Outsourced Multifamily IT Management Support and Consulting

Travis Street, M.S.  Specializing in Multifamily IT Management, Cybersecurity and Consulting

How Did I Hack 25 Properties In 4 Days? Through Social Engineering.

CTS specializes in Multifamily IT management, cybersecurity, and consulting. We provide free portfolio IT assessments at the request of property management companies interested in learning about our services. The purpose of these surveys is to provide an accurate quote for our managed IT department (MID) services and provide owners/stakeholders a complete picture of the operating condition of their existing IT infrastructure/assets at all their properties.

Recently, we engaged with a property management company that was interested in an assessment of their entire portfolio (25 properties - two states).  In addition to getting an accurate count of all their IT assets, they were really concerned about the security of their properties.  Normally, when we conduct an assessment, our visits are announced, and we collect detailed information from the manager or assistant manager prior to our visit. However, in this case, the VP of operations wanted me to test the cyber security awareness of the staff of each property and requested I visit the sites completely unannounced. Therefore, the scope of my survey was limited to the information the leasing agent, manager, or assistant manager was willing to provide me through social engineering.

Challenge accepted!!!

My Social Engineering Attack

For those of you unaware of the term "social engineering", it is defined as the psychological manipulation of people into performing actions or divulging confidential information. My intent during my visits was to see how much information I could obtain from each property with a smile and a little name dropping. I mapped my routes and planned my visits to each property each day and started driving. Armed with only the name of the Vice President of the management company (which anyone could obtain by visiting their company website), I arrived at each property in dress pants and a polo with no identifiable company logo. When I entered each leasing office, I was typically greeted by a leasing agent or an assistant manager, and sometimes greeted by the manager. During each visit, I stated that I was collecting technology information at the request of the VP (insert name drop) of the management company and that I needed their assistance and cooperation. I politely asked them to help me fill out a paper questionnaire that I had prepared which asked basic questions about their technology. I then politely asked them to log me into their workstations, so I could physically examine their computers and collect additional information about their network.

The Results?

I was provided access to ALL machines at ALL 25 properties by a leasing agent, an assistant manager, or a manager. I only received minor pushback from four properties that requested a business card from me. At no time did anyone call to verify my identity. They just assumed I was who I said I was and provided me ALL the information I requested and gave me FULL access to computers and networking equipment so I could examine their technology environment.

Lessons Learned? Social Engineering is VERY effective!

My social engineering attack was a complete success, and this experience illustrates the importance of cyber-security awareness training for a property management company. Any bad actor could have easily accomplished what I did. They could have visited a property site claiming to know the Vice President and then proceeded to install malicious crypto locker software on their computers - and then hold the properties for ransom! When I reported the results of my attack to the VP of the management company, they were understandably shocked and couldn't believe how easy it was for me to social engineer every one of their properties and access all their systems. They immediately required all their leasing and executive staff to take a security awareness training course, which CTS also provides at no cost with our managed IT department services.

How confident are you in YOUR leasing staff's cyber security awareness?

I had permission to perform this attack on this particular property management company and it turned out to be a great learning experience for them, but what would happen if I randomly walked onto one of your properties tomorrow, asking for the same kind of information and requesting access to your computers? Would your staff call and verify my identity? Would they comply and give me total access to their systems and your network? If you can't confidently answer these questions, then you really need to consider implementing a cyber security awareness training program for all your staff. Your leasing and executive teams are your first line of defense in the war against cyber attackers and they are the "human firewall" of your property management company. If you haven't already done so, I HIGHLY recommend you make an investment in cyber-security for your company and properties or give us a call. We include cyber security at no extra charge with our all-inclusive outsourced managed IT department service for multifamily.