Black Team War Stories


© NCC Group 2017

Contents

Keypad entry

Brief, brave & brazen

Keys to the kingdom

On a need-to-know basis

Security guards & anti-tailgate barriers

The government building

All security guards are vigilant, right?

The confident customer

Overt to be covert

A very helpful security guard


We’re all aware of the ever-evolving threat that organisations are facing from cyber criminals.

But while security against digital attacks is improving, many businesses are focusing so much on securing their networks that they’re forgetting to protect their physical assets and, more importantly, their people.

That’s where Black Team engagements come into play.

Part of NCC Group’s Full Spectrum Attack Simulation assessments, Black Teaming aims to help a business spot the weaknesses in its physical controls and staff awareness that facilitate actual access to premises.

In this ebook, you’ll read ten separate stories from our Black Team engagements out in the field. Some required more creative thinking than others, but all ended with us successfully infiltrating the client’s physical location.

We hope that each story will not only indicate the importance of physical location security, but also provide executives and senior management with an insight into how a physical breach can lead to wider compromise.

Find out more about our Full Spectrum service at: nccgroup.trust/full-spectrum

1. Keypad entry

The weather during the planned week of testing was scorching, the target building was situated in a very closed environment and all staff knew each other.

During the day, there were fire doors left propped open and many opportunities for an attacker to remove things.

This tactic wasn’t in our interest as doing so would not emulate the abilities of covert and methodical attackers. A Black Team wants its true activities to stay undetected (for a period of time at least, if not indefinitely).

Long term static surveillance was not possible without being noticed so we deployed covert cameras in bushes around the car park.

These cameras, coupled with our online intelligence gathering, confirmed that employees didn’t use staff ID cards or lanyards. However, with staff knowing each other so well, we were aware that pretending to be an employee during office hours would be out of the question.

The security for the building came in the shape of a four-digit pin pad and an alarm system which was switched on outside of office hours.

Using a low-tech attack we were able to compromise the pin pad by marking the individual pins with a felt-tip pen at about 7am and subsequently returning after office hours to assess the fingerprints and remaining markings.

Knowing that the first few staff members would have inadvertently displaced the markings for us, to this day I often wonder at which point those few staff members became bemused by the green ink inexplicably smudged across their index fingers.

Once the four digits of a pin pad are known you only have 24 possible key combinations. The brute forcing for this particular assessment didn’t take very long.

Having conducted our initial surveillance, we knew when the first and second employees were expected to show up: 7:30am and 7:40am respectively.

We also knew that the first member of staff would head straight to the first floor and open all of the roof windows.

Our open source intelligence (OSINT) gathering had uncovered planning applications for these windows from years earlier, made due to the excessive temperatures inside the office in the summer months.

With that intelligence to hand, we planned our infiltration. One consultant would maintain a temporary static observation post - controlling the entrance, car park and road - in order to provide a running commentary and be on the look out for any approaching staff. The second would conduct the infiltration and deploy a remote-access network device inside the building.

At 7:30am the first member of staff arrived. As expected, he went to open the windows upstairs, providing us with the opportunity we needed to gain access and deploy audio bugs and a network device.

For a brief moment it seemed that the second member of staff had arrived earlier than expected, at which point the consultant inside was given the ‘stand-by’ message, hiding under the (unusually small) reception desk.

Luckily for us it was a false alarm, allowing the operation to continue.

During that week we were able to access the building covertly on a number of occasions and extract a significant amount of our client’s own confidential customer information.

2. Brief, brave & brazen

The client, a global engineering company, was concerned about the security of a satellite office it had temporarily leased to oversee a large project in London.

The target building was multi-occupancy and the reception desk for the main building entrance was only there to greet individuals and answer queries. Entering and leaving was not an issue, but our target leased the top two floors and staff numbers were low. At peak time, they couldn’t have had more than 20 employees on each floor.

The engagement was very short and so researching and developing suitable social engineering scenarios was not possible.

Attempting to take photos of employee passes as staff left the building was not realistic either, due to the location and ongoing construction work at the site. It was also raining at the time and standing outside for hours on end was not my idea of fun.

