A multinational Fortune 500 company was about to undergo a full-scope audit. But the CIO wanted to find out in advance what problems might be discovered during the formal audit and be able to respond immediately with a remediation plan.
The company, which employs more than 10,000 people, is responsible for critical elements of physical infrastructures around the world and is regularly targeted by a wide variety of organizations, including terrorists and foreign governments. The CIO believed the company had some problems with physical security and end-user systems but thought he had the servers and network locked down.
Most of the company's assessment funds had been allocated to the formal audit, so the preassessment budget was tight. The CIO had seen a presentation on espionage simulations my team and I had conducted previously, and he knew we provided an accurate picture of an organization's security posture, showing a cross-section of vulnerabilities likely to be exploited by malicious parties. We also had an advantage in that I'd been at the facility before for an unrelated reason, so I knew the general makeup of the main facility and some of its physical weaknesses, which would save us a day or so of reconnaissance.
Open-Source Intelligence
We typically begin an espionage simulation by gathering intelligence on the company's physical, technical or operational infrastructures, and on its personnel. An actual espionage effort would include a large reconnaissance effort, including LexisNexis searches and other for-fee database searches, but this company's cost constraints limited our effort to Google and other free searches.
Our search revealed a wide variety of information about the contracts the company was pursuing, as well as details on its corporate facilities. Most troubling, we found maps of some facilities in high-risk areas, which could help malicious parties target the company and its people. We also found a corporate phone directory intended for internal use only. This directory detailed all the company's facilities and listed the names of all employees, their titles and their offices. This would have immense value for our future social engineering attacks.
We uncovered information about the company's generic technical architecture by looking at trade Web sites and postings to newsgroups by the company's IT staff. We knew the company had a Windows infrastructure with Sun computers handling most of the server duties. Knowing the hardware and software let us predict technical vulnerabilities and helped us prepare to target the company's systems, both internally and externally.
We also found a variety of corporate domains to target. Later we learned that the people responsible for managing the company's Internet presence didn't know about some of these domains, which provided back doors into the organization. Along the same lines, our search turned up more than 100 Web servers, though the IT staff had figured there were fewer than a dozen. We learned of the discrepancy when we informed someone from the CIO's staff of our findings at a breakfast meeting our first day on-site.
As happens in about half our reconnaissance efforts, we found evidence of illicit employee activities. One employee, for example, was using his company e-mail account to sell information on how to perform criminal activities.
After a day and a half of this preliminary investigation, we ventured on-site.