As kids, we protected our most sensitive information in a journal that could be unlocked with a flimsy gold key. We kept valuable assets like baseball cards and arrowheads in a box secured with a combination lock. Then, we might hide said journal or box in the back of the closet or under the bed for an added layer of security. It might have kept malicious parties (like prying siblings) at bay back then, but regrettably, these tactics are insufficient in the professional world.
Today, to protect sensitive data, we enlist cyber security tactics such as password protections, firewalls, and cryptography. Yet that impulse for added security remains a good one, as it’s essential to pair strong data security with proper physical security controls.
Nevertheless, the truth is that even with high-tech locks, endless sensors and cameras, and personnel safeguarding assets, physical security, too, can easily be compromised, allowing theft of information, access to physical plant systems, installation of malicious software, and more.
Consider some of the examples shared in Carnegie Mellon University’s case studies:
All of these are examples where physical security controls failed well before any virtual ones. In this article, we’ll delve deeper into understanding whether your company’s physical security is actually sufficient, and how to improve it.
Physical security threats can be internal or external, and even those team members specifically tasked with monitoring vulnerabilities can be undermined.
Employees, with their knowledge of layouts, asset location, and ability to access sensitive information, are an example of an internal threat. Even with the best access control, intrusion detection, or auditing systems, insiders are all the more difficult to secure against.
On the other hand are external threats. To determine the risk level at a given target, consultants will typically try passive reconnaissance, open source intelligence, active reconnaissance and more.
In seeking to compromise physical security, a malicious party needs to overcome multiple layers of protection:
Yet these multiple layers of defense can be bypassed with determination, patience, and, sometimes, simply a smile.
Let’s talk first about passive reconnaissance. This is a kind of recon that gathers information about a target without detection. As a result, there’s no direct contact when profiling the target.
Instead, the party doing the reconnaissance would use archived or stored information about the target gathered from third party sources to learn all that they can about an organization from information in the public domain.
Sometimes the bad actors might even dumpster dive (a tactic we’ve been known to use ourselves!) for information about an organization that wasn’t shredded or disposed of effectively.
The goals of passive reconnaissance include:
Accomplishing the malicious objective can be easier with open source intelligence (OSINT). OSINT takes advantage of publicly available sources to gather as much information as possible about a target. With open source intelligence tools that might aggregate data about individuals, extract metadata information, or identify the network hardware at the target site, the person with ill intent can mine data from the Web looking for possible matches to his or her target. This information can be used to directly breach the target.
For instance, a few years ago, a UK cyber security researcher found more than 7,500 industrial devices linked to the Internet, and fewer than 20% of them required password access. How’d he find them? Simply by using a public search engine.
Another example is an online framework that harvests person-specific information such as social network activity, contact emails and phone numbers, and other identifying information. This could then be used to convince a target that the person contacting them is a friend rather than a foe. This might enable phishing attacks, vishing (calling to fish for information), or onsite social engineering.
Active recon sees the bad actors using online tools to find out IP addresses for routers and identify firewalls that protect target hosts. The aim is to identify which services are enabled on the hosts, map software, and scan for vulnerabilities.
Since these technical tools discover information on active networks, this activity is much easier to detect. One author compared it to a criminal walking past a house she wants to burglarize (passive recon) versus the criminal looking into the windows of the house to see what she wants to take from inside (active recon). It’s a great analogy!
With active recon, the attack is more likely to be effective, because the added information gained helps focus what type of approach to take.
As we’ve discussed before, one of the biggest tools for bad actors is our very human impulse to trust others. Another is our willingness to help another person in need.
Social engineering would see our would-be burglar from earlier actually getting invited into the house by the target himself. Remember the old kids’ movie Home Alone? The criminal does the very same thing by knocking on doors in his target neighborhood dressed as a cop, warning people to be extra careful over the holidays. The targets blithely inform him of their vacation plans and he’s better able to focus his efforts. Social engineering at its finest!
In the case of cyber security, a malicious hacker might come on-site pretending to be a representative of the target’s IT service provider. They might drop the name of someone from the organization and ask to see the servers to address a speed issue, but regret that they don’t have the work order at hand. An assistant wanting to help a fellow worker who claims he’d have to go back to the office to grab the “measly piece of paper” might decide to let verification slide—just this once.
But that one lapse in judgement is all the attacker needs to get a clear sense of the target. The individual can check out the site security, identify what precautions will need to be taken, and can sometimes even spot passwords that people have so helpfully placed beside their desks on brightly colored sticky notes (sound familiar?).
The person with ill intent may not even need to enter the target organization to get the information he needs to circumvent your locks, cameras, and other physical security controls. With one vishing call claiming to be an overworked assistant to a CIO at a partner organization, using information about the targeted individual gleaned from OSINT, a person could convince another trusting soul to share sensitive data over the phone.
Not to mention the reverberations of human error. Someone leaves a door unlocked or leaves it ajar to afford easier access when carrying in heavy boxes. Or an employee misplaces a keycard. Or opens the door for an unauthorized employee to walk through when that person’s hands are full or she’s apparently “forgotten” her card inside. Or an employee easily accesses another person’s workstation. The list goes on, but we can bet you’ve done at least one of these on one or more occasions. All of them contribute to weakened physical security controls.
Don’t wait for a breach to find out about your own physical security flaws. RedTeam Security’s physical penetration testing measures existing controls and uncovers weaknesses through real-world simulations.
Our highly-trained security consultants attack apparently secure environments to identify ways in which physical barriers can be compromised, and to find flaws that can provide unauthorized access to sensitive areas, which can lead to data breaches or system/network compromise.
Need to see it for yourself? Earlier this year we showed you firsthand the absence of rigorous security at a power grid substation, which our team was able to exploit.
Don’t worry, though, we don’t just identify physical security flaws and leave you hanging, scared. Our comprehensive follow-up report and remediation staff help you fully leverage our physical penetration test to proactively bolster your physical security controls in the future.
Ready to get started? We’d love to talk more about how RedTeam Security can help secure your business.