Physical security is a very important, yet often-overlooked, element of a company’s overall security program. Even if your organization has strict IT security controls in place but neglects to strengthen its physical access controls, an attacker could potentially walk through your organization’s front door and gain physical access to your servers, or steal an unattended, unlocked laptop or mobile device that an employee left on their desk – granting them access to sensitive data.
While having strong IT security in place to secure sensitive data on devices and networks is critical, ensuring that your organization practices strong physical security is equally important. Organizations need to prevent attackers from walking in – whether by tailgating, emulating a badge, or bypassing two-factor authentication – and walking out with data, systems, or physical documents, or worse, leaving behind a new connection to your network as a persistent threat.
During our physical penetration assessments, we tend to focus on the security guards. We’ll impersonate an employee, contractor, or auditor, and convince the guard to allow us access through many different means – including having them hand over their keys to let us into a restricted area because we’re “performing badge or hardware inventory”, or whatever excuse best fits the company.
Whether we’re putting on a smile to tailgate behind a friendly employee, or acting frustrated or lost, we try to play on the human element. The human element – compassion and the willingness to help or resolve a situation – can be the strongest or the weakest layer of security. We will also make things uncomfortable when needed, as most people tend to avoid confrontation.
The biggest weapon an organization has against social engineering attacks is well-trained employees who have completed useful security awareness training. You must teach your employees the importance of asking questions, flagging suspicious interactions with unfamiliar faces to building authorities, and knowing how to properly escalate those situations to the correct department. Employees cannot be passive in high-security zones – they must actively look for things that are out of place – otherwise, attackers will have the space and time they need to bypass security systems.
There are quite a few tools that attackers can use to bypass physical security systems and gain access to your data center, your building, or even your executives’ offices, and they can be ordered by anyone from popular online retail stores. Sophisticated tools – such as badge cloners – are available, but most of the tools attackers commonly use can be built from materials found at a hardware or crafts store. For example, canned air can be used to bypass a request-to-exit sensor, and attackers can even fashion their own ‘under the door’ tool by combining common gauge wire from a hardware store with a string.
In our experience, we’ve been able to easily exploit the weaknesses of a door that hasn’t been configured correctly with just a piece of thin, flexible plastic. Attackers don't need a locksmithing license or any special training to purchase tools that can undermine your security controls.
It’s a cat-and-mouse game between attackers and security professionals, but when it comes to physical security, it's the people and the “daily grind” mentality that are often the easiest to exploit.
Technology changes, but people don't. When it comes to gaining access to a facility, attackers don't have to sit there and try to clone a badge. Most of the time, they’ll just follow you in – should you politely hold the door for them – and that weakness has been around since the dawn of time, or at least since the dawn of doors.
Some organizations have highly secured facilities with armed security guards, two-factor physical access controls, retinal scanners, PIN pads, and badges – very expensive security setups. Organizations must ensure those systems are installed by specialty professionals; otherwise it’s a waste of money if they can be bypassed with cheap, creative uses of everyday office or crafting supplies.
But regardless of all the bells and whistles – whether they’re installed properly or not – a good majority of your physical security posture relies on training. Are your employees and your building personnel trained to look for and question occurrences and ‘staff’ that seem out of place?
We highly recommend frequently auditing your physical security posture, reassessing your approach, and bringing in expert professionals to give your employees the training they need to mitigate physical security attacks. The safety of your organization and your customers’ sensitive data could depend on it.
Tim and Brent will be presenting at next week's InfoSec World Conference & Expo in Orlando, Florida. Here's everything you need to know about their talk.