Author: Sam Haria

Date: 20th July 2020

 

I am going to take you on a journey through one of the physical security testing engagements I conducted at a previous employer. Over the years, I have told the story repeatedly and to this day, opinion on who is “responsible” is often divided and I will share those thoughts at the end, but I want you to keep in mind that question…

“Who is responsible for the breach?”

My story begins on a warm sunny June day, a client (a well-known global bank) requested a physical security test to ensure that their main headquarters were “impenetrable”. Not my first choice of words but those of the client, so much so that they emphasized that they only employed ex-military personnel and it would take an army to get past them.

We met the client at our office and walked them through a presentation of what we offer and some of the exercises we have conducted in the past with other clients. After the Q&A session, they quickly jumped in without hesitation on the area they wanted me to focus on. They felt that as their front of house team was the weak link within their business, it had very recently changed (it was previously outsourced but had now been brought in-house) and this new team needed to be tested. The scope of the exercise was simple, get past the reception/security team and gain access to a secure room within the building.

Contracts are signed and we have been activated!

I begin doing my reconnaissance on the business, the aim is to gather as much information as I can on the organization from their website and online. I utilized platforms like LinkedIn and Facebook (because people love giving away information) and by this point I had already found my target but I knew that I had to proceed with a degree of uncertainty / unknown, meaning that I need to have at least 3 or 4 additional targets. I was able to quickly identify who oversaw IT Operations.

Having previously set up dummy domains and email addresses, I spend the next few days emailing different people within the IT department, trying to map out the hierarchy of who manages, runs or works with information and services and particularly who was responsible for the networks. ultimately, I was looking for an “out of office” reply or a reply from someone who has their annual leave dates in their signature. The advantage of conducting this type of reconnaissance is that you find out not only the hierarchy within the organization and department (remember not everyone updates LinkedIn daily, therefore changes are inevitable) but also who will be in the office and who will not, therefore reducing the likelihood of your test being unsuccessful. The last thing any tester wants is the person who can catch them out being in the office or knowing they are in the office. Another reason this type of reconnaissance is valuable is for when you go in person, you can ask for specific personnel giving the impression that there is an existing relationship, and this builds trust. Ultimately that is all I am trying to do… gain their trust.

This part of the project took a little longer than I anticipated but I learnt some vital information – the IT department had not replaced the network manager since their departure 6 weeks earlier.

The easy part was over!

I had to now go on to physical reconnaissance, which is where things can unravel quite quickly, as I had to go near the client’s headquarters (multiple times) and ensure that I do this without drawing the attention of security. I felt like I was the junior version of James Bond with no high-tech gadgets.

I know from experience that there are two particular times of the day where you can have greater success than other times (lunchtime and home-time, after all no-one wants to hang around a minute longer than they must!) but with this client I knew that there had to be other windows for me to exploit.

The first day, I go in the morning when everyone is coming into the office and I casually watch the interactions and see that there is a high volume of security personnel at the front desk and in the lobby area. I wait until the morning rush is over to see if there is another opportunity (mid-morning coffee break / guard rotation) but no such luck. I quickly abandon reconnaissance activities, but I needed to be sure that this wasn’t a Monday morning thing, so I go back the next morning at the same time and again observe how the team operates. Again, far too many security personnel in the lobby, I knew that first thing in the morning was not an option.

On the fourth day, (I missed day three to avoid being seen repeatedly outside the building), I chose to go at lunchtime and made sure that I went and grabbed some food (why you ask? The client has a central courtyard, which looks directly into the building no matter where you sit), and therefore the sandwich helped me maintain my cover of being a someone just having lunch and enjoying the warm weather. I let my eyes wonder all over, paying attention to things like cameras, reception staff, security staff (inside and outside) and the way visitors are allowed into the building. Is there a midday shift change? Do more personnel come out to help? How busy is the lobby etc. I learned a lot from simply observing, but again, I needed to be sure that what I saw was an everyday pattern… I went back the next day at the same time, but this time I asked my partner to meet me there (she wasn’t aware of what I was up to otherwise I am sure it would not have ended well for me!). This time I observed the same behaviors as the day before – at 12pm, three of the security guards in the lobby disappear (for lunch I assume) and then two guards are left on duty to cover the entire lobby; similarly on the reception desk, one of the two receptionists leaves the desk, leaving the other to look after things for a whole hour with the support of the guard when it gets really busy. The main observation was that no matter how busy it got, no-one else would jump in to help on the desk.

I FOUND MY WAY IN!

But being super paranoid, I knew I had to prove this again the following week, so Monday of week two, I show up again. I notice the same behavior all over again; three guards disappear along with one receptionist. I am reeling with joy at this point thinking, “No way – it can’t be that poorly protected at lunchtime!” But it was!

The next step was preparing my entry into the building and gaining access to any secure area possible, but for this client I knew that their most secure room was their core communications room (as an existing client, we had insight into their environment) and having worked as a network engineer in a previous life, I knew it would be easier for me to impersonate someone who could stand up to scrutiny should I get stopped or questioned (no point in saying I am there to fix the air conditioning when I don’t know a single thing about it).

