Book Review: How I Rob Banks (And Other Such Places)

How I Rob Banks (and other such places) by FC (a.k.a. FREAKYCLOWN) achieves something that’s truly rare. It’s a book about security that’s also fun. It reads like a well-wrought crime novel. FC is a renowned ethical hacker who makes his living breaking into buildings whose owners want to test their physical security countermeasures. He’s a penetration tester (pentester) for doors, locks, and security guards rather than firewalls.

FC has a knack for storytelling. He creates suspense. He has a sense of humor. The book comprises over 70 separate anecdotes, which are detailed enough to be fascinating and informative, but understandably scrubbed of client-revealing detail.

Still, what he can share about his exploits is eye-opening for anyone involved in security. He’s broken or talked his way into a wide variety of high-security places. These include major banks, a fancy private bank for extremely wealthy people, a government intelligence facility and many others.

To achieve these outcomes, FC employs a number of specialized capabilities. For one thing, he’s an extremely talented and experienced social engineer. He can be like a chameleon, blending into the background or assuming any number of suitable personas in order to gain the confidence of people who should be treating him with a lot more suspicion. He also has a bunch of basic burglar skills, like lock picking, knowledge of electronic doors and so forth.

His experiences drive home some important lessons for security architects. One is that security culture is critical. Many times, FC is able to worm his way into a business by befriending employees who don’t get enough attention from the higher-ups. Or, he pretends to be a senior executive or government regulator, and carries certain markers of high status, to silently encourage people to open doors for him that should stay locked. He is very good at understanding how people get bored and don’t register anomalies that they should, like someone pushing a cart full of classified documents down a hallway.

One of his biggest criticisms of the security systems he encounters is overconfidence in a secure perimeter. This is a major issue in cybersecurity as well, especially in this age of ransomware. Too many times, he shares, once he gets through the door, he finds internal security unforgivably lax or complacent. People tend to assume that if he’s inside the building, wearing a (fake) badge, he must belong there. Wrong! In cybersecurity, the countermeasure for this is network segmentation, the setting up of internal barriers to prevent lateral movement. In buildings, it would be more mantraps and locked doors.

Another significant takeaway is a warning not to equate cost with quality in physical security. He shares a brilliant account of getting through a special security door that cost almost $100,000. By observing it (standing in a muddy pond for five hours in the middle of the night) he notices that it’s been set to a default mode that opens the door exactly every 30 minutes.

This is an example of FC’s talent for understanding how people actually think and work. He gets that the installers of the door are not security experts, but rather construction people. They don’t know about security. They don’t care about security. They haven’t been instructed about security, so they put the door in to solve their problems, not the customer’s. The expensive door is exposed to breach.

Physical security is a close cousin of cybersecurity. The two go together. Breaking into a building is often a first step to gaining unauthorized access to its network, which he in fact does in this book. Companies that want to test their physical security are wise to make this investment. The book offers a lot of insights that anyone involved in security will find valuable in getting better at his or her job.