The legend of Tom, Dick or Harriet: a tale of physical security and social engineering

The following is based on real events; names and other details have been changed to maintain confidentiality and protect the innocent.

When anyone mentions cyber security and information security , many of us immediately think of the internet and criminals hacking our networks. We're right to think like this, but we're forgetting something equally as important: physical security, which is just as likely to come under attack. This is where our tricky trio above come in. They're all experienced consultants and regularly test the physical security of clients, while others investigate logical security.

By the time you meet them, they've already done a lot of work: online reconnaissance using the client's website, LinkedIn (and other social media), public company information and a general internet trawl to garner details of directors, staff, offices - including managed buildings, departmental structure, leadership team, current and past projects, clients, supply chain, investors, annual reports, general news and potentially much more. A thorough trawl indeed.

Next step: they'll visit your offices and, without stepping foot inside, check out barriers, receptionists, use of proximity cards, ID badges, specific lanyard colours and designs, public areas, shared office space, all the entrances to the building and who they're used by, contractor access, car parks, where staff go for coffee and lunch, busy and quiet times, windows which give internal views, even down to how you call the lifts and how many staff head to each floor. A long list of things that is certainly not exhaustive. They'll easily be able to identify areas of poor security and the rate at which controls are bypassed, such as tailgating or opening doors for others and not checking identification.

Meet the consultants Let's introduce you to Tom. Tom is a very nice guy, young, keen, always smiling. Tom's target? A small, merchant bank in the city. When he arrives, he's got company ID that looks legitimate, knows where he's going, and looks confident. With his phone to his ear and clutching two laptop bags, he arrives with a group of others and silently indicates his hands are full and if you don't mind opening the door for him ? Tom stands by the lifts still talking on the phone, watching as someone waves their proximity card in front of the screen to call the lift and presses the button for the fifth floor - Tom's destination. He jumps into the lift, still on the phone, and mouths thanks'. Tom knows the fifth floor is where the finance department is (from the reconnaissance phase, remember?), he exits the lift and walks in the opposite direction to the other person. Rounding a corner, he spots a half-empty hot-desking area. Ending his fictitious phone call, he quickly gets a laptop out of one of his bags and sets up. Someone wanders up behind him and says hello. Tom isn't fazed. He turns around, says hi and introduces himself, explaining that he's working on the company's latest marketing campaign and is usually based in the Edinburgh office. They chat some more. His audience is instantly at ease, they're in finance so know nothing about marketing but it's obvious that Tom is genuine, he knows all about the way the bank operates. Tom asks where the finance director's office is as he needs to speak to him later. The office is pointed out to him, and the employee is thanked for their help. After a few minutes, Tom leaves his laptop and goes to the bathroom where he hides until lunch. When he re-emerges, the office is quiet, he picks up his laptop - it was never switched on and contains no data anyway - and walks to the office of the FD. Nobody is around, but the FD's laptop is on the desk. Quickly but confidently Tom picks up the laptop, disconnects the cables, and puts it in his second bag. Ostensibly making arrangements for lunch on his phone he leaves, using the same techniques to get out as he did to get in.

Consultant number two Dick's target is a utility company site. He arrives wearing a hard hat and high vis jacket over a suit, he looks the part and most certainly like he's supposed to be there. If anyone asks, he's here to do an inspection and is usually based at head office, so unfamiliarity with the site is expected. He uses the car park exit, which he knows is not observed, to enter the site. Dick reaches the unmanned reception area but now needs to get through the locked door. Luckily, he spots a worker outside and introduces himself, spinning his prepared story and needs to be let through. He apologises for not having his official photo ID but does have a business card - with the company logo and address - which he presents. They share a laugh when Dick suggests his identity can be confirmed by calling the mobile number on the card and checking if his phone rings. This worker is impressed by Dick's friendliness and air of authority and is only too pleased to let Dick through the door! Once inside, Dick can wander through most of the building, being careful to keep away from areas where senior staff and managers are so he's not questioned. He takes photos of any documentation, internal information and security controls he finds. He also unplugs a USB memory stick from a workstation before exiting the building using another door which opens from the inside and is soon off the site.

and consultant number three Harriet's target is a technology start-up. They're based in a shared office which has very lax security: no IDs are worn, the reception is unmanned, the secure doors are propped open, and everyone inside is so used to strangers passing through they have no problem with opening doors for Harriet - how useful. She's young, vibrant and has a cheery thank-you for everyone as she qu

LINK:	https://www.resillion.com/the-legend-of-tom-dick-or-harriet-a-tale-of-...
	See more stories from eurofins

More from Eurofins