
Anatomy of a small business break-in


This is the story of an actual break-in, the physical security weaknesses discovered in the post break-in assessment, and what was done to strengthen protection of physical, financial, and information assets, including a computer containing employee information. As always, the names of both people and places (as well as a few facts) have been changed to protect the neglig… uh… the innocent.

The morning after Christmas, Joe Kim, the owner of the Pavilion restaurant and a family friend, called to inform me someone had broken through the back door and stolen some money from the register. Joe asked that I come over and take a look. He wanted my help securing the building and strengthening the Pavilion’s physical security.

When I arrived, Joe took me to the point of entry.  The back steel security door had been pried open.  Figure 1 shows a similar door at the back of the unit next to the Pavilion.

Figure 1: Example of undamaged door

A crowbar, or similar instrument, had been placed in the opening between the door and the door jamb. The door was then pried and bent enough to break the panic bar latch. An example panic bar is shown in Figure 2.

Figure 2: Panic bar example

I walked through the damaged door and asked if the alarm had sounded when the intruder opened the door.  “What alarm?” Joe answered.  He then led me to the register from which the money had been removed. 

The “register” was a simple cash drawer connected to a point-of-sale terminal.  There was no apparent damage.  When I asked about this, Joe pointed to the register key in the drawer lock. 

“We always leave the key in the drawer so we don’t lose it,” he said.  “Besides, we only keep loose change in there after closing.  They got less than $20.”

Since my area of expertise is actually protecting information and information infrastructure, I asked Joe if the server was stolen or damaged.  He took me to the office.  The computer was still under the desk and there hadn’t been any attempts to log in.  “You must have had the door to the office locked,” I commented. 

Joe shook his head.  “No, we always leave it unlocked.  We must’ve just been lucky.” 

“So were the employees,” I thought, since I know the computer contains their payroll information (i.e., names, addresses, dates of birth, social security numbers, etc.).

After the tour, I sat with Joe and made a list of things he needed to do to deter entry, limit an intruder’s time on site, and increase the difficulty of reaching and accessing critical or sensitive systems. The list was simple.

  1. Fix the lock and prevent easy access by crowbar.  Local ordinance prohibits installation of a bolt lock on any door marked as an emergency exit.  So the best way to hinder attempts to pry a door open is with a steel plate covering the opening between the door and the lock-side jamb, as shown in Figure 3.

     This isn’t perfect, but it should act as a sufficient deterrent for someone wanting quick entry by applying a crowbar to the latch.  And it fits within Joe’s budget.  A quick call to a locksmith, and the plate was installed and the latch repaired within two hours.

     Figure 3: Door with security plate

     
  2. Install an alarm system.  No physical structure is entirely secure against a determined intruder, especially a business like the Pavilion with more glass than concrete making up its outside walls.  So someone—preferably the police—should be alerted when an intruder gains access.  Further, a loud audible alarm will often cause an intruder to leave immediately, or at least spend far less time on the premises.  I advised Joe not to spend thousands on alarm installation.  For less than $500, he can install alarms on his doors and motion sensors in critical locations within the restaurant.  Monthly monitoring costs are less than $50. 

  3. Lock the office door.  The server has a very strong password, and it would take some time to remove it from its home under the desk.  But cracking passwords or disconnecting the server are doable if an intruder is given enough time.  An alarm system and a locked office door should provide reasonable and appropriate protection against a successful hack via physical access.  (In any case, I plan to discuss encryption with Joe on my next visit.)

  4. Leave the cash drawer open after business hours.  Joe removes all cash from the premises when he closes for the day.  Leaving the drawer open prevents theft of the drawer or damage when trying to open it onsite.   This is exactly what happened at the pizza shop at the other end of the plaza. They were broken into the same day as the Pavilion.  The intruders stole a locked safe.  Little did they know there was no money in it, but they still took it so it could be opened in a less risky environment.  Unlike the safe, however, inability to use the cash drawer would hinder restaurant operations.  So, since there is nothing of any real value in the drawer, leave it open.  I also suggested he post a notice on the back door that no cash is kept on the premises after closing… and put the cash drawer key on his key ring. 

Joe isn’t the only small business owner with security issues.  Limited budget and ignorance of simple security techniques result in easy pickings for thieves and vandals.  As shown in this post, it doesn’t take much to provide just enough security to protect business operations and employee data.

About

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...

