
COPENHAGEN’S CORPORATE JAMES BOND

ONE AMERICAN EXPAT IS BREAKING INTO DENMARK’S CRITICAL INFRASTRUCTURE, GOVERNMENT OFFICES AND MAJOR COMPANIES IN AN EFFORT TO SAFEGUARD THE COUNTRY FROM GLOBAL SECURITY THREATS.

IT’S 9 A.M. MONDAY morning and a friendly American expat named Jason wanders into a downtown Copenhagen office. “I just started working upstairs and wanted to introduce myself,” he says to the front desk attendant. “Gosh, your coffee smells amazing,” he adds after some polite small talk. When she offers him a cup, he accepts and laments his lingering jet lag and the broken coffee machine in his office that won’t be fixed until Friday. She invites him to return for coffee every morning that week.

Over the next few days, Jason learns which cleaning service the company employs, and when they arrive, he clones the attendant’s RFID badge and swipes a company lanyard. From a nearby cafe, he watches the cleaning staff arrive through the back entrance and uses his stolen badge to scan into the front entrance. Donning the stolen lanyard, he pretends to be a poor employee working late into the evening while lockpicking his way into every employee locker, stealing corporate documents, pilfering project source code, and planting bugging devices.

But Jason is neither thief nor spy. His name isn’t even Jason. He’s Brian Harris, a physical and cybersecurity penetration tester hired by the company to break into its own office. It’s an unusual profession, one that Brian has honed by breaking into major companies, government facilities, and critical infrastructure across the globe over the past decade — and, for the past three years, in Denmark.

Growing In Global Importance

Less than a year before Brian relocated to Denmark, the Nordic nation’s largest telecommunications company was the target of a high-profile case of corporate espionage. In March 2019, TDC Holdings was ready to award Ericsson with a lucrative contract to upgrade its network to 5G. At the last minute, Huawei surprised TDC with an updated bid undercutting Ericsson — despite the confidentiality of the competing companies’ proposals.

“The resulting investigation by TDC would, over the next four weeks, take the company into a kind of paranoid twilight zone,” reported Bloomberg News. “Its senior management fell under suspicion; its offices were potentially compromised; and employees reported being tailed by shadowy strangers.”

TDC ultimately selected Ericsson for the contract, but the event illustrates the importance of physical security in a world that has spent decades enhancing cybersecurity.

WHAT IS PHYSICAL SECURITY?

Physical security is the protection of personnel and property, networks and data, and hardware and software from physical attacks. However, Brian says, most companies have never done a physical pentest to determine vulnerability to such an attack.

“Many companies think they’re safe as long as they have locks and alarms,” he says. “Imagine if companies thought they were safe from cybersecurity threats as long as they have firewalls and antivirus, without ever testing these systems.”

However, a company’s physical security is often easier to compromise than its cybersecurity, Brian says. “In my earlier example, I was able to compromise that company in less than a week,” he says. “Could you have done that through the internet? Probably, but you’d have to be very sophisticated and very lucky to do so that quickly and completely.”

Teach What You Know

To expand the expertise required for successful physical pentests — a rare combination of covert entry, cybersecurity, and charisma — Brian has taught a course on the subject for several years. His five-day course covers everything from lockpicking and safecracking to alarm bypassing and social engineering.

Jessika, a professional in Denmark’s transportation industry, attended the course to better contribute to her employer’s growing investment in physical security assessments. “A one-hour discussion with Brian was already enough to know that five days would significantly improve my technical knowledge,” she says. “I’m very impressed by the amount of information we got on the technical side of black teaming, and I’m looking forward to using it in real-life cases.”

Another former student, Andrada Son, a cybersecurity headhunter, says her new skills will prepare her for what she anticipates to be a growing market in her industry. “Many companies are opening their eyes to the importance of physical security,” she says. “Already, some European countries are making rules and regulations for companies that require a high degree of security, such as critical infrastructure. First, the companies under pressure of legislation and regulations will start demanding [these services] from their suppliers, and it will be a chain reaction as other companies follow their lead. Soon [physical security] will be a booming market.”

Students interested in Brian’s course or companies interested in his security services can find him on LinkedIn (in/brian-harris-a3838199).

Duping The Danes

Cultural observation is key to the social engineering aspect of Brian’s work. “When I travel for an assignment, I play tourist for a while to see how people treat one another, how situationally aware they are, what the cultural norms seem to be,” he says. “For example, Danes are generally friendly, helpful, and trusting. This makes them very vulnerable to what I do.” However, every culture has its vulnerabilities. In Germany, for example, Brian might opt for an authoritative approach. “Official-looking documents and badges, citing bureaucratic procedure, and acting like an authority figure are more likely to work in Germany, but I would never take such an authoritarian approach in Denmark.”

Although Brian’s foreignness might present a challenge to blend in, he says it’s more of an asset than a liability. “I’d never pretend to be Danish,” he says. “But I can feign naivete in a way that a Dane can’t. By playing the role of a tourist or a new arrival — like I did in the example I gave you — I have an excuse to ask questions and break cultural norms.”

SARAH REDOHL WRITER & JOURNALIST

Originally from the American Midwest, Sarah’s work has taken her all over the world, from Amsterdam to Zambia and many places in between. She’s worked in print, broadcast, and online newsrooms; produced documentaries and virtual reality news experiences; and developed innovative journalism curricula for her alma mater, the University of Missouri—all for the sake of telling a good story. Sarah has travelled to more than 50 countries, reported from at least a dozen, and lived in several before settling in Copenhagen with her partner and their two (well-travelled) cats.
