When we carry out penetration tests on businesses, possibly the most crucial part is choosing the disguise and persona. There’s a lot more to it than sticking on a hat and glasses and remembering a script. After all, a lift inspector skulking around the conference room might look a bit suspicious.
We always need to ensure that our ‘disguise’ is befitting of the area we want to access. Need to poke around the finance department? Better go for someone in authority, perhaps someone carrying out an audit. No one wants to engage in unnecessary conversation with an auditor anyway, so they usually get left to their own devices.
Making it past reception is often the biggest hurdle, so once we’ve smashed that, we’re off to cause chaos. And while our penetration tests are – believe it or not – tests, we want people to pass, which is why we’re always sharing tips and tricks you’ll need to foil criminals (or our own penetration test attempts!).
So with that being said, here are three key characters to look out for – and how to handle them.
Mr Invisible
When was the last time you greeted the man who comes to empty the sanitary bins with more than a curt nod? Would you recognise if it was a different person to the week before?
The truth is that a person who shuffles in with their head down, dressed for an unpleasant job, doesn’t draw much attention. Working on a busy reception might mean that you don’t know this person’s name and probably don’t know what day of the week they’re due. This gives a simple way in for criminals.
When working on the front desk, part of your job is controlling who comes in and out. Criminals will do whatever it takes to sneak past you, and one of the easiest methods is by being invisible.
How do we stop Mr Invisible?
- Get to know him. Find out his name, talk to him about the weather. Build a rapport.
- Question new Mr Invisibles. “Where’s Neil this week?” – a simple question like this could catch a criminal off guard.
- Check their authenticity. Make sure you know what company they’re from and can verify that they’re an actual employee. Keep a record of who is due to arrive and when.
Ms Perfect
There are a lot of Ms Perfects, which can make them hard to catch. They come in many different forms, but they all have one thing in common – they’re super nice and hard to say “no” to.
If they tell you that they’re the finance director’s wife and they need to pop upstairs to drop something off for him, who are you to question that? Perhaps a florist has just turned up and explained that she’s here to deliver flowers to Sheila on the second floor – are you going to try and stop her? Or maybe she’s a new employee and was told that reception would buzz her up this week until her badge gets sorted.
She’s bubbly, she’s chatty, and there’s absolutely nothing about her that screams ‘criminal’ or even gives the slightest hint of nerves.
How do we stop Ms Perfect?
- Just because she’s nice, it doesn’t mean she’s legit. Ask a question to throw her off. If she claims to have started this week, ask her who her manager is and which office she works in.
- Make a courtesy call. Give the finance director a heads-up that his wife is on the way up – if he tells you he’s divorced, this would be cause for suspicion!
- Ask her to wait in reception. Explain that you have a strict visitors’ policy and that whoever she is here to see will come down to collect her in person.
Mr Authority
Mr Authority is a hard one. He can make us feel awkward, belittled, or like we might get in trouble for not doing as he says. He’s the guy that arrives with a clipboard, tells us he’s here for an important reason, and has that no-nonsense attitude.
He could also be a manager from head office, a CEO from a partnered business, or a police detective. He might even be reluctant to give you an explanation. He’s here to see the operations director and has been instructed to go straight on up – he doesn’t have time for the receptionist’s questions.
There’s only one way to defeat Mr Authority – you have to be brave and stick to your guns.
How do we stop Mr Authority?
- Don’t let him pressure you into letting him in – you’re there to do a job and part of that job involves the security of the entire company.
- Ask for identification. If he’s a police officer, he should have a badge; if he’s an auditor, he should have documentation.
- If he’s so important, he will understand the importance of security. He shouldn’t mind being asked to wait in reception for someone to come and collect him.
Security is Everyone’s Responsibility
It goes without saying that some of these people are inevitably going to make it past reception, which is where it’s handed over to the next line of defence – every other employee in the company.
Whilst interrogating every stranger you see in the corridors might not be practical, keep an eye out for people who look out of place.
Why is someone dressed in dirty overalls sitting at a laptop in the meeting room? Why is someone wearing a suit pottering around your kitchen? This is where we need to be asking questions.
If you don’t feel comfortable approaching the person yourself, raise your concern to your manager. They can then take the appropriate action.
Want to know more about keeping your business safe from intruders? Check out our penetration-testing services.