How To Break In Anywhere (where security isn’t working)
If you’ve been following this site for a while, you might have seen our burglar’s guide to being wildly successful – and if you haven’t, then you should take a look. ‘Cause you want to break in somewhere, huh? Anyway, let’s be clear about something – we believe that security by secrecy is a flawed approach, and so this isn’t so much a guide for burglars and criminals as it is a list of tips for you, the security professional, who would like to see your facility just that much harder to breach than the next door plant, building or facility. So here we go – we’re going to give you a list of insider’s tips and tricks on how to get in just about anywhere where security isn’t doing their jobs. Hold on tight.
Why is it possible?
Usually, security is there to do one of two things, or both at the same time: either keep someone out (that’d be you, dear burglar), or keep something in (that might be where you’re going, dear burglar). It could be both, but the regular deal is the first of the two. By keeping persons unauthorized out, you keep your secrets and your valuables where they should be at all times. The trouble begins when a few things happen:
– Security is controlled by non-security personell. A surprisingly common problem. Maybe the chief of security (CoS, CSO, call’em what you will) is a former cop? Bad deal. Cops know little to nothing about actual security. It’s just not their jobs, after all. Maybe administrations officers are controlling security? Not their jobs, not in their training. You get the idea.
– Security isn’t updated. Could be due to a lot of different things, mainly money. Security spending is hard to justify, and if you combine it with bullet no. 1, then you’re in deep trouble.
– Security training is lacking, or the personell hasn’t been trained to the specifics of the facility they’re protecting. Good people, bad training. Common problem.
There are a million other reasons why our little page here will work, and it’s up to security professionals to see that it doesn’t. That’ll be the day. Let’s start with some good stuff now, huh?
Information is the master key.
Yes, to anywhere. With the right information, you can absolutely get into, and navigate, any place where you shouldn’t be. That’s the bottom line. Mix in a little luck and a little skill, and you might actually get out again without bullet holes in you or new bracelets courtesy of the state. Handcuffs. We mean handcuffs. Jeez. So where do you start?
Information Gathering for Security Breaches
Gathering information is one thing, gathering the right information is a whole other deal. To do that, you need to get a broad view first, and then narrow it down to the point where you can actually use it.
Pick your target, and look at a few, crucial points you can use to your advantage. Let’s look at a few clues.
– How is the place secured? Know where gates are, know where entry points are. Are there actual human guards there, and what kind of door system to they have? Access cards? Keys? Gate phones?
– Take into account what kind of business this is, or what kind of place it is. Are there deliveries going in and out? Are the couriers and messengers screened to any degree? Do you need an appointment to get in as one of them?
– Do you need something specific to get in? Uniform, access card, a simple package, maybe? Remember that there are many ways to replace the items you need, if you can’t get specifics.
There are a number of tools you can use to get to your information, and we’ll take a quick peek at the general gist of things.
– Observation. Risky, because you could get spotted. A good security operation will see outside its own walls and log cars nearby, notice people circling or watching and so on. Certain (and aggressive) security operations might even approach an observer, take his/her picture, ask questions etc, but those are, unfortunately for security, rare.
– Internet. Google them, use Street View to make a floor plan and look at entry points, vehicle gates etc. This cuts down on the need for personal observation, but doesn’t eliminate it. There’s a big difference there.
– Call the facility. Ask them how you can have something delivered to them, where they’re at, access to the property and what kind of preparations you need to do before a (made up) appointment. Usually, you’ll talk to “civilians” who won’t think about security for two seconds, and will give you everything you ask for.
The last point is known as “social engineering” – a mild form of it at that – and is extremely effective when used properly. When we say it’s extremely effective, what we mean is that it’s the absolute nightmare for anyone in security. Misinformed or ignorant staff members who think they’re doing something good is every security guard’s nightmare, and your instant way to both information and access.
What Most Burglars Don’t Know
…and what they (you?) probably shouldn’t know either, is that in many cases it’s far easier to break in somewhere during operating hours than during the night. The chances of alarm systems going off, things breaking and traces being left are far greater during the nighttime, when physical barriers need to be breached in order to get in.
Walking in an open door is much easier than breaking down a locked one, after all. Done correctly, you can do one of two things; stay inside until everyone else is gone, or simply walk right back out. Which you decide to use depends on why you’re there in the first place.
The Hows
Breaching the security of almost any facility comes down to two methods: either using their own systems against them, or using social engineering to bypass them.
There are a few top ways of getting to where you want to be. Your information gathering should have given you quite a few clues as to what’s the most likely way to succeed, we’ve got a few suggestions.
– Deliver or pick up a package. Pretend to be a delivery person, and bypass the checkpoint(s) (e.g. reception area etc.) by using this ruse. Once you’re past that point, few if any people are likely to check who you are, assuming that since you’re there, you’re authorized to be there.
– Claim to have an appointment, such as a meeting or a lunch date with a medium ranking person.
– Follow another delivery person, or employee inside. Most will assume you belong there, and avoid the hassle and/or embarrassment they perceive it is to ask for ID and access cards. This, certainly, does not apply to security guards, so pick a reception area with a receptionist, for example. There’s a hitch here; many receptions use security guards as receptionists…so watch out.
Getting back out is as easy as pie – usually, every plant and facility wants you to get out, and exit is rarely an issue. Again, the assumption is that if you’re in there, you’re authorized or allowed to be there, and that privilege is yours to give up when you wish.
For Security Personell:
Here are our assumptions;
– “Regular” employees will rarely if ever ask anyone for ID or access cards.
– “Regular” employees will rarely question anyone’s need to be where they are.
– “Regular” employees will often try to “help” someone get in or get out. It’s only polite, right?
– “Regular” employees have no security training, and therefore no understanding of the need for access control.
Given these, it’s security management, and security officer responsibility to coach, take responsibility and overrule if necessary. Being polite and trying to help might be the security officer’s biggest nightmare, because it’s the social engineer’s dream.