A Picture is worth a thousand vulnerabilities...

Recently I went into a business that was moving. They had various posters and brochures touting all the advantages of this move to a new building. The building was apparently brand new, still under construction and to provide customers with some insight the business posted the new buildings floor plan. It showed the new layout of the business as well as entrances, bathrooms, staff rooms, a security room, the server room, etc. My focus immediately went to the security room, server room and other secure rooms. This floor plan included detailed schematics of all the rooms including which way the doors opened and where all the assets are located. My first thought was that this company , in it’s eagerness to share it’s excitement with customers, opened a potential security hole .

I can understand a company wanting to show the new layout, but perhaps taking off some of the more confidential information would have been a good idea. This floor plan had been blown up to poster proportions and left nothing about the building to the imagination. Let me run a possible scenario past you regarding this.

Let’s call this company LDV, and say they deal with money in some form. John Doe walks into the business. He notices the floorplan, and being a clever soul he immediately notices the information regarding the server room as well as the vault room. John’s lived in this city all his life and has some friends who are on the construction crew for this new building. He manages to get onto the crew and get’s a firsthand look at the Financial company’s layout. He knows the measurements of the rooms and the location of the money as well as security cameras.

Months pass and the building is completed. The company moves into the building and opens successfully. One night the manager gets a call that the alarm has gone off and he goes to investigate. He meets the police and they discover the building was broken into and an undisclosed amount of money and customer information (on a server) was taken.

They check the security cameras only to find the robber covered his face and never faced directly at the camera. He seemed to know where he was going and got in and out before they could get there. They find the vehicle he used abandoned and the police start to lose hope of catching him.
At the post-mortem meeting about the break-in the managers and higher-ups discuss how this could have happened.

A far-fetched example of what can happen when you don’t think about security from literally the ground up.

Here’s another example, with only the facts:
You enter a fast food restaurant, it’s early morning so there are few customers. You see one man at a table drinking his morning coffee and engrossed in his newspaper. There is a woman at the counter ordering food, her familiarity with the employee behind the counter telling you this customer is an employee here on her day off. There are two more employees in the kitchen, cooking and chatting with each other. One of the employees in the kitchen is new and having trouble with something. The plainclothes employee offers to help and goes behind the counter and into the kitchen. On the counter near you she has left her car keys and a company swipe card, it’s a Proxcard II HID. She is gone for approximately 5 minutes, and while she is gone, all of the employees have stopped paying attention to the counter.

What could be done in these 5 minutes?