Who is responsible for the breach?

I am going to take you on a journey through one of the physical security testing engagements I conducted at a previous employer. Over the years, I have told the story repeatedly and to this day, opinion on who is “responsible” is often divided and I will share those thoughts at the end, but I want you to keep in mind that question…

“Who is responsible for the breach?”

My story begins on a warm sunny June day, a client (a well-known global bank) requested a physical security test to ensure that their main headquarters were “impenetrable”. Not my first choice of words but those of the client, so much so that they emphasized that they only employed ex-military personnel and it would take an army to get past them.

We met the client at our office and walked them through a presentation of what we offer and some of the exercises we have conducted in the past with other clients. After the Q&A session, they quickly jumped in without hesitation on the area they wanted me to focus on. They felt that as their front of house team was the weak link within their business, it had very recently changed (it was previously outsourced but had now been brought in-house) and this new team needed to be tested. The scope of the exercise was simple, get past the reception/security team and gain access to a secure room within the building.

Contracts are signed and we have been activated!

I begin doing my reconnaissance on the business, the aim is to gather as much information as I can on the organization from their website and online. I utilized platforms like LinkedIn and Facebook (because people love giving away information) and by this point I had already found my target but I knew that I had to proceed with a degree of uncertainty / unknown, meaning that I need to have at least 3 or 4 additional targets. I was able to quickly identify who oversaw IT Operations.

Having previously set up dummy domains and email addresses, I spend the next few days emailing different people within the IT department, trying to map out the hierarchy of who manages, runs or works with information and services and particularly who was responsible for the networks. ultimately, I was looking for an “out of office” reply or a reply from someone who has their annual leave dates in their signature. The advantage of conducting this type of reconnaissance is that you find out not only the hierarchy within the organization and department (remember not everyone updates LinkedIn daily, therefore changes are inevitable) but also who will be in the office and who will not, therefore reducing the likelihood of your test being unsuccessful. The last thing any tester wants is the person who can catch them out being in the office or knowing they are in the office. Another reason this type of reconnaissance is valuable is for when you go in person, you can ask for specific personnel giving the impression that there is an existing relationship, and this builds trust. Ultimately that is all I am trying to do… gain their trust.

This part of the project took a little longer than I anticipated but I learnt some vital information – the IT department had not replaced the network manager since their departure 6 weeks earlier.

The easy part was over!

I had to now go on to physical reconnaissance, which is where things can unravel quite quickly, as I had to go near the client’s headquarters (multiple times) and ensure that I do this without drawing the attention of security. I felt like I was the junior version of James Bond with no high-tech gadgets.

I know from experience that there are two particular times of the day where you can have greater success than other times (lunchtime and home-time, after all no-one wants to hang around a minute longer than they must!) but with this client I knew that there had to be other windows for me to exploit.

The first day, I go in the morning when everyone is coming into the office and I casually watch the interactions and see that there is a high volume of security personnel at the front desk and in the lobby area. I wait until the morning rush is over to see if there is another opportunity (mid-morning coffee break / guard rotation) but no such luck. I quickly abandon reconnaissance activities, but I needed to be sure that this wasn’t a Monday morning thing, so I go back the next morning at the same time and again observe how the team operates. Again, far too many security personnel in the lobby, I knew that first thing in the morning was not an option.

On the fourth day, (I missed day three to avoid being seen repeatedly outside the building), I chose to go at lunchtime and made sure that I went and grabbed some food (why you ask? The client has a central courtyard, which looks directly into the building no matter where you sit), and therefore the sandwich helped me maintain my cover of being a someone just having lunch and enjoying the warm weather. I let my eyes wonder all over, paying attention to things like cameras, reception staff, security staff (inside and outside) and the way visitors are allowed into the building. Is there a midday shift change? Do more personnel come out to help? How busy is the lobby etc. I learned a lot from simply observing, but again, I needed to be sure that what I saw was an everyday pattern… I went back the next day at the same time, but this time I asked my partner to meet me there (she wasn’t aware of what I was up to otherwise I am sure it would not have ended well for me!). This time I observed the same behaviors as the day before – at 12pm, three of the security guards in the lobby disappear (for lunch I assume) and then two guards are left on duty to cover the entire lobby; similarly on the reception desk, one of the two receptionists leaves the desk, leaving the other to look after things for a whole hour with the support of the guard when it gets really busy. The main observation was that no matter how busy it got, no-one else would jump in to help on the desk.

