The pandemic was an ideal time to gain physical access to vacant or minimally staffed locations. Low foot traffic reduced the opportunities to tailgate or piggyback into facilities, but it remains an easy way in. With many locations still vacant or minimally staffed even today, an attacker has more time to locate poorly secured or unlocked ingress points.
<p>An attacker can just as easily knock on the door. I recall an onsite social engineering engagement I did during the middle of the pandemic where I posed as a fire extinguisher inspector. I looked the part with steel-toe boots, blue jeans, a work shirt I had custom-made that matched their vendor, and a clipboard. The location I visited would typically have close to 100 people during the workday, but due to the pandemic, they adopted a work-from-home policy and there were probably only five people when I visited. I rang the bell at the front door several times before an employee just popped the door open. I did not even have the chance to give him my cover story before he went back to his desk located near the rear of the office. He was more irritated that his work was interrupted than he was concerned with verifying a vendor he had let into the building. Sometimes it is just that easy!</p><p>Once inside, an attacker has plenty of options. The simplest is to steal equipment that may hold sensitive information; the more damaging is to establish persistent access to the network. For persistence, an attacker can locate a live network jack and connect a small device that calls back to an attacker-controlled IP address, then use that device as a foothold inside the network. A device with a wireless radio works the same way: once it is on the wired network, the attacker only needs to stay within Wi-Fi range of it. These are just two examples of planted devices; there are many other methods. If workstation drives are not encrypted, an attacker with physical access can clear the local administrator password offline (full-disk encryption is the control that prevents this), then log in to the host to begin an attack or load a beacon that connects back to their command and control (C2) server. 
This may sound unrealistic, but on some of the engagements I have been on, entire floors were devoid of employees, and I was able to work at a relatively calm pace. Before the pandemic, I was typically rushed and would have to locate an empty workspace before I could begin. Due to social distancing recommendations, you are typically given a wide berth by what few people are at a location. This also gives an attacker more time to rummage through desks for sensitive information such as passwords or PII.</p><p>These are only a handful of the scenarios that could play out, which is why it is important to remember that security is about defense in depth: verifying visitors at the door, 802.1X or port security on wired ports, full-disk encryption on workstations, and a clean-desk policy each close one of the paths described above. Small steps to increase your security posture will pay off over time and help keep your organization out of the news.</p>
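<p>The planted-device scenario above (a box on a live jack that calls home) usually leaves one early trace: a DHCP lease handed to a MAC address nobody in the asset inventory owns, often outside business hours. The following detection is an added example written for this page, not the author's tooling. It parses the ISC dhcpd DHCPACK message format; the log lines, the asset inventory, the business-hours window and the small OUI hint table are all constructed assumptions for the example.</p>

```python
"""Flag DHCP leases issued to devices that are not in the asset inventory.

Added example: turns "someone plugged a box into a live jack" into an alert
by comparing DHCPACK records against an inventory of expected MAC/hostnames.
All log lines, inventory entries and hints below are constructed.
"""
import re
from datetime import datetime, time

# Constructed ISC dhcpd syslog lines (not captured from a real network).
SAMPLE_LOG = """\
Apr 14 09:02:11 dhcp1 dhcpd: DHCPACK on 10.1.20.14 to 3c:52:82:aa:bb:01 (WS-FIN-014) via eth0
Apr 14 09:05:43 dhcp1 dhcpd: DHCPACK on 10.1.20.15 to 3c:52:82:aa:bb:02 (WS-FIN-015) via eth0
Apr 14 22:41:09 dhcp1 dhcpd: DHCPACK on 10.1.20.57 to b8:27:eb:12:34:56 (raspberrypi) via eth0
Apr 14 22:41:10 dhcp1 dhcpd: DHCPDISCOVER from b8:27:eb:12:34:56 via eth0
Apr 15 08:58:30 dhcp1 dhcpd: DHCPACK on 10.1.20.14 to 3c:52:82:aa:bb:01 (WS-FIN-014) via eth0
"""

# Constructed asset inventory: MAC -> hostname the asset team expects.
INVENTORY = {
    "3c:52:82:aa:bb:01": "WS-FIN-014",
    "3c:52:82:aa:bb:02": "WS-FIN-015",
}

# Constructed OUI hints (assumption); a real deployment would load the IEEE registry.
OUI_HINTS = {
    "b8:27:eb": "Raspberry Pi Foundation",
    "dc:a6:32": "Raspberry Pi Trading",
}

# Assumed on-site hours; leases outside this window get an extra reason.
BUSINESS_HOURS = (time(7, 0), time(19, 0))

# ISC dhcpd DHCPACK line. The "(hostname)" part is optional in real logs.
ACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+dhcpd:\s+"
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)


def parse_acks(log_text):
    """Yield one dict per DHCPACK line; other dhcpd messages are ignored."""
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["mac"] = rec["mac"].lower()
        # Syslog timestamps carry no year; only the time of day is used here.
        rec["time"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S").time()
        yield rec


def find_rogue_leases(log_text, inventory=INVENTORY, hours=BUSINESS_HOURS):
    """Return {mac: finding} for MACs not in the inventory, or known MACs
    whose hostname no longer matches. The first lease seen per MAC is kept."""
    findings = {}
    for ack in parse_acks(log_text):
        mac = ack["mac"]
        if mac in findings:
            continue
        expected = inventory.get(mac)
        if expected is not None and expected == ack["host"]:
            continue  # known asset presenting its expected name
        reasons = []
        if expected is None:
            reasons.append("MAC not in asset inventory")
        else:
            reasons.append(f"hostname {ack['host']!r} != inventory {expected!r}")
        if not (hours[0] <= ack["time"] <= hours[1]):
            reasons.append("lease issued outside business hours")
        findings[mac] = {
            "ip": ack["ip"],
            "host": ack["host"],
            "iface": ack["iface"],
            "first_seen": ack["ts"],
            "vendor_hint": OUI_HINTS.get(mac[:8]),
            "reasons": reasons,
        }
    return findings


if __name__ == "__main__":
    for mac, f in find_rogue_leases(SAMPLE_LOG).items():
        print(f"{f['first_seen']} {mac} {f['ip']} host={f['host']} "
              f"vendor={f['vendor_hint']} reasons={'; '.join(f['reasons'])}")
```

<p>Treat a hit as a trigger to go look at the switch port, not as proof: MAC addresses are trivially spoofed and an OUI only tells you who made the board. The alert is most useful when paired with the preventive controls the post points to, 802.1X or port security on the jack and full-disk encryption on the hosts, so that a planted device gets neither an address nor a usable workstation to start from.</p>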