Finance Monthly April 2020 Edition

Penetration Testing This is where we put a company’s current security protocols to the test and attempt to penetrate the building. We then suggest further procedures for implementation to keep your staff and assets safe. We have penetrated financial institutions, airportsandbusinesses working in sensitive areas. How do you approach these cases of penetration testing and TSCM (Bug Sweeps)? Our penetration testing teams are regularly tasked with planning and physically penetrating sensitive corporate buildings nationwide, however, there’s a specific case I’d like to share, which perfectly illustrates the process. We were requested to orchestrate an attack on a bank. It almost felt wrong - as if we were planning a bank robbery or the Hatton Garden safe deposit burglary. We had to keep reminding ourselves that the bank had requested this and that we had lawful authority. 1. Information Gathering The first phase was the information gathering. Thiswasmainly executed by conducting open-source research into the bank’s location, obtaining building interior layouts, clients, staff and any information that could be graded as potentially useful to the penetration. 2. Vulnerability Analysis The second phase was the vulnerability analysis stage. This consisted of many hours of static observations monitoring multiple exits, payingattention to the routine comings and goings, deliveries, periods of increased footfall, methods of entry, identification passes and monitoring the current security protocols in place. This was a difficult stage, not attracting third- party attention, sparking a security alert at the bank or worse, still attracting police attention. Due to the excellent fieldcraft of our expert penetration testers, none of the above was experienced. 3. Exploitation This is the planning phase which takes into account all of the information gathered in phases 1 and 2. We settled on two methods of penetration. One was an overt method and the second was a covert method. 4. Overt Penetration Method We decided on courier delivery. Several names of current employees were identified in phase 1 and we had confirmed that one, in particular, was still working at the bank. We entered the bank via a trade entrance and began to relay our cover story to security personnel. Worryingly, we weren’t requested to provide any identification to support the fact that we were a bonified courier or indeed who we said we were. We were signed in, in a false name and given a security fob to access the building unaccompanied. Our courier was able to access the desired floor of the bank where therewas a receptionwith amember of staff behind it. We were unable to gain any further access without being observed so the courier withdrew after delivering the parcel. 5. Covert Penetration Method The covert method was for the penetration tester to get comfortable in the lobby of the bank close to the security barriers during the busy morning rush of staff entering the building. The penetration tester then selected a victim and brazenly timed his run, What are the most common cases you work on when it comes to corporate investigations? Corporate investigations are very diverse and we provide bespoke investigation plans to suit the objective and budgets of our clients. Our most common services are: Technical Surveillance Counter Measures (TSCM) More commonly known as bug sweeps. A large proportion of companies conduct regular bug sweeps to ensure that there are no eavesdrop or video cameras covertly installed within their business premises. Absenteeism Certain businesses have an absenteeism culture which in some cases when investigated if the suspicion isn’t already prevalent, are proved to be fraudulent. Vehicle Tracking This has proved useful when businesses suspect that employees (such as sales personnel) are not meeting their requirements in relation to visiting customers or have inflated mileage expenses, etc. Surveillance This is a powerful tool and we have successfully proven that company directors have been inappropriately involved with competitors, as well as intellectual property theft, breaches of contract, moonlighting and company thefts. Lie Detector/ EyeDetect Examinations This has been deployed to identify culprits in large scale company thefts. BANKING & FINANCIAL SERVICES - CORPORATE INVESTIGATIONS 31 www.finance-monthly.com