Smoking is Hazardous to Facility Security Health

This is a vulnerability that most companies have. Fortunately it can be addressed fairly quickly for little or no cost, depending upon the security measures currently in place.

A retired friend of mine liked to demonstrate this vulnerability to security managers and senior executives, with the CEO or other senior executive being his accomplice. (He would obtain a “get out of jail free” letter from the CEO in advance, stating that he is performing a security test and asking the person reading the letter to escort him to the lobby and then call the CEO’s office. He would need this letter only once out of every dozen or so tests.)

My friend would find an outside smoking area in the rear of the building or a courtyard, and hang out there with a home-made ID badge similar in color scheme to those issued by the target company, but with a different company name. Not a counterfeit badge, just something similar. He put the badge around his neck or clipped it on backwards to obscure clear view. (Typically only at an airport or other critical infrastructure facility will employees ask to see the face of your ID badge.)

He would stand slightly away from the building talking on his cell phone (i.e. a common behaviour). If there were any security cameras, he would position himself within the view of the cameras, so he could later demonstrate how he obtained access. While talking on the phone he would mention the name of some current company project or business unit, so those around him assume that he’s part of the gang.

Now comes the tricky part. He would follow the last smoker going back inside the building and say, “Excuse me, could you direct me to the front lobby? My escort was supposed to come back to get me, but I need to get back to work and he must have gotten stuck in a meeting or something.” This would work especially well if it was raining or cold outside.

He would continue, for example, “I think it’s down this hallway, two rights and a left.” Most of the time the person would NOT escort him, but would simply confirm that his directions were correct. (If confronted directly about his identity and what his business was in the building, he simply showed his “get out of jail free” letter.)

After confirming his directions, he would start walking towards the lobby, but when alone in a hall would change his direction, and head straight for the CEO’s office. He would present himself and the letter to the executive receptionist or the CEO’s assistant. Much of the time the CEO was surprised to see him. Sometimes he was expected to show up, because the CEO had already done a “dry run” of the technique and had seen the vulnerability.

NTA Monitor reported this growing vulnerability on its website in February 2007 in an article titled, “No smoke without fire.” The article reports their test (the bold emphasis is mine):

In a recent social engineering test undertaken by NTA, a tester was able to easily gain access to a corporate building through a back door that was left open for smokers. Once inside, the tester requested to be taken to a meeting room, claiming that the IT department had sent him. Even without a pass, he gained access unchallenged and was then able to connect his laptop to the VoIP network via a telephone point.

Thus it is clear that this vulnerability should be of concern to both physical and IT security managers as well as to management.

Any perimeter door and any room with network connection points for computers or phones should be subject to strict security access policy that is monitored, enforced and audited. Additionally, for all such areas, security education is critically important.
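One concrete form that “monitored, enforced and audited” can take is an automated review of the access-control system’s own event log. The following is an added example, not code from the article or from NTA Monitor; the log format, door names, badge numbers and thresholds are all assumptions constructed for illustration. It flags the three failure modes a smoker door tends to produce: a door held or propped open beyond a threshold, a door opening with no badge grant or request-to-exit (REX) shortly before it, and a badge that re-enters the building without ever having badged out (anti-passback).

```python
"""
Audit constructed badge-reader / door-contact events for smoker-door failure modes.
Assumed event kinds: BADGE_IN (entry grant), BADGE_OUT (exit reader grant),
REX (request-to-exit button or motion sensor), DOOR_OPEN, DOOR_CLOSED.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, door, event kind, badge id.
SAMPLE_LOG = """\
2007-02-12T09:58:10 LOBBY-A BADGE_IN    badge=1041
2007-02-12T10:01:05 REAR-B  REX         badge=none
2007-02-12T10:01:06 REAR-B  DOOR_OPEN   badge=none
2007-02-12T10:01:55 REAR-B  DOOR_CLOSED badge=none
2007-02-12T10:09:40 REAR-B  DOOR_OPEN   badge=none
2007-02-12T10:09:44 REAR-B  DOOR_CLOSED badge=none
2007-02-12T10:20:00 LOBBY-A BADGE_IN    badge=1041
2007-02-12T10:25:00 LOBBY-A BADGE_OUT   badge=1041
2007-02-12T10:30:00 LOBBY-A BADGE_IN    badge=1041
"""


@dataclass
class Event:
    ts: datetime
    door: str
    kind: str
    badge: str  # badge id, or "none" for door contacts and REX


def parse_events(text: str) -> list:
    """Parse the assumed four-column log format into time-ordered Event records."""
    events = []
    for line in text.strip().splitlines():
        ts, door, kind, badge_field = line.split()
        events.append(Event(datetime.fromisoformat(ts), door, kind, badge_field.split("=", 1)[1]))
    return sorted(events, key=lambda e: e.ts)


def audit(events, held_open=timedelta(seconds=30), grant_window=timedelta(seconds=5)):
    """Return (timestamp, door, code, detail) findings. Codes: HELD_OPEN, NO_GRANT, ANTI_PASSBACK."""
    findings = []
    last_grant = {}   # door -> time of the most recent BADGE_IN / BADGE_OUT / REX at that door
    open_since = {}   # door -> time the door contact last reported open
    inside = set()    # badges whose most recent reader event was an entry grant

    for e in events:
        if e.kind in ("BADGE_IN", "BADGE_OUT", "REX"):
            last_grant[e.door] = e.ts
            if e.kind == "BADGE_IN":
                if e.badge in inside:
                    findings.append((e.ts, e.door, "ANTI_PASSBACK",
                                     f"badge {e.badge} re-entered without an exit read"))
                inside.add(e.badge)
            elif e.kind == "BADGE_OUT":
                inside.discard(e.badge)
            # A REX exit attributes nobody, so occupancy state is left unchanged.
        elif e.kind == "DOOR_OPEN":
            open_since[e.door] = e.ts
            granted = last_grant.get(e.door)
            if granted is None or e.ts - granted > grant_window:
                findings.append((e.ts, e.door, "NO_GRANT",
                                 "door opened with no badge grant or REX in the preceding window"))
        elif e.kind == "DOOR_CLOSED":
            opened = open_since.pop(e.door, None)
            if opened is not None and e.ts - opened > held_open:
                secs = int((e.ts - opened).total_seconds())
                findings.append((e.ts, e.door, "HELD_OPEN", f"door held open for {secs}s"))

    # Any door still open when the log ends is reported as held open.
    for door, opened in open_since.items():
        findings.append((opened, door, "HELD_OPEN", "door still open at end of log"))
    return findings


def audit_log(text: str):
    return audit(parse_events(text))


if __name__ == "__main__":
    for ts, door, code, detail in audit_log(SAMPLE_LOG):
        print(f"{ts.isoformat()} {door:8} {code:14} {detail}")
```

Note what the anti-passback check can and cannot see: it catches a badge that enters twice with no exit read in between (badge sharing or a badge that left through a REX-only door), but it cannot see a second person walking in behind a legitimate badge read, since that produces exactly one grant. The held-open and no-grant checks are the ones that surface a propped smoker door, and a door whose exits are REX-only will never contribute to occupancy tracking at all, which is one reason the well-secured sites described later in this post route smokers back in through a card reader at a manned lobby.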

I have also found several companies who do have very good security access for smoking areas. The ground floor smoking areas require exiting and re-entering the building at a security-manned lobby by use of an access card. Visitor escort is visually verified by a security officer. Third floor and higher smoking balconies are not directly accessible from the street and no trees or other means exist to facilitate unauthorized access to the balcony smoking areas. There are no second floor smoking balconies without strong video and access control security measures.

You can test the effectiveness of your own facility’s security policy for smoking areas (is there one?) simply by asking people who are outside smoking, “What is the security policy regarding the use of this door?” In the past six months I have asked that question in the smoking areas of dozens of buildings, and only at one company have two employees independently given me the same answer. I am not saying that policy knowledge alone will suffice; just that I didn’t find policy knowledge common.

How is smoking affecting the health of your facility’s security?

Best regards,
Ray Bernard

