The first and most important thing at risk while working on a floating office is my life. I also had the boat itself at risk even though I had passed some of the financial risk along to an insurance company, which is what we do with a lot of risks where it makes sense. There was also equipment on the boat that was at risk of not only sinking but of possibly being dropped overboard or being splashed with water from the wake from a passing boat. A sudden thunderstorm could cause problems as well. Depending on lake conditions, too many other boats could cause a problem. The battery in the boat could die, causing me to lose all power and even strand me on the lake. As you can see, whenever you consider what you have a risk, you will immediately start to consider some of the threats that could increase your risks. What I had at risk out there on the boat was everything that I could lose if something really bad happened. Let's call all the bad things that could happen possible threats.

I've already mentioned a few as I discussed some of the risks. The possible threats were a little different than they would be if I did a risk assessment of my home office. Weather could certainly be a threat, and so could simply hitting something as I was moving from one place to another on the lake. There was always the threat of a sudden thunderstorm as well as the threat of being hit by another boat. I wouldn't have had much of a threat of being hit by a car (hopefully) or suffering from a commercial power outage while I was out there. The possible threat of theft was small as long as I kept an eye on my equipment while I was launching the boat. Overall, the threats that could hinder my ability to conduct business from the boat would be lower than those from most places.

I would have been much more vulnerable to severe or any weather changes out there on the lake than I would be in my home office. This is a large lake about 20 miles long. For a few days following a heavy rain, there are hundreds of semi-submerged items floating downstream (remember, this lake was actually a river). If I didn't know the depth of the water that I was in, I would have been vulnerable to running aground or hitting something in water that was shallower than I thought it was. It would most likely just be inconvenient, but just like in any vehicle, I would be vulnerable to running out of fuel. I mentioned not being vulnerable to commercial power failures, but I could easily have been vulnerable to quickly running my only battery down to a point where I couldn't start the engine to get back to the marina. Although I am very careful, I would certainly have been vulnerable to falling overboard. That could be a difficult problem when you're on the water alone.

I really enjoy talking about countermeasures. The word even sounds cool. I had a lot of valuable equipment with me that would be at risk while I was out there on the boat. The countermeasures are the things that help me lower my vulnerability to any of the threats that I might encounter that could cause me to lose what I have.

I've learned a lot during the couple of years that I had my floating mini-office. Some of the countermeasures that made me feel comfortable out there were as follows:

I'm sure there are many more issues that could be addressed in this mini-assessment. We all need to at least be familiar with and understand our risks at home and at work.

Just about every area of concern with security today is a risk management issue. This chapter, and most of the other chapters in this book, are chock full of what I like to call techno tidbits of useful risk management countermeasures. Many of them will be topics you might not have considered in the past as you put together your security plan. I hope this will help external, internal, and information system auditors to recognize several gaps in their audit processes.

On every one of my team's penetration tests, we found at least one lock (either interior or exterior) in the building that wasn't functioning properly. This provided us with easy access to buildings and rooms that we shouldn't have been able to get into so easily. If employees are trained for just a few minutes on how to check to see if the locks on the doors that they use every day are working properly, this vulnerability can be all but eliminated. Building maintenance teams should also take a close look at all locks at least twice each year. Slightly misaligned strikes on the doorframes are the most common problem that we find. This is a serious problem, in that it defeats the purpose of the dead bolt feature of the lock. It takes me less than a second with my trusty fingernail file to see if a particular lock (bolt) has this problem. If it does, I'll know (and have the door opened) in a few seconds.

I know these can be faked, but I still think that it is much better to have some form of visible identification worn by every employee at all times. Most of the companies that hired us did not have a policy requiring employees to wear their corporate ID badges all of the time. This made our social engineering attempts much easier. Once we were inside the buildings, it was as if everyone just took it for granted that we belonged there. Not only were we inside their buildings, but were also inside their firewalls and intrusion detection systems.

Employees can be somewhat trained to even detect fake ID badges. I was working for a large company that did require employees to always wear their ID badges when they were on company property. This was back in the days when color printers were just starting to show up in homes and offices. I created a fake ID that was intentionally made without any thought of quality control. The first time I wore it into the building instead of my real ID, I suspected that I would be stopped immediately and questioned about it. This was a security project, so I was prepared to explain myself. To my amazement, I never had to explain anything because it was never questioned. For the next three months, I wore it everywhere and not one person noticed it. During one of our security meetings, I told everyone in our group about my little experiment and most people were quite surprised that it was never detected.

Part two of my experiment had the most interesting results. I created a picture showing my two personal employee badges side by side. The fake one was quite obvious when seen next to the real one. We began to teach people how to take a slightly closer look at the badges that people were wearing as they walked through our buildings. From that time forward, I only wore my fake ID when I was conducting security awareness training for a group of employees. I was amazed at the number of my friends who had been through a version of the training and would spot the fake ID as I was walking past them on the way to another training class. Some would spot it from 10 feet away. These are the same people who didn't even notice it when they sat in my office just 3 feet away prior to being made aware of the threat. AWARENESS TRAINING WORKS!

