The legend of Tom, Dick or Harriet: a tale of physical security and social engineering

The following is based on real events; names and other details have been changed to maintain confidentiality and protect the innocent.

When anyone mentions “cyber security” and “information security”, many of us immediately think of the internet and criminals hacking our networks. We’re right to think like this, but we’re forgetting something equally as important: physical security, which is just as likely to come under attack. This is where our tricky trio above come in. They’re all experienced consultants and regularly test the physical security of clients, while others investigate logical security.

By the time you meet them, they’ve already done a lot of work: online reconnaissance using the client’s website, LinkedIn (and other social media), public company information and a general internet trawl to garner details of directors, staff, offices – including managed buildings, departmental structure, leadership team, current and past projects, clients, supply chain, investors, annual reports, general news and potentially much more. A thorough trawl indeed.

Next step: they’ll visit your offices and, without stepping foot inside, check out barriers, receptionists, use of proximity cards, ID badges, specific lanyard colours and designs, public areas, shared office space, all the entrances to the building and who they’re used by, contractor access, car parks, where staff go for coffee and lunch, busy and quiet times, windows which give internal views, even down to how you call the lifts and how many staff head to each floor. A long list of things that is certainly not exhaustive. They’ll easily be able to identify areas of poor security and the rate at which controls are bypassed, such as tailgating or opening doors for others and not checking identification.

Meet the consultants

Let’s introduce you to Tom. Tom is a very nice guy, young, keen, always smiling. Tom’s target? A small, merchant bank in the city. When he arrives, he’s got company ID that looks legitimate, knows where he’s going, and looks confident. With his phone to his ear and clutching two laptop bags, he arrives with a group of others and silently indicates his hands are full and if you don’t mind opening the door for him…? Tom stands by the lifts still talking on the phone, watching as someone waves their proximity card in front of the screen to call the lift and presses the button for the fifth floor – Tom’s destination. He jumps into the lift, still on the phone, and mouths ‘thanks’. Tom knows the fifth floor is where the finance department is (from the reconnaissance phase, remember?), he exits the lift and walks in the opposite direction to the other person. Rounding a corner, he spots a half-empty hot-desking area. Ending his fictitious phone call, he quickly gets a laptop out of one of his bags and sets up. Someone wanders up behind him and says hello. Tom isn’t fazed. He turns around, says hi and introduces himself, explaining that he’s working on the company’s latest marketing campaign and is usually based in the Edinburgh office. They chat some more. His audience is instantly at ease, they’re in finance so know nothing about marketing but it’s obvious that Tom is genuine, he knows all about the way the bank operates. Tom asks where the finance director’s office is as he needs to speak to him later. The office is pointed out to him, and the employee is thanked for their help. After a few minutes, Tom leaves his laptop and goes to the bathroom where he hides until lunch. When he re-emerges, the office is quiet, he picks up his laptop – it was never switched on and contains no data anyway – and walks to the office of the FD. Nobody is around, but the FD’s laptop is on the desk. Quickly but confidently Tom picks up the laptop, disconnects the cables, and puts it in his second bag. Ostensibly making arrangements for lunch on his phone he leaves, using the same techniques to get out as he did to get in.

Consultant number two…

Dick’s target is a utility company site. He arrives wearing a hard hat and high vis jacket over a suit, he looks the part and most certainly like he’s supposed to be there. If anyone asks, he’s here to do an inspection and is usually based at head office, so unfamiliarity with the site is expected. He uses the car park exit, which he knows is not observed, to enter the site. Dick reaches the unmanned reception area but now needs to get through the locked door. Luckily, he spots a worker outside and introduces himself, spinning his prepared story and needs to be let through. He apologises for not having his official photo ID but does have a business card – with the company logo and address – which he presents. They share a laugh when Dick suggests his identity can be confirmed by calling the mobile number on the card and checking if his phone rings. This worker is impressed by Dick’s friendliness and air of authority and is only too pleased to let Dick through the door! Once inside, Dick can wander through most of the building, being careful to keep away from areas where senior staff and managers are so he’s not questioned. He takes photos of any documentation, internal information and security controls he finds. He also unplugs a USB memory stick from a workstation before exiting the building using another door which opens from the inside and is soon off the site.

…and consultant number three

Harriet’s target is a technology start-up. They’re based in a shared office which has very lax security: no IDs are worn, the reception is unmanned, the secure doors are propped open, and everyone inside is so used to strangers passing through they have no problem with opening doors for Harriet – how useful. She’s young, vibrant and has a cheery thank-you for everyone as she quickly makes her way to her target’s office space. The door is fitted with access control, but it’s turned off, the layout is open plan. Harriet carries her laptop and makes her way past the desks, smiling and acting as if she has every right to be there. No one questions her; the company culture is one of openness and collaboration. Looking as if she’s typing something on her phone, she’s able to take photos of the whiteboards sporting architecture diagrams, sales plans, customer engagement information and even system usernames and passwords! She slowly wanders back towards the door, still on her phone, slips out and is away before most even notice she’s there.

What now?

Tom, Dick and Harriet have easily been able to breach the security of all three locations. If these were real attacks, the bank would be in the middle of a major security incident and would have to report the breach to the regulator, not knowing whether they’ll get a ransom request or if their information is for sale on the dark web, potentially appearing in tomorrow’s headlines. The utility company, realising the stolen USB had detailed information about their compliance, or rather lack of, with the NIS regulations, are panicking as they don’t know if they’ve been targeted by a random theft, a competitor or an unfriendly foreign government about to launch an attack against national infrastructure. The tech start-up doesn’t notice anything untoward for a little while until rumours start to circulate about insecure code and malware-infected apps and they suddenly find it impossible to get new investors.

Luckily for all three companies, Tom, Dick and Harriet are not criminals and have been engaged specifically to test physical security. Any assets are returned immediately and any information gained remains confidential. Tom, Dick and Harriet will call their clients as soon as they’re off the site to give them immediate feedback, pointing out major risks and quick fixes. In a few days, they will provide reports on what they did and what they found, with recommendations on how to close the security loopholes. Our tricky trio are not your ordinary Tom, Dick and Harriet; they’re helping you to improve security by identifying and testing vulnerabilities you didn’t even know you had.