We discussed some ideas in a nearby café but it was very clear that entering covertly was not going to be possible. So, we decided to tailgate our way in and deal with any confrontation as it happened. I believe management like to call this approach a ‘dynamic risk assessment’!

We allocated ourselves a floor each and set off to find an employee/visitor to tailgate. My colleague, a very experienced consultant and social engineer, was the first to successfully tailgate his way inside the office – he even made himself comfortable in a meeting room.

As I could still see staff through the door window, I was able to provide a running commentary of all activities, highlighting when the coast was clear.

We had planned to wait for the last member of staff to leave their desk, but this didn’t seem likely to happen soon. So, brazenly, my colleague decided to leave his hiding place and take a stroll around the office while still on the phone to me. The remaining member of staff didn’t seem fazed and after a while my colleague reappeared with an RFID visitor pass. Amazing work.

We used the pass to access the top floor where the project managers worked and the reception desk for both floors was located.

There were a few managers still at their desks, so while my colleague pretended to have a phone call in their presence in order to keep an eye on them, I was able to quickly search through the reception desk drawers. They weren’t locked and I managed to find a stash of visitor passes – so I helped myself to one of those.

We reconvened the following day dressed smartly and occupied a meeting room.

With our laptops plugged into the client’s network, we realised that the floor ports hadn’t been activated for the room.

At this point, my colleague decided to go for a wander around the office and sat down next to a member of staff.

Not a word was said as my colleague blatantly plugged his cable into the network and started running his tools. He couldn’t believe his luck either when the employee left his desk for several minutes without locking his computer.

Not being one to sit idly by, I focused my attention on the locked cupboard in the corner of the meeting room. A wafer lock was all that stopped me from taking photographs of the sensitive documentation contained inside, which included staff medical records and photocopies of ID documentation. I made a note to highlight this security vulnerability in the final report.

With just 20 minutes until the room was booked, I deployed an audio bug, packed up and listened to the meeting from several floors down.

We were surprised by the lack of staff vigilance. We’d been in and out of the offices several times, made cups of coffee in their kitchenette and wandered around.

Our time was nearly up when my colleague spotted the company’s porta cabins outside. They were using fingerprint biometrics to stop people like us gaining access to the site office.

The biometric security system would have been great, but it didn’t prove to be of much use when my colleague borrowed a branded high-vis jacket from the office and flashed his stolen visitor pass at a security guard. To my amazement, the guard let him in.

3. Keys to the kingdom

The client had provided very specific objectives: gain access to the network and compromise customer data. Only two members of the organisation were aware of the assessment taking place and they were keen to show their CEO that investment must be made in their security programme.

At the beginning of the job, we arranged a face-to-face briefing with our on-site contacts at a coffee shop away from the target building as we didn’t want to be compromised on the first day.

These types of engagement attract a variety of clients; some have been forced to have an assessment to keep investors happy, while some genuinely want to understand any security flaws that might exist. This client was very much the latter and wanted to really demonstrate how important security was in the organisation.

During the briefing, we were asked how we were getting on and whether or not we needed help getting in.

The client seemed surprised when we said we were doing just fine and had already spent part of the first day setting up shop in one of their many meeting rooms. They were sure that at least their reception team would have challenged us upon entry.

This was going to be an interesting engagement.

We found out that a security guard protects the building from about 6pm onwards and had been instructed not to let anyone in after business hours. With that in mind we gulped our coffees and headed back to the target building. We had a lot to do and we wanted to do it when most employees had left for the day.

We ended up working most days until 11pm and ordering pizza to the site. The security guard was getting used to us working late most evenings and we often chatted to him when we waited for our deliveries.

One evening we gained access to the client’s call centre suite and were fiddling with various computers to see what we could pilfer or compromise when the guard walked in.

We thought that at this point he would become suspicious, but fortunately he was so used to us working around the building he completed his security checks and moved on.

Happy days!

With most employees having left for the day, we methodically worked our way around the various offices. We picked the locks on pedestals, found network passwords on post-it notes and lost count of the number of staff RFID cards left in desks.

One of the RFID cards we found was in the pedestal of the CFO. They were just plain white cards and so, noting an opportunity to have constant access across the entire site, we swapped it with a blank card of our own. At the end of the engagement we returned to the CFO’s desk, picked the lock again and placed the card back where we had originally found it.

