So I’m going to do a lot in this post to “protect the innocent,” or rather the uninformed, but if I get too descriptive, you’re intelligent people and you might just figure out where I was.
So I have an appointment at what could be, well, is considered a government infrastructure location. This location was pretty centralized within the city. To add to it, it had nothing on the perimeter that would greatly attract attention to it. I mean no armed guards patrolling the facility, no turrets with spotlights, and no multi-tracking surveillance system with biometric analysis for access.
So that you get the picture…pretty plain.
So I have a scheduled appointment. As I’m waiting outside the facility, what I can only assume was an employee of the facility, not my contact, approached me. A brief conversation to determine why I was there and boom…I’m in. No call to verify, no reaching out to their colleague, no text, no email, not even a yell down the hall. You get the picture.
So I’m past the perimeter access, in through a few interior access doors, and now I’m meters away from the heart of this building, the reason for its existence. The reason for its existence, I’ll leave out. I’m placed in what can only be described really as an employee hangout or break area…not even in a monitored waiting area or lobby.
Oh, I forgot to add that I was 15 minutes early for my appointment. I was actually going to take the time to study the outside of the facility a little more, but that really didn’t happen.
So there I sit and wait. Five minutes before the appointment happens I receive an email:
I’m really sorry but something has come up and I won’t be able to make it to our appointment. I’ve been pulled away to another facility. I hope you haven’t been waiting outside the building too long. I apologize. Can we reschedule?
So, a couple of things. Here I was in this building, not being monitored in any way from where I’m sitting, only meters away from the belly of the beast. My contact had not been informed that I was there. The other employee took my word at face value. Better yet, I was given access without any verification, scrutiny, or identity check…I mean nothing.
So wow. I don’t let anyone in my house unless I’ve come to some satisfaction that I know who they are, why they’re there, and what the intent of their visit is…family excluded. Well, most of them.
So where’s the failure? Pretty obvious. There is no security culture ingrained into this facility. There’s no belief that security is everyone’s job. There may not be any access control policies…well, I know there are, but they’re not that enforced, as I learned.
A simple risk assessment of the situation really held no weight. If I was on the other side of the team, I would have just figured out how to get in again, but even better, I was in already. I might have just been able to go and do enough damage to hurt or even cripple this facility. And walk away. As far as my contact was concerned, I was still outside or on my way. The individual who let me in knew who I was there to see, and the reason for it, but never asked my name.
So, lesson. Make sure everyone knows what the policy is. If you have appointments and can’t make it, contact someone on your team to make sure that this person is either not let in or, if they are already in, that they get out. Oh yeah…I let myself out.
Work on fostering a security culture; it is a mind shift, but it is beneficial, and you don’t even need to be an infrastructure site to foster this type of environment.
As I always say, Plan the Work, Work the Plan.