In the context of cyber and information security, physical breaches usually conjure up images of laptops or USB sticks left on trains or unattended documents being taken. Physical break-ins to offices are often overlooked and not linked to cyber crime. It is difficult to quantify how common such breaches are as they tend to be less well-detected, but gaining unauthorised access to a building can be easier than hacking into a network remotely.
While the risks involved with physical security breaches are generally not worth the rewards for casual opportunists, for organised gangs or a motivated skilled attacker, a physical breach can provide powerful ‘foot in the door’ and onward access to the internal network.
Gaining access to a building does not necessitate an out-of-hours break-in. For every business, there are third parties who are expected to enter offices and buildings for various purposes: landlord inspections, fire alarm maintenance, health and safety audits, cleaning of drinks dispensers, candidates coming in for interviews or suppliers arranging meetings with purchasers. The list is long, and any of these could be used as a cover story by an adversary who wanted to gain access to an office.
The ‘high-vis’ effect is a well-known tactic. An individual in a high-vis jacket, who looks like they know where they are going, tends not to be challenged since there is automatic authority imbued within the reflective vest. Similar effects are seen with any kind of health and safety or audit requirement – these are activities employees don’t want to obstruct.
Tailgating is another very common problem. Even for businesses with card-based access control on all doors, it is relatively easy to follow authorised personnel into restricted areas. Sometimes they will even hold the door open for you. There is social pressure to be polite and closing a door in someone’s face is just plain rude, so many people can’t bring themselves to do it.
To address these potential weaknesses, companies are increasingly asking penetration testing providers to check out their physical defences during a simulated targeted attack – or ‘Red Team’ exercise. Frequently, this includes an element of physical social engineering to gain access to the premises to plant malicious devices or retrieve sensitive information.
“When we are simulating a physical attack, we will choose a scenario which gives us a pretext for gaining access, gather a few props ordered from the internet, and possibly make up some fake identity badges,” says Gemma Moore, director at cyber security consultancy Cyberis.
“PAT testing is one we use often, since it’s a common health and safety requirement upon which a client might be audited and it also gives us an excuse to interact with equipment such as user workstations and network switches. We are generally very successful at gaining access with these tactics – sometimes we are able to talk our way past reception, sometimes we are able to tailgate into secured offices and sometimes we are able to call in advance and make an appointment. We are rarely challenged by employees once we have gained access to an office past the front door.”
“Once inside, we might look to install a device onto the internal network, which would ‘phone home’ to us and give remote access,” adds Moore. “These devices are rarely detected once they have been installed and malicious activity inside a network is detected much less often than malicious activity which occurs across the perimeter. Alternatively, we might look to retrieve a piece of equipment, such as a laptop, or some paperwork of a sensitive nature. Of course, we do this with the knowledge and consent of our customers and we keep that data safe.”
Are organisations doing enough?
Organisations certainly consider physical security, but in many cases, they underestimate the ease with which somebody who is motivated can gain access to their premises. Most people assume that they will be able to spot a liar, or a criminal, but this is not the case. Somebody who is friendly, personable, smart and polite is quite capable of talking their way into a number of situations.
User awareness is key for protection and any organisation that wants to defend against physical attacks needs to encourage robust processes for allowing access to offices and ensuring visitors are properly escorted.
It is very difficult to defend against these attacks, as social norms tend to help attackers attempting this kind of social engineering. Employees need to be willing to challenge visitors if they are suspicious and have escalation routes they can use if they are concerned about any strangers in the office.
Monitoring internal networks as thoroughly as external networks for anomalies is also important, but this is often a big challenge for SMEs with limited resources within their IT teams to configure and review such monitoring.
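As an added example (not from the article or from Cyberis), the kind of internal-network check the paragraph above calls for: Python that flags DHCP leases whose MAC address is absent from an assumed asset inventory, and source/destination pairs that connect outbound at a machine-regular cadence, the ‘phone home’ pattern described earlier. The log formats, inventory and thresholds are constructed assumptions, not any product's real format.

```python
# Added example: flag devices absent from the asset inventory and hosts that
# call out to the same address at regular intervals. All data are constructed.
import re
from collections import defaultdict
from statistics import pstdev

# Assumed asset inventory: MACs of devices IT knows about (constructed).
KNOWN_MACS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}

# Constructed DHCP lease lines: "<epoch> lease <ip> mac <mac> host <name>"
DHCP_LOG = """\
1700000000 lease 10.0.5.21 mac aa:bb:cc:00:00:01 host fin-ws-01
1700000120 lease 10.0.5.99 mac de:ad:be:ef:00:01 host raspberrypi
"""

# Constructed outbound connection lines: "<epoch> <src_ip> -> <dst_ip>:<port>"
CONN_LOG = """\
1700000200 10.0.5.99 -> 203.0.113.10:443
1700000500 10.0.5.99 -> 203.0.113.10:443
1700000800 10.0.5.99 -> 203.0.113.10:443
1700001100 10.0.5.99 -> 203.0.113.10:443
1700000210 10.0.5.21 -> 198.51.100.7:443
"""

DHCP_RE = re.compile(r"^(\d+) lease (\S+) mac (\S+) host (\S+)$")
CONN_RE = re.compile(r"^(\d+) (\S+) -> (\S+):(\d+)$")

def unknown_devices(log, known):
    """Return {ip: mac} for leases whose MAC is not in the asset inventory."""
    found = {}
    for line in log.splitlines():
        m = DHCP_RE.match(line)
        if m and m.group(3).lower() not in known:
            found[m.group(2)] = m.group(3).lower()
    return found

def beaconing_hosts(log, min_conns=4, max_jitter=0.1):
    """Return (src, dst, mean_gap) for pairs connecting at near-constant intervals."""
    times = defaultdict(list)
    for line in log.splitlines():
        m = CONN_RE.match(line)
        if m:
            times[(m.group(2), m.group(3))].append(int(m.group(1)))
    hits = []
    for (src, dst), ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(ts) >= min_conns:
            mean = sum(gaps) / len(gaps)
            # Low relative jitter means a machine-like cadence, not a person browsing.
            if mean and pstdev(gaps) / mean <= max_jitter:
                hits.append((src, dst, mean))
    return hits
```

Run against real DHCP and firewall exports, the two lists together give an SME a low-effort starting point: a device nobody provisioned that also calls out on a fixed schedule is worth a physical look.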
Performing an employee awareness campaign and demonstrating first-hand the ease and danger of physical security breaches is a great way to engage an entire organisation. It rarely occurs to the population of employees that the PAT tester dressed in a branded, embroidered fleece of a fictional company and carrying a full PAT testing kit, might be anything other than legitimate.
Sourced by Gemma Moore, director at cyber security consultancy Cyberis