11 comments
Oz_Media

I think anyone who doesn't understand the most primary concepts of securing a business should not be in business anyway. I always wonder why clients invest in physical security AFTER the fact. They will do it all the very next day after a break-in, why not as a preventative effort instead? Cheap baystards.

reisen55

Excellent small business story. And the idea of leaving the cash register open is brilliant. If you want total server security, but this is for the truly paranoid - BIOS password protect the server. Whoever steals it would have to spend at least some time on that one. Encryption of key data is another good idea.

Neon Samurai

Cheers for sharing a real-life example case.

cg.dorn

This is just a good set of tips for a retail environment in general. Not only that, they can be applied to other businesses as well. I really like the tip of making it obvious that there is nothing of value to take. Limit the damage if there is a break-in. This can be a good rule of thumb for both physical and logical intrusions.

Madsmaddad

That's because you live in God's country, where the natives are friendly, and there isn't a crime problem, only a snow problem. And it's not Queensland!

Neon Samurai

For mobiles, BIOS password, hard drive boot and TrueCrypt is a must. Admin passwords and hard drive first boot on servers and desktops also. Ideally, TrueCrypt them also, though it means a shared office passphrase and having to type in a server passphrase when rebooting. If you can somehow automate TrueCrypt without canceling out its purpose then you could do all machines in the business. BIOS admin password, boot loader password and hard drive first bootable are all good ideas for any machine though.

graham.moore

Instead of using a blocker plate, I'd recommend a full length, through bolted steel astragal on the back door. Windows should have ballistic rated (12 mil) security film installed. If there is a safe on the premises, make sure it's a burglary chest and not a fire safe. If the safe weighs less than 800 lbs, bolt it to the floor. Add a flashing light to the (loud) alarm siren installation. It further rattles the intruder and gives the alarm runner or police a visual indication of where to go when they are approaching the scene.

Oz_Media

Actually the problem is with natives, we saw a lot less snow than England did again this year. It snowed one night and we had about an inch on the ground for a day, roads cleared completely within hours. Crisp but sunny, hanging on the beach ever since. We then had a snowfall last week, about 5 inches overnight. I noticed around 11:30 PM, hopped in the truck and went driving all over town in the fresh snow. Having a 4X4 it's very rare to get a chance to use it around here and engaging it helps keep the front transaxle clean and lubricated. The next morning the roads were clear again, about an inch or two left on lawns etc. for a few days. I was at the beach having a few beers with a buddy yesterday; again, it was still chilly (around 10 Celsius/Centigrade) but really gorgeous and clear views of the mountains, white topped and sparkling with lights at the ski resorts. Now as for natives, you have a big problem if you live downtown and sell crack but other than that it's pretty tame. Still doesn't stop B&E's though, having been in the commercial and residential security business for quite a few years now there's a lot of money to be made in the security/alarm business and it's a very competitive market where the ball is always in the salesperson's court. I'm sure you had a point in there also though, perhaps you need a holiday to Vancouver! I know I didn't have a clue what it was really about when I lived in the UK either.

jerry~Beans

When I bought my latest house, I had a (good) locksmith come out for inspection and re-keying. I saw him pull up, then he disappeared down the street for 15 minutes, before he came in. I asked him where he went, and he said he was checking my neighbors' locks: "No point in putting in Schlage if everybody else has Kwikset. There's no such thing as a perfect lock, but that's okay - your lock just has to be a little bit better than your neighbors'."

AnsuGisalas

The one that works in defence: "What's the minimum amount of visible effort needed to shunt the potential perps off to the next potential victim?"

Oz_Media

But only to see who else on the block needs better security and to check window stickers to find out who's monitoring the local systems. The easiest way to canvass business is to see who else on the block needs you, place a quick call to your call center and have them call while you are in the neighbourhood. The easiest way to sell to a home owner is to mention you are working on their street. It goes back many decades, window washers still make it a standard practice. Find out who's home, call in the addresses and the call center sets up your appointments while you work away. "One of our security specialists is working on your block today and would be able to stop by and evaluate your security system to see that it meets the security of other homes in your neighbourhood. Thieves always seek out the weakest link. He'll be finished training the new homeowners down the road by 2PM, would you mind if he came and saw you around 2:15?" It's easy business and I've seen more than one alarm/lock company do it, in fact it's almost common practice to scope out neighbours' homes. Roofers do it, window installers do it... Mind you, the installer will probably say it was so you can have a better lock than your neighbours too.