We were hacking the client’s network remotely during the day and then spending the remainder of the evening working across the various offices and floors.

We had deployed remote access network devices, compromised many staff accounts and located customer data.

Although the customer data was stored off site on secure servers, we were able to steal the VPN certificates for access and reuse known passwords. Call centre staff had also saved recorded customer phone calls and some even contained sensitive data such as bank card details and personal information.

As with all engagements we conduct, if we identify gaping security holes like these, we debrief the client as soon as we can.

The client was genuinely concerned and wanted to fix the vulnerabilities right away, even inviting the company lawyer to the various debriefings.

We were only too happy to help.

4. On a need-to-know basis

We’d managed to book the hotel opposite the client’s building. This was useful for several different reasons, such as the potential to eavesdrop on the conversations of staff in the bar and restaurant. Plus, we could see who was coming and going from the target building.

My OSINT hadn’t managed to find much, but we knew the client leased its office space and that it was one of several sites across that region of the UK.

It was a small office environment and the staff were likely to know each other. An unknown face tailgating would be challenged in no time. Interestingly, they didn’t use staff ID cards, so we assumed pretending to be an employee from one of the company’s sister sites might be possible.

From our hotel we were able to find a stairwell to watch from. There was building work going on in the hotel, so we knew it was unlikely that fellow residents would see what we were doing.

We had our camera with telephoto lens to hand and were able to gather a wealth of information. We could see inside the meeting rooms and obtained some superb imagery of the documentation laid out on the tables.

We could also clearly see the computer screens and were able to note when staff started and finished work. If we weren’t required to access the site, we could have gathered everything we needed from the comfort of our hotel.

We knew that attempted access into this environment would be tricky, but we decided to try. With some props in hand, my colleague claimed to be from the leasing company and used the ruse of assessing the fire alarm call points. From my observation point in the hotel, I was able to take photos of him being led around the office space to each call point.

It wasn’t in our scope to do so, but we could have easily injected malicious USB sticks into devices around the offices.

The following morning, I tried my luck by using the pretext of being an employee from one of the client’s sister sites. I researched the addresses, job roles and names of managers in order to prepare myself to answer any questions.

I had to tailgate my way through the first set of doors. Upon approaching the reception desk, I explained who I was in the hope that the receptionist would leave me alone with her logged-in computer while she found someone to host me.

However, this wasn’t the case and instead a Senior Manager invited me into one of the meeting rooms we’d previously been spying on from the hotel. He and I talked for a while about where I worked, my management and ongoing projects.

My colleague and I suspected that another member of staff, the Office Manager, already knew an assessment was taking place. Our suspicions were confirmed when she called the Senior Manager away from the meeting room briefly, although I wasn’t particularly worried as he’d left me alone with some floor ports to take a look at.

When the Senior Manager returned, he explained that I’d need to come back later as he was somewhat busy. It was very clear at this point that he was now aware of the assessment, but he was polite and I remained in character.

Although we’d highlighted some significant vulnerabilities in the client’s security, we also expressed our concerns that more individuals knew of the test than was necessary. When this happens, it’s not our assessment that is impacted but the long term security of the company’s personnel and data.

5. Security guards & anti-tailgate barriers

Physical reconnaissance had taken place and the OSINT exercise had identified internal office imagery and staff ID cards. This allowed us to replicate the cards in readiness for a breach scenario.

This building was a cross between an office and warehouse. It was like a mini fortress. CCTV was everywhere, radio frequency identification (RFID) controlled anti-tailgate barriers were installed and a security guard manned the small side office to deal with visitors and deliveries.

As is often the case in these exercises, time was limited and so organising a meeting to get us in would have been tricky and time consuming.

The intelligence picture at this point was therefore not developed enough to confirm exactly which business units sat inside. Developing that further would have cost us a lot of time we didn’t have.

We brain dumped some ideas over a brew in a nearby café until we had something suitable to build upon. It was clear that targeting the security guard was the only way in. To do that we needed to develop a situation whereby the guard would not just let us in, but it would be in his interest to do so.