As with everything else, these past few high tech years, shredder technology has changed considerably. Our team had gotten really good at putting strip-cut papers back together again years ago. We used to take bags of strip-cut documents that we found at the clients site back to our office during the test. Frequently, the bags of shredded documents were sitting outside in or near a dumpster where we simply picked them up and put them in our vehicle. Most of the time, documents that were strip-cut shredded all fell neatly into place in the bag or box where they were stored waiting to be disposed of. Our team was able to reassemble many of these documents within a few minutes. We would even take a document and paste the strips on a piece of cardboard in the shape of a Christmas tree, spreading the strips out as they were glued to the cardboard. Even with up to an inch between strips, the documents were easily readable once reassembled. We never even attempted to reconstruct a document that had been sent through a cross-cut shredder.

When conducting a physical penetration test, the company's phone books were the first things that we went for. Once we got our hands on a corporate directory, the social engineering began. Most corporate phone books are laid out in a way that conveniently shows the entire corporate structure as well as chain of command, building addresses, and department titles. That kind of information also let us know the order in which to try entering the various buildings if there were several. Wherever the human resources department was located was usually where we went last. Here's why. As we tried to enter all of the other buildings by simply walking in the door like we belonged there, we were frequently challenged by a receptionist and asked where we were going. Our social engineering answer was always the same: “We were told that this is where human resources is located and we're here to fill out a job application.” In every case, the receptionist simply sent us in the right direction. We thanked her or him and walked out the door and directly into the building next door to try the same con. The phone book even gave us the human resources manager's name to drop if we needed to be a little more convincing that we belonged there but were simply lost. It also gave us the rest of the important people in the organization whose names and titles we could drop if we needed to when challenged. In addition to the names in the directories, most contained the physical location and chain-of-command ranking for the most important person in each department. It was often their offices, file cabinets, and trashcans that we spent the most time in during our nightly visits.

Employee awareness of the importance of a corporate directory will help ensure employees know how to safeguard this valuable corporate property. Old directories are still quite accurate, especially regarding buildings and department locations. They should be burned or shredded rather than simply thrown into the dumpster (we might even get hit if you throw them in while we're in there looking for goodies).

If paper directories can be eliminated altogether that would make our job a little tougher. Everything that you do to make it a little harder for the bad guys will make you a less likely target—they're looking for an easy mark. Online directories are better only if you don't let the social engineers get into your building. Once we were inside, we began looking for a monitor with the infamous sticky pad note on the side with the person's login id and password written on it. Once we logged onto the network as them, we could usually get to an online company directory if there was one.

Let me address one additional countermeasure while I'm on the subject of the login ID and password being written down and attached to the monitor or under your keyboard. Maybe that doesn't happen where you work, but we found at least one person who had done this on every job that we were hired to do. There is another reason we like to use someone else's login ID and password to get onto their networks. If we are able to do that, not only are we on their network on the inside of any firewall, but everything that we do will show up in some log as being done by the person who let us log in as them. Many larger companies now use at least some form of two-part authentication using either biometrics or a handheld authenticating device of some type to attain two-part authentication. Fortunately, some forms of biometric access control are getting to be very reasonable in price. Everything you do in the way of authentication will greatly reduce your vulnerability in this form of instant identity theft.

This was one of our most successful entry techniques regardless of the security procedures at the building. For some reason, people in the outside smoking areas didn't ever question our being there, and we were able to eventually walk in right behind them as they went back to work. We found that many corporations had good security at their main entrance points but were lacking at other entry and exit points. Members of our pen testing team were able to gain access on several occasions through parking deck or garage entry points that required card access. We would simply follow someone who was headed to the door and walk in behind him or her as we were pretending to search for our access cards that didn't exist.

I have found it very interesting to learn things about people, in general, from the very people I have trained over the past three decades. I think about this often as I write about, or present on, topics relating to security. One very encouraging aspect I notice is that employees really do want to do whatever they can to help with overall security. It's amazing to watch their awareness level rise as I describe certain scenarios. There is something else that I have been saying for decades: “By far, the least expensive and most effective countermeasure for the overall security of any organization is the employees of that organization.” If the employees of an organization are trained and taught to be aware of anyone not wearing proper identification where identification badges are used, the corporate security posture can be greatly increased.

I can't emphasize enough the need to train all of your second and third shift employees, and especially your janitorial services people, about the threats of social engineering. Obviously, pre-employment screening and possibly bonding are essential for any outside firm that you allow inside your buildings at any time. This is especially true for building access outside the normal 8 to 5 Monday through Friday standard work schedule. Frequently, these people have access to the master keys for a large section of the building and sometimes the entire building. They need awareness training to better prevent them from becoming victims of bad-guy social engineers who would like to borrow their keys for a minute or who get them to open a certain room.

This team should also immediately know whom to contact should they see anything suspicious that should be reported. If there is no immediate supervisor on duty during the evening or night shifts, everyone on that shift should know how to quickly contact the security forces. It can be very dangerous for them to approach a stranger themselves in an attempt to get them to leave.

This suggestion may not seem to fit in the context of this book, but let me mention it anyway. There is another very good reason to train your janitorial team (at least the team supervisors) to be extra watchful during the evening and night shift work hours. I have been teaching bomb recognition classes for the past 20 years. These same social engineering skills and physical building penetration methods could apply in any situation where the collective bad guys are trying to get into your building. The eyes and ears of the people who work in your building every day are critical when it comes to detecting anything or anyone unusual in the vicinity of the building. Bomb recognition training for key individuals and having an effective bomb incident plan are countermeasures that can be employed with considerable effect.