies and the "lowest common denominator" to do this function because it's "easy". Doing good and thorough searches that you can go to sleep easy with at night is not easy. Searchers should be trained on subject "tells", the physical characteristics of forbidden items by touch, sound, smell, and sight, the tools they can use to do searches better, etc. They should also be regularly "red-teamed", which is to say you should have a non-attributable person walk through security and see what they can get through. When they're done, they should report their findings to management.

    Here's a video I did on how I would search bags:

  4. CCTV and analytics are EXTREMELY important in an active shooter scenario. There are several takeaways from what we learned about CCTV and the lack of analytics in Nairobi. First, CCTV coverage was spotty in some areas. Also, the CCTV coverage was easily identified and avoided by the terrorists. We also know that while they had remote viewing capability, it was five miles away and more than likely not cross-fed into the police. While a CCTV monitor can't identify every threat, video analytics can alert them to suspicious activity. At the very least, consider it an option.
  5. Garages and parking lots should be regularly patrolled. While there was a guard posted at the entrance of the garage, had a response element been closer by, they could have locked the exterior doors to the mall.
  6. Train your employees on how to sound the alarm and IMMEDIATELY lock down their storefronts and secure customers. I would consider including them as a part of your active shooter training as well. Make that mandatory training for all storefront management and their trusted employees. I would include it in a leasing agreement if I had to.
  7. Have a HIGHLY accessible public address system to sound the alarm.
  8. Train local non-law enforcement responders on the need to "shoot, move, and communicate". Seriously, I can't stress this enough. There is a huge debate in the US surrounding concealed carry permit holders as responders. I'm okay with them responding, though I prefer they receive some training on the need to identify themselves to law enforcement prior to responding via a phone call if time and circumstance permit.
  9. Equip every security person and law enforcement officer with a radio. If you want to avoid wasting your time clearing rooms that have already been cleared or fratricide, then you HAVE TO equip your responders with radios and share your frequencies with them.
  10. Train your personnel on reporting formats like SALUTE. We've covered this before so I won't bore you with the details.
  11. Train your security management personnel on casualty collection points, IED mitigation, cordons, perimeter searches, and periodic vulnerability assessments. These things can't be overstated in training. Trust me. You'll thank me for this later.

The post Kenya Mall Shooting – Why It Went All Wrong & What We Can Do To Be Better appeared first on Social Engineering Blogs.

Dark Triad Recap #2 http://www.socialengineeringblogs.com/dark-triad-recap-2/?pk_campaign=rss_feed&pk_kwd=dark-triad-recap-2 Fri, 21 Jun 2013 04:57:03 +0000 http://practicalpersuasion.wordpress.com/?p=460

The post Dark Triad Recap #2 appeared first on Social Engineering Blogs.

We’ve covered a lot of new ground since we created our Dark Triad Summary page last month.  As our research continues to progress, we’ll update this page periodically to help you stay up to speed.  As always, feel free to contact us with questions, or drop a comment on a past or future Dark Triad post if you have any tips or insights you’d like to share.

Here’s the latest version of the Dark Triad Summary page:

What Is The Dark Triad?

The Dark Triad is a term used by social psychologists that refers to three inter-related personalities: sub-clinical narcissism, sub-clinical psychopathy, and Machiavellianism.  The connections between these traits were first documented in 2002 by psychologist Delroy L. Paulhus.

How Are The Dark Triad Personalities Measured?

The most common tool for measuring sub-clinical narcissism is the Narcissistic Personality Inventory, or NPI.  It usually contains 40 items, although the Corry version uses only 23.  Psychologists still debate the validity of this tool.  The most common tool for measuring sub-clinical psychopathy is the Psychopathic Personality Inventory Revised, or PPI-R.

In 2010, personality researcher and Dark Triad specialist Peter K. Jonason published a consolidated tool for measuring Dark Triad traits called The Dirty Dozen.  The tool contains 12 of the most reliable and representative items pulled from the NPI, PPI-R, and MACH-IV (Machiavellianism) tools.

Narcissism

1.  I tend to want others to admire me.

2.  I tend to want others to pay attention to me.

3.  I tend to expect special favors from others.

4.  I tend to seek prestige or status.

Psychopathy

5.  I tend to lack remorse.

6.  I tend to be callous or insensitive.

7.  I tend to not be too concerned with morality or the morality of my actions.

8.  I tend to be cynical.

Machiavellianism

9.  I have used deceit or lied to get my way.

10.  I tend to manipulate others to get my way.

11.  I have used flattery to get my way.

12.  I tend to exploit others towards my own end.

How Does The Dark Triad Relate To The Big Five Personality Traits?