Outside of the target building we stood in clear view of the security guard at his desk, while we overtly pointed at the CCTV cameras and made notes on our clipboard. We wore high-vis jackets with the company name printed on, the correctly coloured lanyards and forged ID cards.

We approached the small reception room where the guard was sat, placing our clipboards on his desk while we rifled through the fake paperwork and proceeded to explain who we were and what we were doing.

We told him that we worked out of the Crawley office auditing the physical security controls for the corporate estate and that we had the authorisation documents should he need them.

Without allowing him to jump in and ask any questions, we stated that we would be auditing the site’s internal environment and also be assessing its external controls.

The key for us here was to be seen as authoritative figures, as opposed to asking for his permission.

One of the team even requested that the guard fill in a security questionnaire and asked him if he wanted us to wait in his office while he completed it.

Unsurprisingly, the offer of us standing over him while he completed the form was turned down, to which we promptly told him that we would grab a coffee from the canteen before getting started.

With seemingly no desire to ask questions, he happily gave us access to the building.

And we did actually collect the completed questionnaire on our way back out!

6. The government building

An online intelligence gathering exercise unearthed social media and news articles with imagery of staff members, all of whom were wearing their lanyards and ID cards.

This in itself was a great find, but there were two snags: all of the lanyards were of a custom design (we did not have time to order copies online) and the ID cards were worn facing inwards (presumably for operational security).

We knew that the custom lanyards would be an issue but continued with the plan to gather imagery of the front of the ID cards. Fortunately for us, many staff members would leave the building while still wearing their lanyards and passes, so we set up an observation post from an adjacent car park and started taking photos.

This tactic, combined with casually engaging staff in conversation while covertly filming them, ensured that we were able to gather some great imagery.

We promptly returned to our hotel to print off some fake staff passes using the images we’d gathered, which allowed us to create accurate forgeries, both front and back, word for word.

Even with accurate ID cards, getting the right lanyards was still proving to be an issue. We were anxious that we’d be challenged for wearing the wrong ones, but went ahead with our plan anyway.

Our suspicions were correct; an attempt to tailgate a staff member through the RFID controlled doors failed at the first hurdle. We were met with a firm but polite response: “I’m sorry gentlemen, I can’t let you in. You have the wrong lanyards.”

Holding our forged cards (still warm having just come off the printer) one of us asked: “That’s a shame, we have our passes with us. Do you happen to know where we might be able to obtain the correct lanyards from?”

We were directed to another building on the compound which dealt with all things ID and lanyard related. We realised this could prove an issue if they attempted to look us up on their system, but our options at this point were slim. Continued tailgating attempts without the correct credentials could see us being apprehended.

Time for plan B.

Our reconnaissance efforts had identified a very helpful receptionist in the main building. And, following some brief research of additional sites this organisation owned, including the teams they employed in those buildings, we’d created a plausible scenario.

One of us returned to the main building’s reception and explained to the receptionist which site we had come from and that - although we were here for meetings - there were complaints about us wearing the wrong lanyards. We asked the receptionist if she had any spare lanyards.

Although she accepted the story, she stated that she’d need to verify our identity. At this point, one of the forged ID cards was handed over for a visual inspection.

She scrutinised it, front and back, before telling us there would be spare lanyards somewhere that we could have.

We were in.

7. All security guards are vigilant, right?

We were in a vehicle situated in a car park adjacent to the target. We were doing some physical reconnaissance, wireless reconnaissance and using a camera with a telephoto lens to capture imagery of staff, security guards and ID cards.

The site was fairly big and all staff members used RFID cards to access the building. We decided to assess the area on foot, which usually allows us to pick up any finer details. Plus, it often provides an opportunity to see how vigilant the security guards are.

While I was taking a slow walk around the building and the car park, an eager security guard saw the opportunity to challenge a would-be miscreant in an effort to investigate further. Fortunately for me, I had already researched the surrounding companies and buildings.

I confessed that I was due to meet a friend, was looking for ABC House and asked if he could assist me in finding it. He was more than happy to help, but knew nothing of the building I described.

He promptly invited me inside to ask the receptionist, tapping his RFID card onto the reader as he opened the door for me.

