RSM Defense Intelligence has observed claims and reports of Universal Serial Bus (USB) thumb drives, commonly called flash drives, being used as single-detonation bombs. One such example was in Ecuador. The device was mailed to a journalist and Ecuadorian television presenter, which resulted in the USB being utilized as an explosive after being plugged into the USB ...
Physical
TSA cybersecurity directives: What pipeline companies need to know
After the Colonial Pipeline ransomware attack shut down the entire pipeline system for over a week, the Department of Homeland Security’s (DHS) Transportation Security Administration (TSA) issued a directive requiring all pipeline companies to take immediate actions to mitigate cyber risks. The first cybersecurity directive was issued on May 27 and the follow-up directive was ...
Physical Penetration Testing Basics – A Primer
Physical Penetration Testing is an assessment that involves testing physical security controls to see where they might fail. While this can include a number of different activities, including social engineering, many doors and locks are designed to simply slow down an attacker, not completely protect against one. At RSM, we constructed a sample door for demonstration and ...
Dirty Deeds…. On Video
Recently the team and I were engaged in a physical penetration test where our goal was to gain access to multiple facilities and data deemed sensitive by the client. During our internal discussions for the engagement it was brought up that recording portions of the assessment could provide some additional benefit for the client. As they say, a picture is worth a thousand ...
Do it Live! – Social Engineering Training
Social engineering is one of the most utilized attack vectors used in real world breaches. These come in the form of phishing, vishing, device drops, and even in person. A lot of research and prep-time comes into play with social engineering as we have to know the target, the objective, the environment, and most importantly ourselves. Prior to security, I performed in theatre for ...
Gotta Vish ‘Em All: Managing a Large Vishing Engagement
I was recently tasked with managing a rather large vishing campaign targeting a major financial institution. Normally when we get these kinds of campaigns, we're tasked with making ten to fifty phone calls (whether or not someone answers) and report the results. This campaign differed in that we had to talk to 100 individuals. Now it doesn't sound so bad, right? In reality, our ...
Identity Legitimacy: Making Your Own ID Badge
A big part of performing any sort of physical penetration assessment involves a little bit of social engineering. More often than not, we choose to spoof a legitimate employee or vendor to attempt to enter the facility. Now, simply saying that you are Joe Schmo from Corporate isn't likely to get you very far. A successful tester will have to look the part, dress the part, and, ...
Personal Preparation for Active Shooter Events
It's an uncomfortable topic to address, and this is certainly a change in tone for the War Room. But unfortunately, it's 2016, and this is the world in which we live. Active Shooter events are now a significant factor in the consideration of organizational security policies and procedures and are steadily increasing in frequency year to year. According to a 2014 study by the ...
Bypassing Common Physical Security Interior Controls
A few months ago, I wrote a post about some of the simple techniques we use to get around common perimeter security controls, and I realized today that I've gotten you onto the property and left you high and dry! So, I would like to remedy that today and discuss some of the more successful tactics we use in our day-to-day work to get around interior controls. As in the previous ...
Beer:30 – Physical Security Assessment
Our very own patchwork talks about conducting a Physical Security Assessment for RSM's Beer:30 web series. ...