A large multinational company was about to undergo a full security audit, and the CIO didn't want any surprises. He was looking for advance warning of any problems that might be discovered in the formal audit so he could be ready with a remediation plan.
The company, which employs more than 10,000 people, is responsible for critical elements of physical infrastructures around the world and is regularly targeted by a wide variety of bad guys, including terrorists and foreign governments. The CIO believed the company had some problems with physical security and end-user systems but thought he had the servers and network locked down.
To get a true picture of the company's overall security, the CIO hired my team to do a preassessment without informing the majority of employees. For political reasons, he had to let several people know the test would be performed. And just to make my job more of a challenge, the director of the network operations center vowed my team wouldn't break into his systems or facilities.
Most of the company's assessment funds had been allocated to the formal audit, so the preassessment budget was tight. We had an advantage in that I'd been at the facility before for an unrelated reason, so I knew the makeup of the main facility and some of its physical weaknesses, which would save us a day or so of reconnaissance.
We typically begin an espionage simulation by gathering intelligence on the company's physical, technical, and operational infrastructures, and on its personnel. Our search revealed a variety of information about the contracts the company was pursuing, as well as details on its facilities. Most troubling, we found maps of some facilities in high-risk areas, which could help malicious parties target the company and its people. We also found a corporate phone directory intended for internal use. This would have immense value for the social-engineering attacks we were planning.
We uncovered information about the company's generic technical architecture by looking at trade Web sites and postings the company's IT staff had made to newsgroups. We knew the company had a Windows infrastructure with Sun Microsystems computers handling most of the server duties. Knowing the hardware and software let us predict technical vulnerabilities and helped us prepare to target the systems, both internally and externally.
We also found a variety of corporate domains to target. Later we learned that the people responsible for managing the company's Internet presence didn't know about some of these domains, which provided back doors into the company. Along the same lines, our search turned up more than 100 Web servers, though the IT staff had figured there were fewer than a dozen. We learned of the discrepancy when we informed someone from the CIO's staff of our findings at a breakfast meeting on our first day on-site.
As happens in about half our reconnaissance efforts, we found evidence of illicit employee activities. For example, one employee was using his company E-mail account to sell information on how to perform criminal activities.
After a day and a half of this preliminary investigation, we ventured on-site. Three of us were involved in the internal test: Kevin, a technician familiar with attacks on Unix and Windows (the company's typical environments); Jeff, who would focus on social engineering and could assist on the technical side; and me. My focus was on the "black bag" aspects of the test--physically going into a high-risk environment to steal information or perform other high-risk tasks to support the espionage operations.
Our first job was to get into the building complex, which housed multiple tenants sharing a common entrance. An outside firm handled the facilities management and physical security.