"So I hung out in the smoker area on a Wednesday... I don't know if it's Holland in general or just the company, but they give them that day off to be home with their families," says Milam. "So I befriended a lady and told her, 'Yeah, my boss had to go home on an emergency flight. I don't know who he was working with, but this guy isn't here today either.'"
The woman replied that it was no problem and proceeded to vouch for Milam to security, who did not even look him up before issuing him a visitor badge and passing him through the mantrap.
It hasn't always been quite so easy for Milam and his team, however. He recalls another time in Spain when he was pen testing the same oil refinery company and, after some preliminary recon, ran into some trouble. Ultimately, however, the culture's gender dynamics ended up working in his favor -- and thus to the detriment of the company's security.
After doing recon on what the company's badges looked like and creating legitimate-looking facsimiles, Milam acquired a credit card-sized board built by Hardkernel, loaded with Kali Linux, and configured it to call back to a command and control server over an encrypted channel. The only problem was that he needed an open conference room where he could plug it in.
"So we pegged the chief legal officer, found his signature, wrote up our own letter about, 'Help these guys any way you can. This is a snap audit, nobody was told,' and put his signature on there," says Milam. "Everything looked legit."
Armed with the letter, Milam proceeded to ask the woman at the front desk of the building for access to a conference room.
"The thing is, middle aged women feel more empowered to pull you aside and ask you what you're doing there," he says. "She did a good job grilling me for about 10 minutes, I got it all on video. I handed her the letter and you could tell on her face that she wasn't buying it really."
But as Milam continued to press, the woman eventually agreed to take the issue to the head of the plant, at which point the company's security began to unravel.
"She hands him the letter and he very quickly shut her down," says Milam. "He said, 'I don't care what you're saying, this person needs access.'" So Milam was promptly given access to a conference room, where he plugged in the board and opened a reverse shell back to the command and control server.
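One defensive check this story points to, as an added example that is not from the article or the company involved: comparing DHCP leases handed out on the conference-room VLAN against an asset inventory, so that an unapproved device plugged into an open port raises an alert. The log format, inventory, MAC addresses and VLAN interface names below are constructed for illustration.

```python
# Added example: flag devices on a conference-room VLAN that are not in the
# asset inventory, using DHCP server log lines as the evidence source.
import re
from typing import Dict, List

# Constructed inventory: approved MAC -> description.
ASSET_INVENTORY: Dict[str, str] = {
    "aa:bb:cc:00:00:01": "conf-room-3 VoIP phone",
    "aa:bb:cc:00:00:02": "conf-room-3 display",
}

# Constructed: interface eth0.203 carries the conference-room VLAN.
CONF_ROOM_IFACES = {"eth0.203"}

# Constructed ISC-dhcpd-style syslog lines; the last line is on a different VLAN.
SAMPLE_LOG = """\
Mar  4 10:02:11 dhcp dhcpd: DHCPACK on 10.20.3.21 to aa:bb:cc:00:00:01 via eth0.203
Mar  4 10:02:40 dhcp dhcpd: DHCPACK on 10.20.3.22 to aa:bb:cc:00:00:02 via eth0.203
Mar  4 10:17:05 dhcp dhcpd: DHCPACK on 10.20.3.57 to de:ad:be:ef:00:01 (sbc) via eth0.203
Mar  4 10:17:06 dhcp dhcpd: DHCPACK on 10.20.9.14 to aa:bb:cc:00:00:09 via eth0.209
"""

# Matches the ACK line; the parenthesised hostname is optional.
LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\S+) to (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)


def find_unknown_devices(log_text: str,
                         inventory: Dict[str, str] = ASSET_INVENTORY,
                         watched: set = CONF_ROOM_IFACES) -> List[dict]:
    """Return one alert per lease on a watched interface whose MAC is not approved."""
    alerts = []
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if not m or m["iface"] not in watched:
            continue  # not a lease, or not on a VLAN we care about
        mac = m["mac"].lower()
        if mac not in inventory:
            alerts.append({"ip": m["ip"], "mac": mac,
                           "host": m["host"] or "", "iface": m["iface"]})
    return alerts


if __name__ == "__main__":
    for alert in find_unknown_devices(SAMPLE_LOG):
        print(f"unknown device {alert['mac']} got {alert['ip']} on {alert['iface']}")
```

Port-based authentication (802.1X) or switch port security would refuse the device before it ever obtained a lease; this check is the fallback for ports where that is not enforced.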
After the fact, Milam suspected that cultural aspects had played into the situation at hand.