Skip to main content

The S-Unit

What Social Engineering Reveals About Your Physical Security and How to Strengthen It

De kracht van social engineering

In ‘What The Hack’, Remco, an ethical hacker at The S-Unit, demonstrates how he gained access, including to the server room, during a partially anonymous social engineering test. How was this possible, and what can you do as a security officer to strengthen your physical security?

The Preparation

Together with my colleagues, I tested the physical security and security awareness of an organization with approximately 10,000 employees. The objective: to gain as much physical access as possible, without performing any remote hacking.

Every social engineering engagement starts with observing the environment. Among other things, we mapped out:

  • doors and fencing
  • smoking areas and walking routes
  • access procedures
  • employees’ dress style
  • the appearance and logic of the environment

The Psychology Behind Social Engineering

Does this strategy sound familiar? Our approach relied on the zeven beïnvloedingsprincipes by Robert Cialdini — techniques that also make phishing and marketing so effective. In this case, authority and likeability were the keys to success.

De zeven principes:
reciprocity, commitment & consistency, social proof, authority, likeability, scarcity, and unity.

The cover-up scenario

We crafted a credible cover story: external Wi-Fi specialists hired to improve the wireless network. Since almost everyone complains about the Wi-Fi at some point, it served as the perfect smokescreen.

Sympathie as an access pass

The on-site test could begin. During our preparation, we noticed on Google Maps that it seemed possible to enter the premises by climbing over the fence, but in reality, that wasn’t an option. So we used the intercom at the gate to request access. The operator was clear and firm: no access pass, no entry. Shortly after, an employee offered to help. After we gave a brief explanation, Bas, my colleague, was allowed to drive in behind him, and I quietly followed. The employee then helped Bas through a secured door and let him continue without asking any further questions.

In another building, an open warehouse turned out to be the weak link. An unsecured door inside the warehouse gave me direct access to the building.

Collecting Findings

Once inside the building, I had free access to workstations, meeting rooms, and the cafeteria. I spotted a network port and connected my laptop to it. The port was not secured (check), which meant I immediately received an IP address from the corporate network. Shortly afterward, I noticed an employee in the cafeteria who had left his laptop, phone, and documents unattended. I struck up a casual conversation with him at the coffee machine. No one questioned who I was or what I was doing there. I documented everything with photos and videos and continued my round. What else could I find?

Access to the Clothing Room

Bas let me into another building. Our story proved convincing, employees even shared their network complaints with us. Bas then found a key safe with a note attached, including a phone number. I tried the first four digits. And… click. The safe opened. With the key, I gained access to the clothing room. We put on the company clothing and took photos and videos as evidence.

The serverroom

With a simple inquiry, an employee pointed out the server room and scanned his access badge for us — after we had first gained his trust. The first scan attempt failed. After some persistence, he scanned his badge again. This time, the door opened. He placed a chair between the door to keep it open, left us alone, and effectively gave us unrestricted access to the digital heart of the building. The server racks were not locked (despite this being a strict requirement under ISO 27001). As a result, we had access to everything. Meanwhile, we documented it all. Mission complete.

Mission complete. And now?

For five hours, we moved around without being challenged. Through careful observation, a credible cover story, and significant human errors, we gained access to buildings, workspaces, sensitive information, and even the server room, without triggering a single alarm.

How can you prevent these types of physical attacks?

  • Strengthen physical access control by implementing anti-tailgating measures and strictly enforcing access protocols.
  • Apply defense-in-depth through layered security for server rooms, archives, and devices, ensuring that unauthorized access is also restricted internally.
  • Secure network access technically to prevent misuse after physical access has been obtained.
  • Establish clear policies for unauthorized visitors and reinforce them with verification procedures and targeted awareness training on associated risks.
  • Make access procedures concrete and practical so employees clearly understand when and how they may, or may not grant access to unfamiliar individuals.

Curious which risks social engineering exposes within your organization? Discover the posibilities.