As kids, we protected our most sensitive information in a journal that could be unlocked with a flimsy gold key. We kept valuable assets like baseball cards and arrowheads in a box secured with a combination lock. Then, we might hide said journal or box in the back of the closet or under the bed for an added layer of security. It might have kept malicious parties (like prying siblings) at bay back then, but regrettably, these tactics are insufficient in the professional world.
Today, to protect sensitive data, we enlist cyber security tactics such as password protections, firewalls, and cryptography. Yet that impulse for added security remains a good one, as it’s essential to pair strong data security with proper physical security controls.
Nevertheless, the truth is that even with high-tech locks, endless sensors and cameras, and personnel safeguarding assets, physical security too can easily be compromised allowing theft of information, access to physical plant systems, installation of malicious software and more.
Consider some of the examples shared in Carnegie Mellon University’s case studies:
- A contract programmer tricked a janitor into unlocking another employee’s office after hours by switching the nameplates on the door and asking to be let into “his” office. With access to the colleague’s workstation, he was able to download sensitive source code onto removable media and take it with him to a competitor.
- Showing an expired ID badge to a security guard, a former employee gained access to a data backup facility and unplugged the cameras before stealing backup tapes with records for up to 80,000 employees.
- Using a key to a hospital heating, ventilation, and air conditioning computer, a contract employee used password-cracking software to access and install malicious software on the machine.
All of these are examples where physical security controls failed well before any virtual ones. In this article, we’ll delve deeper into understanding whether your company’s physical security is actually sufficient, and how to improve it.
How security is compromised
Physical security threats can be internal or external, and even those team members specifically tasked with monitoring vulnerabilities can be undermined.
Employees, with their knowledge of layouts, asset location, and ability to access sensitive information, are an example of an internal threat. The best access control, intrusion detection, or auditing systems are all the more difficult to secure against.
Related: Danger In Your Ranks: 7 Times Employees Caused Damaging Data Breaches
On the other hand are external threats. To determine the risk level at a given target, consultants will typically try passive reconnaissance, open source intelligence, active reconnaissance and more.
In seeking to compromise physical security, a malicious party needs to overcome multiple layers of protection:
- Administrative controls such as site location, facility design and emergency response.
- Physical controls including perimeter security, intrusion alarms, motion detectors.
- Technical controls including smart cards or proximity readers storing permissions controlling access to a secured room.
Yet these multiple layers of defense can be bypassed with determination, patience, and, sometimes, simply a smile.
Let’s talk first about passive reconnaissance. This is a kind of recon that gathers information about a target without detection. As a result, there’s no direct contact when profiling the target.
Instead, the party doing the reconnaissance would use archived or stored information about the target gathered from third party sources to learn all that they can about an organization from information in the public domain.
Sometimes the bad actors might even dumpster dive (a tactic we’ve been known to use ourselves!) for information about an organization that wasn’t shredded or disposed of effectively.
The goals of passive reconnaissance include:
- Identifying IP addresses and sub-domains to focus the scope of the other activities by identifying the server environment, net ranges and sub-domains associated with the target.
- Identifying external/3rd party sites to help understand the relationship of the target with other sites, which can also help determine direct or indirect organizational relationships.
- Identify people who can prove useful in social engineering activities.
- Identifying technologies to discover vulnerabilities such as outdated operating systems or an unsupported software application.
- Identifying content of interest such as potential access points (perhaps an externally facing web portal or webmail), sensitive login credentials, client-side code or backup files.
Open Source Intelligence
Accomplishing the malicious objective can be easier with open source intelligence (OSINT). OSINT takes advantage of publicly available sources to gather as much information as possible about a target. With open source intelligence tools that might aggregate data about individuals, extract metadata information, or identify the network hardware at the target site, the person with ill intent can mine data from the Web looking for possible matches to his or her target. This information can be used to directly breach the target.
For instance, a few years ago, a UK cyber security researcher found more than 7,500 industrial devices linked to the Internet, and fewer than 20% of them required password access. How’d he find them? Simply by using a public search engine.
Another example is an online framework that harvests person-specific information such as social network activity, contact emails and phone numbers, and other identifying information. This could then be used to convince a target that the person contacting them is a friend rather than a foe. This might enable phishing attacks, vishing (calling to fish for information), or onsite social engineering.
Active recon sees the bad actors using online tools to find out IP addresses for routers and identify firewalls that protect target hosts. The aim is to identify which services are enabled on the hosts, map software, and scan for vulnerabilities.
Since these technical tools discover information on active networks, this activity is much easier to detect. One author compared it to a criminal walking past a house she wants to burglarize (passive recon) versus the criminal looking into the windows of the house to see what she wants to take from inside (active recon). It’s a great analogy!
With active recon, the attack is more likely to be effective with the added information gained helping to focus what type of approach to take.
Then, There’s The Human Element
As we’ve discussed before, one of the biggest tools for bad actors is our very human impulse to trust others. Another is our willingness to help another person in need.
Social engineering would see our would-be burglar from earlier actually getting invited into the house by the target himself. Remember the old kids’ movie Home Alone? The criminals do the very same thing by knocking doors in his target neighborhood dressed as a cop warning people to be extra careful over the holidays. The targets blithely inform him of their vacation plans and he’s better able to focus his efforts. Social engineering at its finest!
In the case of cyber security, a malicious hacker might come on-site pretending to be a representative of the target’s IT service provider. They might drop the name of someone from the organization and ask to see the servers to address a speed issue, but regret that they don’t have the work order at hand. An assistant wanting to help a fellow worker who claims he’d have to go back to the office to grab the “measly piece of paper” might decide to let verification slide—just this once.
But that one lapse in judgement is all the attacker needs to get a clear sense of the target. The individual can check out the site security, identify what precautions will need to be taken, and can sometimes even spot passwords that people have so helpfully placed beside their desks on brightly colored sticky notes (sound familiar?).
The person with ill intent may not even need to enter the target organization to get the information he needs to circumvent your locks, cameras, and other physical security controls. With one vishing call claiming to be an overworked assistant to a CIO at a partner organization, using information about the targeted individual gleaned from OSINT, a person could convince another trusting soul to share sensitive data over the phone.
Not to mention the reverberations of human error. Someone leaves a door unlocked or leaves it ajar to afford easier access when carrying in heavy boxes. Or an employee misplaces a keycard. Or opens the door for an unauthorized employee to walk through when that person’s hands are full or she’s apparently “forgotten” her card inside. Or an employee easily accesses another person’s workstation. The list goes on, but we can bet you’ve done at least one of these on one or more occasion. All of them contribute to weakened physical security controls.
Test Your Physical Security
Don’t wait for a breach to find out about your own physical security flaws. RedTeam Security’s physical penetration testing measures existing controls and uncovers weaknesses through real-world simulations.
Our highly-trained security consultants attack apparently secure environments to identify ways in which physical barriers can be compromised and identify flaws that can provide unauthorized access to sensitive areas which can lead to data breaches or system/network compromise.
Need to see it for yourself? Earlier this year we showed you firsthand the absence of rigorous security at a power grid substation, which our team was able to exploit.
Don’t worry, though, we don’t just identify physical security flaws and leave you hanging, scared. Our comprehensive follow-up report and remediation staff help you fully leverage our physical penetration test to proactively bolster your physical security controls in the future.
10-Point Offensive Security Checklist
Get A Bird's Eye View Of Your Organization's Security Readiness