Back at the office, I prepared an empty network switch box and placed an old faulty laptop inside it with all the foam padding to protect it (got to make it look real) and found an invoice image off Google which I doctored to reflect what I was “going in to do”. Finally, I had to find an ID card with the vendors logo on it and then replace the image with my own and print it on to a plastic card. One of the advantages of working in the cyber space is attending conferences and events, where there are lots of goodies to collect – from the free USB sticks (never ever pick one up) to t-shirts and then suppliers sending follow up swag. There were always a lot of t-shirts included. Over the years, I have built-up quite a collection of t-shirts from different vendors and a lot of them are professional looking polo shirts with the company logo… what more could I ask for, and why is this so important you may ask…

Now to prepare the next stage… Execution.

I prepare to execute the plan and after having picked up all my bits, I start to make my way over to the client’s offices. I am in the zone, I am committed, I am prepared and just my luck, the fire drill triggers minutes before I was going to walk into the lobby. The whole building takes about 20 minutes to evacuate and once the all clear was given, the front barriers were left open for people to return to their desks and no-one was being stopped or having their ID cards scanned… could I really believe my luck, I am imaging this… but this was what I was seeing right in front of me!

I was considering this to be a high-risk entry and I was almost ready to walk away but I bite the bullet and proceed to follow the mass of personnel on their way back into the building. I had my network switch box in one hand, invoice attached to the box, laptop bag on my shoulder and finally my ID card right next to the vendor polo shirt with their logo proudly on display! As I enter the front doors, nerves start getting to me but I take a deep breath and approach the extremely busy reception staff and start by saying hello and I proceed to introduce myself as a network engineer from vendor X to replace a switch in their core communications room and if they could call their network manager. As she starts to call for the network manager, I make small talk (asking how their day is going, how they are), I want to build a rapport with the individual and psychologically put myself in a place of trust in their mind. Someone answers the call and passes on the same information I already knew. She hangs up the phone and turns to me and says, “I am sorry, but the network manager is no longer with the business, is there someone else I can call?” I replied that I was not provided with alternative information but let me call my office and find out if there was a second named person. I step away from the desk to “make a call” and after 2 minutes, I “pretend” to hang up and say that this was the only information provided and that this job had been scheduled months ago. I could tell she was unsure of what to do so I took advantage of the situation and said if she was happy to sign the slip stating she couldn’t let me in then I would leave and be able to get home early today but I emphasized that I was on a 4-hour clock and that 2 hours had already passed in getting to the office. I used the age-old tactic of pushing responsibility for not letting me pass onto the receptionist (no-one wants to be a blocker, so a little gentle pressure works a treat).

Now I would expect you as the reader to pick up on a potential error I made in that last statement to the receptionist, I initially told the receptionist that the job was scheduled in months ago and now I am saying that I am on a 4-hour clock… kind of a contradiction but this goes to show that when someone is overloaded with information, they can only process a certain amount of it. I had created a dialogue to cover myself should someone pick up on this, and the line would be, “Yes the job was scheduled in months ago, and each job has an SLA and I am 2 hours into the 4-hour clock”.

The receptionist asks me to take a seat while she assists her colleague to clear the tailback of people wanting needing assistance after the fire drill. I have no idea why but paranoia kicks in… have I been caught?! Did I not look the part? Was I not credible enough? Was she asking me to take a seat while she calls security or worse the cops! I know I need to start planning a potential exit strategy without raising suspicion (was I going to fake a call, was I simply going to run like a madman for the front door… ) however mid-way through this thought, the receptionist calls for me to come over to the desk, she asks me again what I needed to do and who I was there to see, I again explained the reason for me being there but with more technical references and terminology (to partly confuse her and secondly give the impression that I was there for a very important reason) but this time, I use body language to apply gentle pressure (actions speak louder than words), I start checking my watch and acting impatient but not rude. I ask her just to sign the slip so I can go home and let my boss know that you would not let me in.

She thinks for a second before turning to her colleague and says that she would walk me around to the communications room. I was thinking to myself that it cannot be that easy and no way has the receptionist got access to the communications room… it’s one of the most important rooms in any building. I am asked to sign-in, and I use completely different details to that on my ID card and not once was this picked up (I used the name Thomas Anderson… those who know me will understand). I pick up my box, laptop case and proceed to follow the receptionist (none of my kit is checked or scanned). We walk down a couple of long corridors which are monitored by CCTV but with hardly any personnel walking around, then we arrive at a big set of doors which have a dedicated CCTV camera pointing at them, a pin code entry system that also required an access card to be swiped before entering another corridor which led to a door at the end. We walk up to the door (ironically, there is a large sign that says “No Entry for Unauthorized Personnel” then there was another sign which stated that anyone entering the room had to be accompanied by another colleague- they referred to it as the “Buddy System”).