I FOUND MY WAY IN!

But being super paranoid, I knew I had to prove this again the following week, so Monday of week two, I show up again. I notice the same behavior all over again; three guards disappear along with one receptionist. I am reeling with joy at this point thinking, “No way – it can’t be that poorly protected at lunchtime!” But it was!

The next step was preparing my entry into the building and gaining access to any secure area possible, but for this client I knew that their most secure room was their core communications room (as an existing client, we had insight into their environment) and having worked as a network engineer in a previous life, I knew it would be easier for me to impersonate someone who could stand up to scrutiny should I get stopped or questioned (no point in saying I am there to fix the air conditioning when I don’t know a single thing about it).

Back at the office, I prepared an empty network switch box and placed an old faulty laptop inside it with all the foam padding to protect it (got to make it look real) and found an invoice image off Google which I doctored to reflect what I was “going in to do”. Finally, I had to find an ID card with the vendors logo on it and then replace the image with my own and print it on to a plastic card. One of the advantages of working in the cyber space is attending conferences and events, where there are lots of goodies to collect – from the free USB sticks (never ever pick one up) to t-shirts and then suppliers sending follow up swag. There were always a lot of t-shirts included. Over the years, I have built-up quite a collection of t-shirts from different vendors and a lot of them are professional looking polo shirts with the company logo… what more could I ask for, and why is this so important you may ask…

Now to prepare the next stage… Execution.

I prepare to execute the plan and after having picked up all my bits, I start to make my way over to the client’s offices. I am in the zone, I am committed, I am prepared and just my luck, the fire drill triggers minutes before I was going to walk into the lobby. The whole building takes about 20 minutes to evacuate and once the all clear was given, the front barriers were left open for people to return to their desks and no-one was being stopped or having their ID cards scanned… could I really believe my luck, I am imaging this… but this was what I was seeing right in front of me!

I was considering this to be a high-risk entry and I was almost ready to walk away but I bite the bullet and proceed to follow the mass of personnel on their way back into the building. I had my network switch box in one hand, invoice attached to the box, laptop bag on my shoulder and finally my ID card right next to the vendor polo shirt with their logo proudly on display! As I enter the front doors, nerves start getting to me but I take a deep breath and approach the extremely busy reception staff and start by saying hello and I proceed to introduce myself as a network engineer from vendor X to replace a switch in their core communications room and if they could call their network manager. As she starts to call for the network manager, I make small talk (asking how their day is going, how they are), I want to build a rapport with the individual and psychologically put myself in a place of trust in their mind. Someone answers the call and passes on the same information I already knew. She hangs up the phone and turns to me and says, “I am sorry, but the network manager is no longer with the business, is there someone else I can call?” I replied that I was not provided with alternative information but let me call my office and find out if there was a second named person. I step away from the desk to “make a call” and after 2 minutes, I “pretend” to hang up and say that this was the only information provided and that this job had been scheduled months ago. I could tell she was unsure of what to do so I took advantage of the situation and said if she was happy to sign the slip stating she couldn’t let me in then I would leave and be able to get home early today but I emphasized that I was on a 4-hour clock and that 2 hours had already passed in getting to the office. I used the age-old tactic of pushing responsibility for not letting me pass onto the receptionist (no-one wants to be a blocker, so a little gentle pressure works a treat).

Now I would expect you as the reader to pick up on a potential error I made in that last statement to the receptionist, I initially told the receptionist that the job was scheduled in months ago and now I am saying that I am on a 4-hour clock… kind of a contradiction but this goes to show that when someone is overloaded with information, they can only process a certain amount of it. I had created a dialogue to cover myself should someone pick up on this, and the line would be, “Yes the job was scheduled in months ago, and each job has an SLA and I am 2 hours into the 4-hour clock”.