Once inside, I again explained my situation. After a moment of deliberation, we realised between us that the building I was looking for sat opposite. Great!

I thanked them both for their time as the security guard escorted me out of the doors on the other side of the building.

Before parting ways, we got chatting and I soon found out what time the security team operated. We swapped names and agreed to have a tea and another chat if I was passing. The covert video recording I captured on my phone of the reception area turned out to be pretty useful, too.

Armed with the knowledge of when the security team would not be on site, and once again using forged staff ID cards, the team was able to tailgate its way throughout the various floors, dropping ‘malicious’ USB sticks on the way and finding all sorts of useful corporate information (including passwords left on desks).

The team was also able to deploy a remote access network device behind a television in a meeting room and recover it covertly the day afterwards as well.

A job well done.

8. The confident customer

A pre-assessment conference call with the client identified two things:

1. They had previously been tested by another company that apparently got lucky getting in. As a result, the client confidently predicted that we’d fail.

2. They were situated in a multi-occupancy building in a bustling part of London, with a police station around the corner, a 24-hour team of security guards and RFID controlled doors. The client had also highlighted that anyone accessing its floor via the main entrance would be greeted by no fewer than three receptionists, an additional hurdle.

Careful planning would be required for this engagement, so we ran several surveillance and reconnaissance phases, monitored the radio communications of the guards and mapped the CCTV locations.

Our OSINT uncovered floorplans, staff imagery and internal office and building imagery. Some of this was found in historic leasehold brochures and some on employees’ social media pages.

We knew that all building staff had to show their passes to one of the security guards on entry and fortunately we’d managed to obtain photographs of these during our surveillance of smokers standing outside of the premises. Creating accurate forgeries proved easy enough.

At approximately 7am the following morning, knowing that few staff would be on site (and, more importantly, that there would be a lack of welcoming receptionists), entry was gained. Two security guards were manning the main building reception desk, although they were clearly too busy chatting to provide much of a deterrent. A simple “good morning”, accompanied by a wave of my fake pass, was enough to keep them happy.

During these assessments, my motto is to always take the stairs; being stuck in a lift with an employee is a potentially damaging situation.

I walked up to the client’s offices on the first floor and noted that they were actually using two entrances from the lift lobby. However, it was the cleaners in the reception area who provided me access.

I couldn’t help but smile to myself when I walked past the three empty reception desks, proving ineffective before 8am.

Later on, during the debriefing with my colleague, I highlighted the additional door access on the target floor. By standing in just the right location on the stairwell, it was possible to remain unseen but at the same time observe staff leaving the lift lobby and ultimately tailgate through the door. We again attempted to gain access to the building, finding success for a second time.

On this occasion, it was my colleague who entered and he took so long inside that I feared he’d been caught. When he finally reappeared at our rendezvous point I asked what had happened. He said he’d found the environment so relaxed inside he decided to make use of their tea-making facilities.

Between us we had deployed network devices, photographed large amounts of unsecured confidential data and had open access to some of their computers.

Needless to say, the customer’s confidence was short lived.

9. Overt to be covert

The target organisation was quite small with no more than 40 employees situated across several office suites on a shared floor. The building itself was also shared occupancy, with the obligatory security guard manning the reception desk on the ground floor.

It soon became apparent that none of the organisations in this building used staff passes, which meant staff were unable to verify their identity with the security guard on entry. Brilliant.

I promptly walked into the building to test this theory and up the four flights of stairs; the security guard didn’t seem to pay much interest.

Conducting further reconnaissance inside the target premises is often referred to as advanced target reconnaissance, or ATR for short. This ATR was able to show that the target’s own floor had a reception desk - although it wasn’t manned before 9am - and that a corridor wrapped around the centre of the building with various offices branching off it. Our target occupied three of them.

Even though our main objective was only to ascertain if entry could be gained to individual offices, my colleague and I knew this was going to be a tough target to crack. With the organisation being so small, it wasn’t possible to act as a fellow employee. Tailgating would also inevitably fail.

There just didn’t appear to be a way in without being noticed.

Using the pretext of job seeking, it was possible to question the security guards of additional buildings in the compound and gather information about the maintenance company in use across the whole site. With that information, we developed intelligence for use in a social engineering attack against our target.