I got a little nervous that if the receptionist reads the signs properly, I may be refused entry and then it really is back to the drawing board, if not a partial failure of the test (after all I had made it this far). I use a couple of simple distraction tactics like asking how long they had worked for the client, what it was like to work there and to my amazement, she goes ahead and proceeds to open the door and gesture for me to enter the room. I only had to gain entry to the room (therefore I took 2 steps inside the room) and I waited to see what the receptionist would do, would she wait with me, would she call another colleague to monitor me or do the last thing I expected, her cordless handset rang and it was her colleague on the front desk, asking for support as it was getting busy in the lobby and she needed help. She turns to me and asks if I will be ok on my own as she had to go to the front desk, and she will be back shortly once things calm down. I said, “That is not a problem.” and she turn’s and begins to walk away with the door to the communications room closing. I quickly stop the door from closing (but I am still inside the room) and shout to her to come back. She looks back at me with a confused look and I ask her to call the Head of IT and let him know that I am standing inside his communications room. She is unsure what to say and do, so I asked her again to call the Head of IT and have him meet us down here. She grabs her handset and looks up the individual and calls, I couldn’t hear the conversation, but I could hear how loud it was and the angry tone relayed to the receptionist.

She is nervous and asks me what has just happened, I proceed to inform her that I am here to conduct a security test, at which point she broke down and tears were visible in her eyes, she was fearing the worst for herself and said it at least three times that she was going to lose her job. I could not disclose much to her, but I was able to reassure her that she would not be losing her job.

I was in an extremely fortunate position where I made a proposal to my boss (albeit a dangerous one) but none the less an idea, that helped sell the service and raise the eye-brows of the person signing the contract (if they read it correctly). I requested for a section to be added into all contracts, which stipulated that unless an employee conducted themselves in a way that would be determined as gross misconduct then they could not be terminated for a minimum period of 12 months without due cause otherwise I would be allowed to disclose the findings publicly.

A few moments later, the Head of IT comes down and sees me still standing in the doorway of the communications room. He looks at me in what I can only refer to as disbelief, especially after our initial meeting and being told that he had a building that was impenetrable! I leave the room and we walk back towards to the lobby (not a single word uttered) and then I inform him that I will be heading back to my office to write up the report and the test had officially ended.

I made it. I got into a secure area!

I get back to the office and arrange a sit down catch-up with my boss to discuss the day and the whole engagement, he was shocked but not surprised when he discovered that the newly hired reception team had access to all areas of the building.

I write up my report and issue to the client, followed up by a call two days later where we discussed the engagement, the report, the findings and most importantly the recommendations. But I first asked the question of the Head of IT, Head of Facilities and Building Management and the Head of HR, who they felt was responsible for the breach. I was amazed that they all pointed their finger towards the receptionist for not following procedures. I asked to look at a copy of the procedures they were referring to and the biggest shock for me was that the last time the document was reviewed was over four years ago and when reading through the document, I noted that the receptionist followed the instructions except for reading the instructions on the door of the communications room. There was nothing in the document about checking the equipment I was bringing on-site into a secure space was approved for use. I also pointed out that the business operates on the least privileged access model to ensure that information is available only to those that need it and not to all staff, however they did not take the same approach with physical access. As we discovered, the reception team could freely access any part of the building.

I asked who was responsible for updating and reviewing the document and all fingers pointed to the one person who was unaccounted for… the network manager.

I am not sure what the reason was for no-one in that room, putting their hand up and saying it was me who dropped the ball, but I am going to immediately address this failing and ensure it is not repeated.

I reiterated the clause within the contract that would not allow for the receptionist to be removed from her role, it simply stated “if an individual followed the policies and procedures of the business and they were the reason for the physical test being successful (tester achieved their goal) then responsibility for the failing falls onto the Senior Management team as they are responsible for writing policy and procedure and ensuring regular reviews take place.”

As I began the story, I said that I have told this story repeatedly to many different audiences and everyone does have a different opinion on “Who is responsible for the breach?” It is interesting that some of the senior leaders I have spoken with push it on to the receptionist while middle-management leaders seem to be undecided and overall its half pointing the finger up the ladder with others pointing down the ladder. Most importantly, anyone not in a management role almost universally points their fingers up the ladder all the way to the top.
We all rely on good security and share responsibility for ensuring security. We must grow and cultivate a culture of personal responsibility for security, this has to be based on clear rules and guidelines, whilst ensuring adequate controls are in place. Staff are trained and supported, and access authorisations are regularly reviewed as part of continual security improvements. Senior Management are unlikely to care about a receptionist (reality I’m afraid) and a scapegoat is all they will be looking for initially – only when the “weak link” has been removed will they change process and procedures.

Who do you think is responsible for the breach?

 

Other resources

Cyberfort Colocation Services

Cyberfort has invested heavily in secure infrastructure, making us the perfect colocation service provider to host your mission-critical, sensitive and regulated data.
Find out more >

What can Cyberfort do for you?

Check out our factsheets for detailed information on the matrix of cybersecurity products and services we offer to protect your business.
Find out more >

Cyberfort Deep Dives

Cyberfort’s cybersecurity consultants explore issues in cyber threat intelligence, incident planning and data security. Read our whitepapers to help make decisions that benefit your business.
Find out more >

Receive knowledge to your inbox