Social Engineering: Hospital
A hospital engaged High Bit Security to perform a social engineering engagement to determine the security of the physical facility and the security of their IT environment. Social engineering seeks to use the naiveté, courtesy, compassion, helpfulness, greed, and/or inattentiveness of an organization's employees to compromise the security of that organization. It is also an assessment of the effectiveness of the organization's security awareness training and policies.
Physical Security Assessment:
The High Bit Security (HBS) agent gained direct external access to the roof via an unsecured ladder. Through an unsecured maintenance entrance, he gained access to the water supply, the access panel to the fueling system for the generator, and the heating system. At the rear of the building, through an unsecured construction area, the backup generator was easily accessible. Through the unattended shipping and receiving area, he had the ability to remove medical supplies and recently received equipment awaiting distribution to the departments. The keys to the trash compactor were hanging in the lock of the compactor, no doubt to facilitate access for environmental services. This constituted both a security and a safety hazard. The dumpster contained information about internal equipment and also contained shipping documents bearing the names of employees. The rear entrance to the administration building had double doors with a wide separation between them, allowing them to be opened with a coat hanger or butter knife. All of this was discovered, and documented, without challenge.
Data Security Assessment:
The HBS agent identified an unattended and unlocked workstation located near the front entrance to the hospital. In several other parts of the hospital, using a ruse, the HBS agent convinced helpful hospital employees to show him to unsecured workstations that gave him access to the hospital network and the physician network of the hospital. The agent also placed a benign file from a USB stick on each of the workstations as documentation of agent access.
Attempts to gain access in the medical records department, using the same ruse, were thwarted by the clerk, who brought in a supervisor. The supervisor insisted that authorization from IT was needed. This should have ended our exercise. However, the supervisor did not call the IT department to confirm our agent's legitimacy, did not call anyone to escort the agent, and did not notify security that someone was attempting to gain access to medical records. Instead, the supervisor simply directed our agent to the administration building. Our agent followed the directions given by the supervisor and walked to the administration building, now armed with the added legitimacy of the name of the supervisor who had directed him.
The receptionist at the administration building pointed the HBS agent in the direction of the IT department, allowing the agent unescorted access through the administration building, where he found the IT department unoccupied and unlocked. The agent gained direct access to an unlocked workstation, again loading the benign file. Since the agent was unescorted, he continued to explore the remainder of the administration building.
High Bit Security provided complete documentation of the security lapses, with remediation recommendations, including employee security training, physical security improvements, and improvements to data security policies/procedures.