But for all of the stringent perimeter security that can be found overseas, Milam has found that social engineering is an effective way to circumvent those measures, and cultural differences are often a factor in his team's success. He mused about the time an American company asked that he and his team at Accuvant attempt to access its warehouses in Japan, and how easy it was for them to essentially walk right in.
"It's basically two American boys who don't speak a lick of the language," says Milam. "But once we got to Japan, we found that they're taught to be helpful and respectful and not always question people. They're going to want to help us instead of asking directly, 'What are you doing here?'"
Milam went on to explain that, as with every physical security pen test, he and his team did prior research and preparation. But in this particular case, he and his partner had it easy: they were able to find pictures of the company's employee and contractor badges online. So, after printing out fake badges, Milam went over to Japan with a falsified letter stating that he had been sent by an American company and was to be given access to the facility.
"We played the role of dumb Americans while we were there," he says. "We got cars from the hotel, stepped out of a Mercedes at the [target] building, and nobody questions us. They just let us into the secure environment. One door in, one door out. We took pictures of ourselves with our arms around the guard at the end."
To further ensure that the warehouse security staff would have to venture out of their comfort zones to question Milam's authority, he made sure to arrive at the site when it was 3 AM back in the US, where the company's headquarters (the office he was ostensibly sent from) is located. If any of the guards wanted to call and confirm that Milam was actually supposed to be there, they would have to drag somebody out of bed -- and it appears that none of them were willing to do that.
"What we found was a submissive environment; they never want to seem disrespectful in any way, shape, or form," says Milam, who adds that he encountered the same type of environment while pen testing the same company's warehouses in China. "They didn't want to disrespect us because we looked like we had the proper badges. They weren't used to having someone from the US come over, and here we were with our friendly faces and big badges."
In some cases, even the badges weren't necessary; people's reticence to challenge what Milam was doing at their building was more than enough. He mentions a time he was hired to infiltrate an oil refinery company's building in Holland and how, because of the use of man traps -- where you swipe a badge, step into a tube, get scanned, and step out the other side -- he couldn't just walk right in.