I used to work for a company that shall remain nameless, just in case their lawyers are reading this. We had a couple of security-related incidents that illustrated just how illusory physical security can be in everyday companies. Here are two amusing (and true) stories with four serious lessons to be learned from them:
Over The Top
During a particularly stressful roll-out of an important software project, a customer came on-site to supervise (read: micromanage and browbeat) the final development process.
After several grueling days of work, the code monkeys all trickled home late into the evening, while the customer stayed in the office at his own insistence to keep working. He wanted a key to our server room “in case something happened,” which our IT guy wisely refused. He could stay in the office, but the main door would lock behind him and he would have no access to our servers. The IT guy wouldn’t budge, so eventually the customer relented (which should have alarmed us).
Sure enough, when the customer was all alone later that night, something did happen: The server he was using needed a reboot. (Yep, Windows NT Server, how’d you guess?) A reasonable person at this point would have either gone home for the evening or called the IT guy. Customers, of course, are rarely reasonable, so he opted for Door #3: Break into the server room and reboot it himself.
Our office space was pretty typical, with solid-core doors and reasonably good locks, so there will be no picking locks or kicking in doors in this story. If you’re reading this at work, stop reading for a second and look up. Do you see a paneled drop ceiling? That’s what we had, along with the standard enclosure walls that aren’t load-bearing. Thus, if you pop up those ceiling tiles next to the wall, there’s often an 18″–24″ gap between the structural ceiling and the top of the wall.
Our intrepid customer stood on a chair in the hallway outside the server room, popped a ceiling tile in the grid, and crawled up over the wall in the ceiling gap, lifted out a tile in the server room, and jumped down. He rebooted the server, replaced the tile, and walked out. Not exactly Mission Impossible, but it got the job done. When our livid IT guy discovered the breach in the morning (ceiling tile dust everywhere), the customer was “encouraged” by management to return home and browbeat us from a safe distance.
Lesson #1: Don’t let non-trusted personnel stay in your facility without a minder, even if you think everything is locked down. Locks, after all, are primarily to keep honest people honest.
Lesson #2: Layered security is important. If you’ve ever had to cut a hole in drywall, you realize that an interior wall is nine-tenths illusion and can easily be breached. Spend the extra money to get cage racks for your servers, the kind that can be bolted to the floor and locked.
Fire At Will
The company was growing and we now occupied two floors of the building. We didn’t want strangers wandering in on the floor sans receptionist, however, so a security firm was brought in to recommend and install a door code system for the employees.
When you got off the elevator, there were two frosted glass doors with handles that pulled outward. These were already in place, so the security firm opted to install magnetic latches at the top of the doors. No human bean could force the magnets apart when engaged, so that part worked just fine. To enter, you keyed your personal code into the keypad to the right of the doors.
To exit from the inside, you simply had to approach the doors and a motion detector would disengage the magnetic locks by the time you touched the handle. It was simple, elegant, and expensive.
I came back from lunch to find our CTO standing outside the newly-secured doors, rather pleased with the new setup. He explained to me how it worked, but something didn’t sound quite right. I asked, “How does that motion detector on the inside work?” He explained that it works on infra-red, so that not just any motion will trigger it, but only the body heat of a person. I paused for a second, and asked if I could have a sheet of paper from his notebook. I folded the piece lengthwise to give it some rigidity. Now for the fun part.
I took a breath: “Can I have your permission to set this on fire?” Amused, he took out his lighter and handed that to me as well. I lit the end of the paper and then slid it vertically between the glass doors at chest level. I was standing outside the doors, but now the flaming end of the paper was inside the office space, right beneath the motion detector. The heat of the flame triggered the detector, and the doors unlocked.
The CTO, needless to say, was p*ssed. A flaming piece of paper defeated his $$$ security system in under 2 seconds. The elegant solution was useless. I didn’t hear the phone call he made to the security firm, but I bet it wasn’t pretty. (In the re-telling, he remembers the flaming paper vector to be his idea.)
Within a week the motion sensor was removed, and a huge red “PUSH TO EXIT” button was installed to the side. I can’t tell you how many days it took before people stopped smashing into the magnetically-locked doors and remembered to push the button first.
Lesson #3: Get a second opinion before you implement a security system. Have another firm (or team) evaluate the first proposal to identify potential flaws.
Lesson #4: Good security is rarely convenient. I cursed that red button nearly every day I worked there. Inconvenient, but much better than the motion detector for that setup. Better still, the glass doors should have been replaced with wood or steel, one with an overlapping lip to thwart lock picking and flaming pieces of paper. (In that case, the motion detector could have stayed.)
—
Do you have any security horror stories to tell? I’d love to hear them.


1 response so far
1 tech povera // Sep 14, 2007 at 2:00 am
LOL. Especially the mission impossible comparison.