You are a corporate spy trying to plant a bug in the boardroom of a multinational. You’ve researched the company online, faked a CV (along with references from accomplices), applied for a job and been asked to an interview. Now you’re past the reception desk with an ID badge, but the door to the company’s inner sanctum is locked with a card reader. How do you get in?
The answer, as practising security expert Wil Allsopp explains in his book Unauthorised Access, is to stand beside the door with a mug of coffee in each hand.
Unauthorised Access is nothing short of a manual for corporate espionage. Author Wil Allsopp is a ‘physical penetration tester’, a hired gun brought in by companies to find out how effective the security defences protecting their premises are.
While conventional penetration testing (‘pentesting’) involves remote hacking, typically through software vulnerabilities, physical pen-testers gain access to a company’s offices or data centre with the goal of connecting to a restricted network, planting a bug or even an imitation explosive device.
And as Allsopp explains, physical and information security are no longer separate concerns.
“The problem,” he writes, “is that you can have the best firewalls and change procedures; you can have regular electronic penetration testing against networks and applications; you can audit your source code and lock down your servers. However, if an attacker can physically penetrate your premises and access information systems directly, these strategies won’t protect you.”
With ten years’ experience as a pen-tester, Allsopp offers superb insight into common methods used by criminals to manipulate employees, from phone calls to outright espionage. The chapter on social engineering, in particular, is guaranteed to spark paranoia and sleepless nights among even the most grizzled chief security officers.
Specific tactics he reveals include ‘employing politeness’, ‘inducing fear’, ‘faking supplication’, ‘invoking authority’, ‘ingratiation and deference’, and even ‘sexual manipulation’.
“Curiously, men working in the IT industry are considerably more susceptible than women to being manipulated in this way,” Allsopp notes. “It’s very difficult for many men to say no to a female requesting assistance, and you can’t just tell your male staff members not to trust women.”
Another chapter details several successful pen-tests conducted by Allsopp and his team, including attacks on a UK power plant and a supercomputing facility conducting spatial modelling of nuclear explosions for the military. He also describes the antics of a pen-tester who bypassed the security of a large corporation by observing the uniform of the firm’s security guard, then showing up the next day in identical costume, pulling rank and relieving the man of duty.
Penetration testing has its fair share of critics. Many CIOs consider it an expensive exercise that only reveals what they already know – that the company has vulnerabilities. Furthermore, it is only a snapshot in time; even Allsopp admits that it is “something that needs to be conducted on a regular basis to have any kind of long-term intrinsic value”.
Nonetheless, pen-testing can be a valuable way of driving home the value of security to senior management.
Approaching things from the criminals’ perspective is certainly instructive – some data centre managers encountered by Information Age have been known to break into their own facilities to test their security.
Allsopp’s book has much to offer IT managers who decide to take matters into their own hands. For starters, he counsels, don’t pen-test facilities patrolled by armed guards (even in a bullet-proof vest, as head shots are typically fatal), and always ensure you carry two copies of a ‘get out of jail free’ letter from senior management just in case a particularly alert security guard destroys the first one.
The enjoyment Allsopp clearly derives from his work is reflected in his book; he writes with that particular tone of repressed glee common among ‘white hat’ hackers. This, together with his tendency to adopt a ‘boy’s own adventure’ narrative style, makes the book very readable but occasionally somewhat glib. And at times it is hard to tell whether Allsopp is offering advice to the CSO, helping the reader start their own pen-testing company or trying to prove to a less salubrious readership how clever he is.
Indeed, many of the techniques described in Unauthorised Access are open to abuse. Allsopp gives the excuse that “the bad guys already know”, before urging the reader to consider taking up lock picking as a rewarding hobby.
Unauthorised Access: Physical Penetration Testing for IT Security Teams. By Wil Allsopp (foreword by Kevin Mitnick). Published by Wiley & Sons, 2009, £27.99. ISBN: 9789470747612.