Working on your company’s virtual IT security isn’t the only piece of the Information Security jigsaw puzzle. Whilst the bulk of your technical teams’ efforts should be filling in the centre of the jigsaw with things like firewalls, monitoring, endpoint protection, security testing, and more; an organisation's physical security can often get left behind. Whilst the centre of the puzzle is critical to your overall security infrastructure, if the little things like an unlocked server room or unauthorised access to the building are overlooked, then the whole security operation is jeopardised.
Below, we’ll step into the shoes of one of our expert Penetration Testers to find out his experiences with physical security failures and evaluate what went wrong, as well as what physical security measures need to be implemented to ensure a holistic cybersecurity plan is in place.
Stepping into the shoes of a Penetration Tester
"Throughout my time at LRQA Nettitude, I have performed many physical security penetration tests. I have accessed vacant buildings, regular office blocks, multi-tenanted office buildings with managed receptions, and industrial sites; all to plug a laptop into the network, or plant a rogue device controlled by 4G into a network port somewhere and walk away."
"One of the most common misconceptions is that many people assume that when you say cybersecurity, it involves complex digital testing methods that only an IT expert would understand. Whilst part of the job is highly technical and involves complex penetration testing procedures, there are also several simple exercises involved that test the physical security of an organisation and the strength of the people who uphold these security protocols."
Such exercises can include:
- Physically entering an organisation without permission.
- Obtaining critical security information from a member of the organisation through social interaction.
- Gaining access to an internal system without permission once inside the building.
Who is responsible for physical security measures?
One of the main problems we see for information security managers with physical security is that it often falls just outside their sphere of influence. Whilst security is everyone’s responsibility, the employees in your business who are best poised to stop or detect an intruder are the front-of-house staff and security guards.
Imagine the scene - Someone turns up to your office and pretends to be you; they know you work at the firm because they looked you up in your company’s employees on LinkedIn. “Hi I’m <your name here>, I’m the head of IT-based at another office but working locally this afternoon, have you got a desk for the morning until my super important meeting?”. The receptionist checks your name on the company directory; signs the intruder in as you, gives them the fire escape brief, makes them some tea, and then puts them in the conference room that directly accesses your switch room. The door to the switch room has a weak lock that can be opened with a credit card, with ample available functioning ports for a rogue device, and with the bonus of there being plenty of spare plug sockets to power it. Sounds like a ridiculous scenario? This is just one example of the actual result of a physical security penetration test performed by Nettitude.
This example shows that whilst the scenario seems unlikely, it is a possibility and demonstrates just how easy it is for a malicious body to gain access to your systems. In this case, the responsibility falls on front-of-house staff, including reception staff and front-of-house security.
Exploring additional physical security control vulnerabilities
Other examples of physical security control breaches include:
- Impersonating support engineers from utility firms who had no business being in the building.
- Tailgating into a building wearing the right coloured lanyard.
- Tampering with the sensors on an unmonitored “exit-only” door so that they open.
- Plugging something into the VOIP phone of an unattended reception.
It’s not just your office locations that are vulnerable, often donning a shirt and tie with a high visibility jacket is enough to allow an intruder to walk right into a company’s warehouse; the shirt and tie make the warehouse staff think it must be management, the high visibility jacket makes management think it's warehouse staff. In all scenarios, the bad guy just needs a half-decent cover story and not be challenged to succeed.
Minimising the risk
There are many ways into your buildings, and it’s not just your office locations you need to consider. Can you be certain that your staff would properly establish the identity of an intruder? Would your office staff have the confidence to politely challenge an unaccompanied stranger not wearing an ID badge?
LRQA Nettitude can test this for you and tell you whether or not your physical security controls and company security culture are up to scratch; if they’re not, you’ll have solid evidence to engage with your organisation to move forward and improve.