The Big Five personality traits are Extraversion, Agreeableness, Conscientiousness, Neuroticism, and Openness:

Extraversion: This trait includes characteristics such as excitability, sociability, talkativeness, assertiveness and high amounts of emotional expressiveness.
Agreeableness: This personality dimension includes attributes such as trust, altruism, kindness, affection, and other pro-social behaviors.
Conscientiousness: Common features of this dimension include high levels of thoughtfulness, with good impulse control and goal-directed behaviors.
Neuroticism: Individuals high in this trait tend to experience emotional instability, anxiety, moodiness, irritability, and sadness.
Openness: This trait features characteristics such as imagination and insight, and those high in this trait also tend to have a broad range of interests.

All three personalities are associated with disagreeableness (low agreeableness).  Narcissism and psychopathy both share an association with high extraversion.  Research suggests that narcissists can be neurotic; psychopaths generally are not.

How Are Dark Triad Traits Exhibited?

Personalities exhibit themselves through various factors.  Our simplified narcissism factor model has two factors, borrowing from the Corry Two-Factor Model:

Status-Seeking (Trying to assume power or control over others through leadership or expertise)

Overconfidence (Believing others are more interested in oneself than in other things)

Our simplified psychopathy factor model has three factors, borrowing from the PPI-R Three-Factor Model:

Recklessness (Disregarding consequences of one’s actions to oneself or to others; lack of planning/goal-setting)
Nonchalance (Disdaining potential danger/embarrassment; inability to feel stress)
Coldheartedness (Lacking remorse when one’s actions negatively affect others)

The Big Question – What, if anything, enables Dark Triad males to sleep with more women, more often, with less romantic commitment?

There are at least three possibilities:

1. Dark Triad males may employ unique social strategies that effectively enlarge their pool of potential successes.

One online survey showed Dark Triad males have lower mate-selection standards for traits like creativity, kindness, and liveliness, and characteristics like physical attractiveness and social status.  If that is true, then these men are simply lowering their standards and increasing their options, not attracting more women.  However, another study’s findings suggest that narcissists do not lower their standards when choosing which women to target.  Although the men in this study were paid to approach women, they weren’t incentivized to approach women indiscriminately.  In other words, more approaches did not increase their individual payouts.  They were motivated purely by personal preference.  In our opinion, the second study’s findings are stronger.
In Positive Psychopathy, we examined 7 different psychopathic traits featured in Kevin Dutton’s book, The Wisdom of Psychopaths.  Four traits – focus, mental toughness, fearlessness, mindfulness, and action – are traits that strategically help psychopaths in social situations, including dating and seduction:

Focus – The ability to mute distractions in extremely hectic environments.  Focus is obviously a useful trait in any situation.  By quickly seeing, processing, and remembering tiny details most people miss, psychopaths with this trait excel where others fall behind.
Mental Toughness – The ability to remain unfazed in high pressure situations.  A psychopath with a high level of mental toughness does not respond negatively to criticism or rejection; he simply continues on until he succeeds.  Only a psychopath absorbs stress this easily.  For the rest of us, high rates of failure are inefficient and emotionally taxing.
Fearlessness – The ability to approach high-risk situations without apprehension or inhibited faculties.  It allows the psychopath to try things that other people don’t attempt.  These endeavors have fewer competitors, and succeeding at them is easier for the psychopath as a result.
Mindfulness – An intense, Zen-like state of attention for a current task.  Very similar to focus, mindfulness enables the psychopath to ignore not only present distractions, but also future worries and consequences.
Action – The companion trait to fearlessness.  Action allows psychopaths to constructively channel their natural disdain for risk and embarrassment; they proceed with a task that’s likely to fail even if they know it probably will.  Because psychopaths attempt high-risk endeavors more often than most people, they can claim more individual successes.  From a distance, it seems as if they succeed at them more often than they actually do.

2. Dark Triad males may possess personality traits that are intrinsically attractive.

In Zeroing in on Narcissism, the researchers isolated boldness as a mediator of narcissistic attractiveness.  They did not, however, test which common narcissistic behaviors best demonstrate boldness (besides simply walking up to girls and blatantly asking for contact information).  We plan on using Vangelisti’s list of narcissistic conversational tactics to help us determine what some of these behaviors could be.
Charm, one of Kevin Dutton’s seven positive psychopathic traits, is the exception to the other six; the rest are strategically useful because they statistically increase success rates for psychopaths in social situations. Charm, however, is intrinsically attractive; it almost always succeeds.  Whether or not it can be learned or mimicked is an open question.

3. Dark Triad males may appear more physically attractive than the average male.

“Zeroing in on Narcissism” also isolated physical attractiveness as a mediator of narcissistic attractiveness.  Cleanliness and neatness of dress were two characteristics common to narcissists in the Back Zero-Acquaintance study, but the researchers didn’t control for physical attractiveness.  Given the results of these two studies, it seems that narcissists put more effort into their physical fitness and aesthetic appearance than the average person.  This isn’t surprising, but it is important.
Decades of research suggest that attractive people are afforded more benefits than unattractive people.  If the Dark Triad male is in fact better-looking than the average male, his successes in and out of the dating world could simply be the result of a kind of stereotyping called behavioral confirmation.