Dressed smartly and wearing fake ID cards in the name of the maintenance company - as well as holding a clipboard with fake documentation - we headed straight to the fourth floor.

We explained to staff who we were, creating the fake job of needing to investigate a two-inch crack in one of the windows. They were more than happy to let us in.

For some strange reason, our fake paperwork didn’t state exactly which window was broken. So, being the thorough and methodical maintenance employees that we were, we painstakingly assessed each window pane.

Roaming freely in and out of their offices and around desks, we periodically made notes on the clipboard.

Unbeknown to the target company’s employees, we were filming the breach and noting the various items we could have stolen or compromised. Resisting the urge to walk away with laptops, we pilfered a document as a proof of concept only (this was a prior agreement with the client if we were to be successful).

Before leaving, we both noticed that one very small office remained unchecked. It was the CEO’s and he was on the phone. We mentioned this to the office manager and she kindly called us back to inspect his office when he was finished.

Shortly after, we called our contact to arrange a face-to-face debrief, show the video footage and return the documents we had taken.


A very helpful security guard

10


We knew the target building had been undergoing work on one of its floors and the physical reconnaissance had identified a very vigilant building manager on the front desk. Having noted her professionalism, sneaking past was therefore not an option and I had no desire to cross her.

We noticed that there was some vacant floor space in the building, so we portrayed ourselves as company scouts looking to rent office space.

We gathered some useful information, including building brochures and business cards, but wanted to know how secure the building was after business hours.

They told us there was a security guard during the evening and that he swaps with another guard at the end of his shift. How reassuring!

Previous experience had shown us that security guards are not always as vigilant as they should be, so exploiting this guard was probably going to be our way into the building.

We decided to dress as building contractors, donning high-vis vests, hard hats and tool bags, and returned late one evening in the hope of entering under the assumption that we were completing building work.

We explained that we were due to collect some very important paperwork that was needed in order to undertake our work. Emphasising how important the paperwork was, we asked if it had been left for us to collect. Needless to say, it hadn’t.

The security guard let us inside to check if it had been left upstairs in the office. Brief observations showed us that the few staff who remained in the building were very security conscious. For example, they always closed doors behind them, meaning tailgating was not an option we could exploit.

And while this was excellent for our client, it meant that the job wouldn’t be as easy as we first anticipated.

We returned to the ground floor and told the security guard that our paperwork was still being prepared and we’d be back shortly to collect it. We also wanted to make sure that most, if not all, personnel had left for the day before our second breach attempt.

Knowing how helpful the security guard had been, and that they likely had access to the various floors in the building, we returned later that evening. Once again, no one had left our paperwork at the front desk for us to collect.

We asked the security guard if he could take us to the floor where we expected the paperwork to be.

Fortunately, the guard was able to escort us up to the target floor right next to the IT team’s desks. He informed us that he needed to sign us into the company visitor’s book but, as he left to retrieve it, he made the error of leaving us unaccompanied beside the IT desks.

In essence, the company was genuinely security aware and had some great policies in place. During the face-to-face debriefing with the client, he was frustrated that we’d breached the site. However, he was grateful we had found a weak link and could provide advice on how to fix it.


“Previous experience has shown us that security guards are not always as vigilant as they should be...”


NCCG/SC/BTWSV2/10/17

Could you be doing more to protect your organisation?

Our Full Spectrum Attack Simulation assessments are specifically designed to help you identify the points of weakness that put your business and your people at most risk of attack.

• Black Team assessment: Aims to identify weaknesses in physical controls and staff awareness that facilitate physical access to your premises.

• Red Team assessment: Assesses your cyber preventative controls, staff security awareness and challenges your Blue Team’s detection and response processes.

• Purple Team assessment: Combining Red and Blue Team activity, a Purple Team assessment sees attack and response experts embedded within your internal security operations during a Red Team engagement.

• Gold Team assessment: Identifies improvements in your internal and external communications, crisis management procedures and decision making.

For more information about how your organisation could benefit from our expert capability to deliver simulated attacks, visit the link below.

nccgroup.trust/full-spectrum