Social Engineering focussed on access control

From a security perspective company buildings and offices basically provide a physical layer of protection. The sometimes very complex security measures against unauthorized access can be tested through specific attacks. Human factors thereby play a key part.

The respective Social Engineering Assessment includes the following components:
  • Vulnerability analysis through observation of the building (access possibilities, security measures, volume of people entering/exiting, relevant procedures / processes / deficiencies)
  • Optional/project-specific: creation of a qualified ficticious person (e.g. through false company ID cards, physical disguise, appointment setting with a false identity)
  • Unauthorized entry into buildings, e.g. by providing false identities, false facts or by tailgating (following authorized employees) - the objectives to be achieved in the building are to be defined project-specifically, e.g. advancing to a particular room, removing specific documents, accessing the computer network, placing a "network bug"
  • Marking accessed rooms as proof (optional: documentation of the procedure with hidden cameras)

The attack-based assessment may be complemented by a dedicated maturity analysis which is based on questionnaires and site visits.

The following subsections are thereby assessed:
  • Entry protection
  • Access protection
  • Monitoring and control
  • Alerting
  • Other organizational measures
The assessment may be enhanced by a technical analysis of the building management and access control system. It includes the following aspects:
  • Examination of the system architecture of the central building management with regard to its integration into the computer network and evaluation of the risks derived
  • Penetration test of the building management system from a local network perspective
  • Investigation regarding possibilities for manipulation (known vulnerabilities) for all deployed access control systems (possibly attack attempts on the system)

All of the described assessment types can be combined with each other.