This is the story of an actual break-in, the physical security weaknesses discovered in the post-break-in assessment, and what was done to strengthen protection of physical, financial, and information assets, as well as a computer containing employee information. As always, the names of both people and places (as well as a few facts) have been changed to protect the neglig… uh… the innocent.
The morning after Christmas, Joe Kim, the owner of the Pavilion restaurant and a family friend, called to inform me that someone had broken through the back door and stolen some money from the register. Joe asked that I come over and take a look. He wanted my help securing the building and strengthening the Pavilion's physical security.
When I arrived, Joe took me to the point of entry. The back steel security door had been pried open. Figure 1 shows a similar door at the back of the unit next to the Pavilion.
A crowbar, or like instrument, had been placed in the opening between the door and the door jamb. The door was then pried/bent enough to break the panic bar latch. An example panic bar is shown in Figure 2.
I walked through the damaged door and asked if the alarm had sounded when the intruder opened the door. "What alarm?" Joe answered. He then led me to the register from which the money had been removed.
The "register" was a simple cash drawer connected to a point-of-sale terminal. There was no apparent damage. When I asked about this, Joe pointed to the register key in the drawer lock.
"We always leave the key in the drawer so we don't lose it," he said. "Besides, we only keep loose change in there after closing. They got less than $20."
Since my area of expertise is actually protecting information and information infrastructure, I asked Joe if the server was stolen or damaged. He took me to the office. The computer was still under the desk and there hadn't been any attempts to log in. "You must have had the door to the office locked," I commented.
Joe shook his head. "No, we always leave it unlocked. We must've just been lucky."
"So were the employees," I thought, since I know the computer contains their payroll information (i.e., names, addresses, dates of birth, social security numbers, etc.).
After the tour, I sat with Joe and made a list of things he needed to do to deter entry, limit an intruder's time on site, and increase the difficulty of reaching and accessing critical or sensitive systems. The list was simple.
Fix the lock and prevent easy access by crowbar. Local ordinance prohibits installation of a bolt lock on any door marked as an emergency exit. So the best way to hinder attempts to pry a door open is with a steel plate covering the opening between the door and the lock-side jamb, as shown in Figure 3.
This isn't perfect, but it should act as a sufficient deterrent for someone wanting quick entry by applying a crowbar to the latch. And it fits within Joe's budget. A quick call to a locksmith, and the plate was installed and the latch repaired within two hours.
Install an alarm system. No physical structure is entirely secure against a determined intruder, especially a business like the Pavilion with more glass than concrete making up its outside walls. So someone—preferably the police—should be alerted when an intruder gains access. Further, a loud audible alarm will often cause an intruder to leave immediately, or at least spend far less time on the premises. I advised Joe not to spend thousands on alarm installation. For less than $500, he can install alarms on his doors and motion sensors in critical locations within the restaurant. Monthly monitoring costs are less than $50.
Lock the office door. The server has a very strong password, and it would take some time to remove it from its home under the desk. But cracking passwords or disconnecting the server are doable if an intruder is given enough time. An alarm system and a locked office door should provide reasonable and appropriate protection against a successful hack via physical access. (In any case, I plan to discuss encryption with Joe on my next visit.)
Leave the cash drawer open after business hours. Joe removes all cash from the premises when he closes for the day. Leaving the drawer open prevents theft of the drawer or damage when trying to open it onsite. This is exactly what happened at the pizza shop at the other end of the plaza. They were broken into the same day as the Pavilion. The intruders stole a locked safe. Little did they know there was no money in it, but they still took it so it could be opened in a less risky environment. Unlike the safe, however, inability to use the cash drawer would hinder restaurant operations. So, since there is nothing of any real value in the drawer, leave it open. I also suggested he post a notice on the back door that no cash is kept on the premises after closing… and put the cash drawer key on his key ring.
Joe isn't the only small business owner with security issues. Limited budget and ignorance of simple security techniques result in easy pickings for thieves and vandals. As shown in this post, it doesn't take much to provide just enough security to protect business operations and employee data.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.