Darren Roberts, Senior Computer Auditor at SWAP, reveals a test he devised to assess the security of an organisation, both inside and out.

The scene has been set. You are ready for GDPR. You have undertaken external penetration tests. You have a specific technical vulnerability strategy. You are proud to inform your clients that their data is safe, thanks to a class-leading technical security infrastructure protecting you from online, external and internal cyber threats. But underneath all of that technical effort - have you overlooked something?

The story starts when I was a project manager, working late in my development team with the Duty Data Centre Staff as company. It was about 7.30pm and the hustle of a busy IT department was reduced to the hum of the test bed.

The office was open plan and consequently a busy thoroughfare during the day. All was calm, apart from one chap who breezed down the office. Dressed in a black hoodie with black tracksuit trousers, he remained engrossed in his phone as he walked past me, with a mop slung over his shoulder. ‘Must be a cleaner’, I thought.

However, after he left, I realised that our cleaners wore blue tabards with the company logo - he was not wearing a tabard. He had walked through an IT department at an unusual time of day - there were laptops lying around, hard drives on desks, test beds running, BlackBerrys waiting to be configured and so on.

After contacting facilities the next day, they confirmed he was genuine, and the cleaning supervisor had a ticking off for not issuing him with a tabard. But this made me think: how was he able to gain access to the building and move around unchallenged?

A year later, I moved into IT audit, concentrating on key ISO 27001 controls. Soon I came across customer sites showing off their fine security estates, built on high-grade products and subject to multiple penetration tests. There was no question - their technical security perimeter was class-leading, but then I thought about my cleaner. The technical security would be superfluous if I could walk into the building and steal or corrupt data from within.

So, could I undertake a test of their physical security perimeter, dressed in a hoodie, and gain access to an area with high risk data? The ‘Hoodie Test’ was born and was an immediate success with clients.

It worked as follows. The test had to be as stealthy as possible, to emulate as closely as I could a genuine attempt to gain unauthorised access to a building. So only two people at the client were in on it - the senior information risk owner (or equivalent) and the facilities manager. The latter was a key role in the test, and only the manager, not the wider facilities team, needed to know.

Between the three of us we agreed a location in the building that I would try to reach - this could mean sitting down at an open terminal, picking up a pre-placed device such as a USB stick, or gaining access to paper stores or cabinets. No social engineering was used - it was a case of get in, move quickly and get to where I was supposed to go. After all, that is what an intruder would do.

The test ended with one of three outcomes:

  1. I fail from the outset to gain access to the building from the perimeter - client passes the test
  2. I gain access to the building but am challenged by a member of staff - client passes the test
  3. I gain full access to the agreed area, unchallenged - client fails the test.

For outcome 2, a challenge counted as any contact from staff, including 'Can I help you?', 'Are you lost?' and so on. The very fact that I had been approached meant I could not finish the test, since I had drawn attention to myself. On challenge, the hood came down, out came my official ID, and we called the facilities manager, who spoke to the member of staff to confirm what had happened.

The results varied across clients, with some surprising failures - and they produced some pointers to look at if you are reviewing your physical security.

How do you manage access to a facility that has multiple entry points? CCTV can be installed, but it is generally not monitored in real time, so it would only pick me up after the event. In any case, I am wearing a hoodie - you cannot see my face.

If you use an entry control system, audit its logs to find entry points that are rarely used, then close them or convert them to fire exits only. Consider a single staff-only entrance and exit point.
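As an added example (not part of the original briefing), the following Python script shows the kind of log audit suggested here, run over a constructed badge-reader log. It lists configured doors with few or no granted entries, flags granted events outside an assumed 07:00-19:00 working window, and applies a soft anti-passback check that surfaces badges leaving without ever having badged in, which is what tailgating looks like in the log. The door list, the log line format and the thresholds are all assumptions for illustration; a real export will differ and only the parser would need adjusting.

```python
"""Audit badge-reader (entry control) logs for rarely used entry points,
out-of-hours use and anti-passback anomalies.

Added example, not code from the original article. Log format is constructed:
    <ISO-8601 timestamp> <door id> <IN|OUT> <badge id> <granted|denied>
"""
from collections import Counter, defaultdict
from datetime import datetime, time

# Assumed list of controlled doors. Enumerating them (rather than only
# counting doors that appear in the log) catches a door nobody ever uses.
DOORS = {"D01": "main entrance", "D02": "loading bay",
         "D03": "side door", "D04": "car park door"}

# Constructed sample: one working day of events.
SAMPLE_LOG = """\
2018-03-05T07:58:02 D01 IN  B1001 granted
2018-03-05T08:02:11 D01 IN  B1002 granted
2018-03-05T08:05:40 D01 IN  B1003 granted
2018-03-05T08:09:13 D02 IN  B1004 granted
2018-03-05T09:14:07 D03 IN  B1002 denied
2018-03-05T12:20:30 D01 OUT B1001 granted
2018-03-05T12:22:18 D01 OUT B1006 granted
2018-03-05T12:41:00 D01 IN  B1001 granted
2018-03-05T13:05:12 D01 IN  B1003 granted
2018-03-05T17:30:45 D01 OUT B1002 granted
2018-03-05T17:35:10 D01 OUT B1003 granted
2018-03-05T17:40:00 D02 OUT B1004 granted
2018-03-05T19:50:09 D03 IN  B1007 granted
2018-03-05T20:15:33 D03 OUT B1007 granted
"""


def parse_log(text):
    """Parse events into dicts, sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, door, direction, badge, result = parts
        events.append({"ts": datetime.fromisoformat(ts), "door": door,
                       "dir": direction, "badge": badge,
                       "granted": result == "granted"})
    return sorted(events, key=lambda e: e["ts"])


def entries_per_door(events):
    """Granted entries per configured door, zero for doors never used."""
    counts = Counter({door: 0 for door in DOORS})
    for e in events:
        if e["granted"] and e["dir"] == "IN" and e["door"] in DOORS:
            counts[e["door"]] += 1
    return counts


def underused_doors(events, min_entries):
    """Doors with fewer than min_entries granted entries, least used first:
    candidates to close or make fire-exit only."""
    counts = entries_per_door(events)
    return sorted(((d, n) for d, n in counts.items() if n < min_entries),
                  key=lambda item: (item[1], item[0]))


def out_of_hours(events, start=time(7, 0), end=time(19, 0)):
    """Granted events outside the assumed working window start <= t < end."""
    return [(e["ts"].isoformat(), e["door"], e["dir"], e["badge"])
            for e in events
            if e["granted"] and not (start <= e["ts"].time() < end)]


def passback_violations(events):
    """Soft anti-passback on granted events: an OUT with no prior IN means the
    holder got in without badging (tailgated or used a held-open door); an IN
    while already inside suggests a shared badge or an unbadged exit."""
    inside = defaultdict(bool)
    violations = []
    for e in events:
        if not e["granted"]:
            continue
        badge, when = e["badge"], e["ts"].isoformat()
        if e["dir"] == "IN":
            if inside[badge]:
                violations.append((when, badge, "entry without exit"))
            inside[badge] = True
        elif e["dir"] == "OUT":
            if not inside[badge]:
                violations.append((when, badge, "exit without entry"))
            inside[badge] = False
    return violations


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for door, n in underused_doors(evs, min_entries=2):
        print(f"underused: {door} ({DOORS[door]}) - {n} entries")
    for row in out_of_hours(evs):
        print("out of hours:", *row)
    for row in passback_violations(evs):
        print("passback:", *row)
```

On the sample, the car park door never appears in the log at all, the loading bay and side door see one entry each, and badge B1006 leaves at lunchtime without ever having badged in. Over a real month of data the same three views give facilities a list of doors to close or re-designate, a list of after-hours movements to explain, and a count of how often people are already getting in without badging, which is the figure the hoodie test goes on to demonstrate in person.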

How do you manage facilities contractors and delivery points into the building? Perimeter doors left open for these workers were easy pickings. Consider a delivery area where goods can be received, with a separate controlled entrance into the inner perimeter.

How do you advise staff on challenging people in the building if they are concerned? Some staff did not report me because they felt threatened by my appearance - one said they were scared I was carrying a knife. So is there a route by which staff can report intruders internally to facilities staff, rather than having to confront them?

And there were conflicts between controls - I gained entry to two locations through automatic entry doors configured to meet the requirements of the Disability Discrimination Act (DDA). These doors closed approximately 12 seconds after the last person walked through - plenty of time to tailgate inside - and, in any case, they re-open if they detect an obstruction. So consider a DMZ-style lobby that gives initial access to the facility, with a secondary DDA-compliant control on the door into the inner area.

But the test was not without risk to me. Twice I was forcibly ejected by burly members of the facilities team (who were in no mood to reason), and on another occasion I was stopped by the police, who thought I was loitering with intent. Finally, when presenting this at seminars, I am often asked, 'Did you do this in a suit as well?' The answer is yes, I have. However, that variant involves an element of social engineering - I will cover it in a future briefing.

In conclusion, the hoodie test, in all its simplicity, covered areas that are often overlooked or taken for granted because they depend on human interaction. It is an exciting test to carry out, and it had maximum impact on clients by challenging their perceptions of physical security risk.

The added value was that many organisations used the results to protect their own staff as well - if I could get into the facility to steal data, why not personal belongings too? And, in the current climate of GDPR compliance, it gives organisations more reason to take physical security seriously. So, ask yourself: could you stop a hoodie?