One American expat is breaking into Denmark’s critical infrastructure, government offices
and major companies in an effort to safeguard the country from global security threats.
Photographs: Brian Harris
Text: Sarah Redohl
It’s 9 a.m. Monday morning and a friendly American expat named Jason wanders into a downtown Copenhagen office. “I just started working upstairs and wanted to introduce myself,” he says to the front desk attendant. “Gosh, your coffee smells amazing,” he adds after some polite small talk. When she offers him a cup, he accepts and laments about his lingering jet lag and the broken coffee machine in his office that won’t be fixed until Friday. She invites him to return for coffee every morning that week.
Over the next few days, Jason learns which cleaning service the company employs, and when they arrive, he clones the attendant’s RFID badge and swipes a company lanyard. From a nearby cafe, he watches the cleaning staff arrive through the back entrance and uses his stolen badge to scan into the front entrance. Donning the stolen lanyard, he pretends to be a poor employee working late into the evening while lockpicking his way into every employee locker, stealing corporate documents, pilfering project source code, and planting bugging devices.
But Jason is neither thief nor spy. His name isn’t even Jason. He’s Brian Harris, a physical and cybersecurity penetration tester hired by the company to break into its own office. It’s an unusual profession, one that Brian has honed by breaking into major companies, government facilities, and critical infrastructure across the globe over the past decade — and, for the past three years, in Denmark.
Growing in global importance
Less than a year before Brian relocated to Denmark, the Nordic nation’s largest telecommunications company was the target of a high-profile case of corporate espionage. In March 2019, TDC Holdings was ready to award Ericsson a lucrative contract to upgrade its network to 5G. At the last minute, Huawei surprised TDC with an updated bid undercutting Ericsson — despite the confidentiality of the competing companies’ proposals.
“The resulting investigation by TDC would, over the next four weeks, take the company into a kind of paranoid twilight zone,” reported Bloomberg News. “Its senior management fell under suspicion; its offices were potentially compromised; and employees reported being tailed by shadowy strangers.”
TDC ultimately selected Ericsson for the contract, but the event illustrates the importance of physical security in a world that has spent decades enhancing cybersecurity.
What is physical security?
Physical security is the protection of personnel and property, networks and data, and hardware and software from physical attacks. However, Brian says, most companies have never done a physical pentest to determine vulnerability to such an attack.
“Many companies think they’re safe as long as they have locks and alarms,” he says. “Imagine if companies thought they were safe from cybersecurity threats as long as they have firewalls and antivirus, without ever testing these systems.”
However, a company’s physical security is often easier to compromise than its cybersecurity, Brian says. “In my earlier example, I was able to compromise that company in less than a week,” he says. “Could you have done that through the internet? Probably, but you’d have to be very sophisticated and very lucky to do so that quickly and completely.”
“If you have no physical security, you have no cyber security.” - Brian Harris
Teach what you know
To expand the expertise required for successful physical pentests — a rare combination of covert entry, cybersecurity, and charisma — Brian has taught a course on the subject for several years. His five-day course covers everything from lockpicking and safecracking to alarm bypassing and social engineering.
Jessika, a professional in Denmark’s transportation industry, attended the course to better contribute to her employer’s growing investment in physical security assessments. “A one-hour discussion with Brian was already enough to know that five days would significantly improve my technical knowledge,” she says. “I’m very impressed by the amount of information we got on the technical side of black teaming, and I’m looking forward to using it in real-life cases.”
Another former student, Andrada Son, a cybersecurity headhunter, says her new skills will prepare her for what she anticipates to be a growing market in her industry. “Many companies are opening their eyes to the importance of physical security,” she says. “Already, some European countries are making rules and regulations for companies that require a high degree of security, such as critical infrastructure. First, the companies under pressure of legislation and regulations will start demanding [these services] from their suppliers, and it will be a chain reaction as other companies follow their lead. Soon [physical security] will be a booming market.”
Students interested in Brian’s course or companies interested in his security services can find him on LinkedIn (in/brian-harris-a3838199).
Duping the Danes
Cultural observation is key to the social engineering aspect of Brian’s work. “When I travel for an assignment, I play tourist for a while to see how people treat one another, how situationally aware they are, what the cultural norms seem to be,” he says. “For example, Danes are generally friendly, helpful, and trusting. This makes them very vulnerable to what I do.”
However, every culture has its vulnerabilities. In Germany, for example, Brian might opt for an authoritative approach. “Official-looking documents and badges, citing bureaucratic procedure, and acting like an authority figure are more likely to work in Germany, but I would never take such an authoritarian approach in Denmark.”
Although Brian’s foreignness might make it a challenge to blend in, he says it’s more of an asset than a liability. “I’d never pretend to be Danish,” he says. “But I can feign naivete in a way that a Dane can’t. By playing the role of a tourist or a new arrival — like I did in the example I gave you — I have an excuse to ask questions and break cultural norms.”