Evidence & Reporting

08:41 - arrived on exterior perimeter, camera coverage observed on main lobby and garage gate
08:47 - identified side entrance used by smokers, no guard visibility from reception
09:04 - entered via visitor pretext, front desk issued temporary pass without verifying host using trusted number
09:07 - reached elevator bank unescorted
09:12 - arrived on third floor, no challenge from staff despite visible visitor badge
09:16 - photographed open network drop in conference room and returned to public corridor
09:21 - exited without interception

finding logic:
- initial failure: visitor verification
- secondary failure: lack of escort enforcement
- tertiary failure: challenge culture absent on secure floor
- business impact: unauthorized person reached internal workspace and network access point in under 10 minutes

Title: Visitors could access staff floors without trusted host verification or escort enforcement

Summary:
During a daytime engagement, a tester received a temporary visitor badge after providing a believable contractor pretext. Reception did not verify the host via a trusted contact path, and no escort was provided. The tester reached an internal workspace and observed live network connectivity options within 10 minutes.

Why this matters:
This converts a weak reception workflow into unauthorized physical and internal access. If combined with a rogue device or unattended workstation, the issue becomes a direct bridge into technical compromise.

Evidence:
- Timeline of route and interaction points
- Photo of visitor badge and arrival on staff floor
- Photo of exposed network drop in conference area

Recommendations:
1. Require trusted host verification before issuing access
2. Enforce escort rules for all visitor badges beyond reception
3. Add challenge training for staff floors and camera coverage on elevator exits
4. Review whether conference-room network drops should remain active without local controls