Preventative security controls are those that act as a deterrent rather than a physical barrier. The weakness here is that if an intruder is not deterred, preventative controls provide little or no security. The mainstay of deterrence in a corporate facility is exactly the same as that you will see on the streets: a uniformed presence and cameras. The shortfalls of these security controls are the subject of this section.
Working Around Guards
You would think that the presence of guards would only add to overall security, but you’d be wrong. Guards introduce an element to access
44 EXECUTING TESTS
control that you can exploit in a way that you can’t exploit electronic countermeasures. Guards work long hours for low pay and are used to being looked down on. Usually they have a pretty easy, if uninteresting, job. A guard covering an entrance sees hundreds of people coming and going every day and his presence is preventative, meaning that he acts as a deterrent. However, he is little more than a glorified doorman. Guards deployed at entrances are there for several reasons:
• to examine ID badges;
• to let people in;
• to ensure that no one obviously undesirable wanders in off the street;
• to provide assistance to visitors and staff in the event of reader failures;
• to provide a sense of security for the benefit of staff;
• to deter potential intruders.
At some sites, where card readers are not used, guards are the sole point of access control for verifying badges and passes. Although this is becoming increasingly rare, it’s a point worth considering: is this something you would want to be responsible for? Passes that rely solely on visual confirmation sometimes have additional security measures attached – for example, a holographic sticker – but for all except the most secure sites, you can bet that visitors’ passes won’t have that.
Guards can be tremendously helpful to the tester. They’re familiar with the layout of the building and are usually forthcoming with directions and other help. As you’ll see in Chapter 4, people respond positively when approached in ways appropriate to their individual mindset. Guards, like most people, want to feel important and when treated as such by professionals in suits, they tend to become extremely accommodating.
Guards are also trained and expected to be polite and helpful to guests.
There are stories about security guards helping thieves load loot into vans. I don’t know if they’re true but it wouldn’t surprise me.
A particularly audacious colleague of mine once entered a target site dressed as a security guard. Having researched which third-party firm was used, he acquired an appropriate uniform and then relieved the on-duty guard and sent him home. This is a very stylish but very risky approach.
Dealing with Cameras
Cameras are often treated as a security panacea, but really most of the time they are just a deterrent. There are exceptions to this, of course. A camera may be used to identify someone at the security perimeter or may be fixed in place monitoring a turnstile. However, once within a target
MECHANISMS OF PHYSICAL SECURITY 45
site, particularly large sites, most cameras are not monitored. They simply record. It is not viable to analyze dozens of different feeds – it would need a large staff dedicated to performing ongoing surveillance. Even if you have the staff, try looking at camera feeds for four hours straight and you’ll see what I mean; a few minutes of inattention is sufficient to permit a security breach. Of course, an attacker doesn’t know which few minutes and therein lies the deterrent, but remember the feeds are unlikely to be monitored in any meaningful manner anyway.
Security cameras are fine for the purposes of evidence but they are woefully inadequate for preventative security. However, let’s assume that a site has 50 or so cameras and that these are monitored 24/7 by dedicated staff on a bank of monitors that switch between cameras every few seconds. This is certainly more secure than record-only feeds, but the problems occur when you analyze how camera monitoring staff are trained.
Typically, complete training in closed-circuit television (CCTV) monitoring takes at most one week and covers the following areas:
• responsibilities of the CCTV operator;
• codes of practice;
• technical operation of CCTV equipment;
• control room communications and security;
• legislation;
• dealing with incidents;
• CCTV surveillance techniques;
• health and safety;
• ongoing development of operator skills.
Most of these courses do not exist to teach surveillance techniques as the primary focus of training because most sites know that CCTV monitoring is at best a deterrent. Camera operators spend most of their time learning about health and safety and the law. This way, the organization has performed due diligence and is legally covered in the event that monitoring staff exceed the scope of their work. In fact, while a camera operator is trained to look for behavior that could be construed as suspicious, a lot of emphasis is placed on behaviors to avoid, such as biased viewing based on race or gender.
So what is suspicious behavior? Badges often have different colors (or very clear letters or numbers) to indicate different levels of access or staff security status. One of the reasons for this is that the quality of CCTV camera feeds tends not to be very high and monitoring staff sometimes need to pick details off badges. So, the wrong color or letter in the wrong
area is suspicious, as is someone wearing an escorted badge without an escort. In general, the list is very short:
• An individual looks ‘out of place’, for example by wearing the wrong clothing or hairstyle.
• An individual seems to lack purpose, looks lost or is wandering.
• An individual lacks or has an incorrect badge.
• An individual remains in one place for too long or seems to be ‘lurking’.
• An individual exhibits generally suspicious behavior, noted by monitoring staff or reported to them. This is where things get a little clouded.
Some behavior is obviously suspicious – getting caught picking a lock for example (unless perhaps you’re posing as a locksmith). Generally, though, this is more of a gut instinct that monitoring staff are expected to pick up.
Assuming that you have breached border security, you should observe these rules:
• Dress appropriately for your role.
• Be in possession of well-forged passes if possible.
• Look like you belong.
• Don’t wander around. If you’re lost, consider asking someone for help. If you need a break or to compose yourself, go to the bathrooms.
• Don’t get caught doing something stupid.
• Take as much time as you need to do the job correctly. Rushing will get you caught.