When we think about hacking and security, we often imagine the basement lair of a programmer, surrounded by computers, searching for a way to access a company’s servers to steal data. That’s the romantic image made popular by movies and television shows. I believe we should strive for the simplest solution to any complicated problem. For me, when a security expert is assessing the security of a business site, the best place to start is with the front door.

An intruder’s likely first strategy is to test the physical security at the front door. Is the door locked? Can people walk in when they have no right to be there? Unauthorised intruders don’t have to be sinister spies or master thieves. They may just be exploring or stealing office equipment.

Think about the mindset of the people who work there. What are their morning routines? Do they all line up and show their I.D.? Is there a security guard? We all remember waking and travelling to work, but we don’t remember every bit of the journey. We’re lost in our own thoughts and oblivious to our environment. We just want to get on with our day. Work is a routine. Routines can be mindless. This mindlessness is what helps an intruder gain entry to an area when they don’t have permission to be there.

When we pen (penetration) test the physical security of a location, we begin by wearing clothes similar to those worn at our target building, usually smart casual with the omnipresent lanyard I.D. We join the mass of workers politely forming a queue to enter and closely follow behind them as they pass through the security gate. This is called “tailgating”, defined as the act of following someone without permission into a restricted area. If we can get through the gate without being stopped or challenged, that’s a good start to our physical pen test.

A physical barrier can create a mental barrier between the outside world and the workplace. Staff feel secure and leave property and information around for us to pick up once we’re in. We gather souvenirs and photos as proof of entry. If staff are around they may make a mental assumption about whether we belong in the building. If I look like a cleaner, client or new co-worker they won’t bother me. Perhaps it’s too much effort to find out.

Gaining access to the building is not the only objective that tailgating can serve. Within the building there can be more restricted areas. You may find an electronic door opened with a card or locked by a key. Many of these doors have a slow closing mechanism to prevent the door slamming, and thus we can follow a legitimate passerby into a restricted area. This can also work in an elevator if you board at the same time as someone else. Don’t be afraid to carry heavy objects and ask someone to hold the door. The locked-door tailgating ruse is a staple on many crime shows. The character waits outside an apartment building for a tenant to open the gate so they can get inside. I have seen footage of people doing this to enter a garage when the homeowner is leaving in their car. They wait near the automated garage door, and when the car is out of sight they roll under the door or block it from shutting with an object. Many assume a garage door is enough to protect the house and thus fail to lock the door inside. It’s convenient for the homeowner and even more so for a burglar.

To make our pen test easier, we spend time researching the people who work in the building. LinkedIn and official company websites can help you with this. Send every contact an email or phone them about an unimportant topic, such as a price quote for services. Look for people who are out of town. If you find someone who is away on holiday you can use them as a reference. Now you have an introduction or excuse. “Hello, I’m looking for Terence on the fourth floor, we have a meeting in an hour”. If Terence is not there, he can’t tell your interrogator that he’s never heard of you. Just having a plausible reason, such as a meeting or a visit to a co-worker, can be enough to get someone to leave you alone. Being caught in the wrong place with no I.D. and no valid reason to be there does not mean you’ll be ejected by security. Sometimes a suspicious person will simply tell you to talk to the front desk and sort out your access permissions. Don’t give up just because someone has started asking you pointed questions about your credentials.

One of our goals at HERT is to show the client that a technical solution alone is not enough to prevent unauthorised access to their place of business. Anyone can pass a series of technological barriers without the correct I.D. The best way to prevent a breach is to teach your staff a security mindset.