
Speaking as a construction worker, you'd be quite surprised how easy it is to get into places you generally shouldn't with no one asking questions. I don't wear a company uniform and I've gotten onto the roofs of buildings I really shouldn't have, including when I've been sent to the wrong address and I talked to everyone from the property manager to the building owner and everyone helped me.

You'd also be surprised how easily security can be fobbed off by telling them something they've heard a few dozen times before.

You can go to any uniform supply store and pick up some coveralls for a fake company. You would be able to walk into any commercial building with any equipment you want, and excuse it all off with knowing who the property management company is. If anyone asks too many questions you just say "I don't know, I just go where I'm told" and if you're getting nowhere you can get out of dodge by saying "Let me just call the office, make sure they didn't give me the wrong address."

Your #4 assumes he'd be logged coming and going, which in my experience isn't true for construction workers. Also hiding inside the building isn't necessary. He knew his methodology for getting into the place, which meant accessing the roof. Security wouldn't check the roof once the electrical contact shows the door or hatch is closed.

The weakest link in security is human nature. Build me the most complicated lock in the world, and it's only valuable if people remember to lock it and you can't get them to unlock it for you.



> Speaking as a construction worker, you'd be quite surprised how easy it is to get into places you generally shouldn't with no one asking questions.

No, in general I'm not. At a place where the mere location of the main server room is confidential information, though, I would be very surprised.

> Your #4 assumes he'd be logged coming and going, which in my experience isn't true for construction workers.

It was true of every defense contractor facility I have ever been to.

> Also hiding inside the building isn't necessary. He knew his methodology for getting into the place, which meant accessing the roof. Security wouldn't check the roof once the electrical contact shows the door or hatch is closed.

Well, I was counting on the roof as inside the building; I wasn't clear on that. Still, security should have known the door had been opened at some point, and done due diligence with facilities to find out if there was a reason.

> The weakest link in security is human nature. Build me the most complicated lock in the world, and it's only valuable if people remember to lock it and you can't get them to unlock it for you.

Absolutely correct, which is why training and awareness are the most important features of an effective physical security plan.[1]

Basically, I keyed off the author's statement that this client has security and started thinking, WWDSSD[2]? The items I mentioned in my original post are items I would flag if I were inspecting a facility, in addition to what the author mentioned.

[1] Shit, I'm starting to sound like a fucking DSS training pamphlet.

[2] What Would the Defense Security Service Do
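The point above about the door contact is that a hatch showing "closed" now says nothing about whether an earlier "open" was expected. The following is an added example written for this page, not code from any commenter: it pairs door-contact OPEN/CLOSED events, matches each opening against the facilities work-order calendar, and queues any unmatched opening for follow-up. All sensor events, door IDs, timestamps and the work-order ticket are constructed sample data.

```python
from datetime import datetime

# Constructed sample data: door-contact events from one roof hatch over a day.
CONTACT_EVENTS = [
    ("2024-05-14T08:02:10", "ROOF_HATCH_N", "OPEN"),
    ("2024-05-14T08:03:40", "ROOF_HATCH_N", "CLOSED"),
    ("2024-05-14T13:21:05", "ROOF_HATCH_N", "OPEN"),
    ("2024-05-14T13:22:31", "ROOF_HATCH_N", "CLOSED"),
]

# Constructed facilities calendar: (door id, window start, window end, ticket).
WORK_ORDERS = [
    ("ROOF_HATCH_N", "2024-05-14T07:30:00", "2024-05-14T09:00:00",
     "WO-1187 HVAC filter change"),
]


def _t(ts):
    return datetime.fromisoformat(ts)


def pair_openings(events):
    """Pair each OPEN with the next CLOSED on the same door.

    An OPEN with no later CLOSED is returned with closed_at=None, i.e. the
    door is still open at the end of the log.
    """
    open_since = {}
    openings = []
    for ts, door, state in sorted(events):  # ISO timestamps sort lexically
        if state == "OPEN":
            open_since[door] = ts
        elif state == "CLOSED" and door in open_since:
            openings.append({"door": door,
                             "opened_at": open_since.pop(door),
                             "closed_at": ts})
    for door, ts in open_since.items():
        openings.append({"door": door, "opened_at": ts, "closed_at": None})
    return openings


def match_work_order(opening, work_orders):
    """Return the ticket whose window covers the opening, or None."""
    t = _t(opening["opened_at"])
    for door, start, end, ticket in work_orders:
        if door == opening["door"] and _t(start) <= t <= _t(end):
            return ticket
    return None


def review_queue(events, work_orders):
    """Every opening gets an entry; the subsequent CLOSED does not clear it.

    Openings with no matching work order are marked for follow-up with
    facilities, which is the check the thread says was missing.
    """
    queue = []
    for opening in pair_openings(events):
        ticket = match_work_order(opening, work_orders)
        queue.append({**opening,
                      "work_order": ticket,
                      "needs_followup": ticket is None})
    return queue


if __name__ == "__main__":
    for entry in review_queue(CONTACT_EVENTS, WORK_ORDERS):
        flag = "FOLLOW UP" if entry["needs_followup"] else "scheduled"
        print(f"{entry['door']} opened {entry['opened_at']} "
              f"closed {entry['closed_at']} -> {flag} ({entry['work_order']})")
```

With the sample data the 08:02 opening matches the HVAC ticket and the 13:21 opening does not, so it lands in the follow-up queue even though the contact reported CLOSED a minute later.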


Speaking from experience, though, if you look and act the part, you can get by with a similar amount of SE effort in contractor facilities and/or military bases. I'm not talking about Boeing's skunkworks or Groom Lake, but defense facilities and people in particular get a stereotype that isn't really true.


My uncle managed to get into a nuclear power plant with the wrong clearance tag. He was working on two facilities and grabbed the wrong tag when leaving the office.

What he said was scariest is that anyone with access to a commercial printer and lamination machine could easily reproduce them too.

So many people come and go from your average facility. I mean you can get past most gates just by landing a job at the right landscaping company if security is that strict.

It also sounds like the target was in a shared office building, so they likely had minimal influence over security procedures.


I interned at a defense contractor, at a satellite office in a shared space. Everyone (including construction workers, movers, visiting officials, employees, etc) had to be badged and logged past the reception area. And truly restricted areas required swiping in with a proper level badge.

Obviously, it's just an anecdote, but I would be surprised if similar requirements weren't standard for the defense industry.


I had a rather long career in the military doing a huge variety of things, primarily with physical security. We were pretty good at our jobs (the US is generally militarily good at its job), but there were regular security lapses that would make regular people shudder. And this was involving activities with the State Department and TS facilities and materiel. You're right though: it's not like getting into a corporate satellite office. You're gonna need a badge of some kind (or correct-looking paperwork, et al.) to BS your way past the guy at the door. But it's most definitely not the kind of thing people think of it as.


Reminds me of this (artist undertook "Guerrilla Public Service", donning CalTrans worker garb and modifying a highway sign to be more helpful to motorists): http://www.laweekly.com/2009-12-31/la-life/richard-ankrom-s-...

"The sign was so authentic that Caltrans officials let it remain in place for eight years, four months and 15 days, until its removal last month under a standard scheduled replacement."
