Physical security is a very important and often overlooked piece of the information security puzzle. The diagram below shows how Physical Assets fit in:
Many organizations try to ensure that their information is safe from a digital attack, and they should. However, what happens if the attacker can walk into the facility unchecked and walk out with a backpack full of sensitive information that was sitting in an unlocked filing cabinet? As a member of the SecureState Profiling Team, I perform Physical Penetration Tests, and they are always eye-opening experiences. These are just some of the things to be aware of at your organization.
1. Attached Parking Garages
- These garages are often publicly accessible and not guarded or monitored. They can provide unauthorized access to internal areas of your facility.
On past assessments we have used attached parking garages to great success. It is very convenient for us to park and take the elevator down to the lobby of your facility. While walking out to the street we can notice camera locations, guard stations, etc. When going back to the car we have another opportunity to notice additional things. These garages are also a great place to sit quietly and observe employees coming and going. Many times we overhear a sensitive conversation or get a good look at an employee ID which we can use later.
2. Unprotected stairwells
- Internal stairwells should be locked or be protected by some form of access control (access card or code).
On a recent assessment we initially used the elevators to move between floors. However due to heavy employee activity on the elevators, we opted to exit at the next stop and proceeded to use the internal stairwell to move around. We had unchecked access to every floor, including the roof. Had the stairwells been access controlled, we would have been forced to have much more interaction with employees and would have been more likely to be noticed.
3. Employee Awareness
- Employees need to be aware of their surroundings. They should be mindful of tailgating into protected areas.
- Employees should challenge anyone who requests access to protected areas by checking or looking for IDs and verifying visitors with a supervisor. Many companies fail to implement a policy that requires employees to wear their badges so they are able to be seen.
This is something we are able to take advantage of on just about every Physical Penetration Test. Most people are quick to hold the door for whoever is behind them, even if they don’t recognize them. We even had an employee from behind the doors open them for us and ask if we needed in. On another assessment, we were stopped by multiple employees in different parts of the facility. We were briefly questioned but never asked to supply any ID, and they never called their supervisor to verify our stories all because they didn’t want any conflict.
4. Unprotected Hard Copies of Sensitive Information
- Lock the filing cabinets.
- Don’t leave confidential information unsecured and easily viewed.
This seems like a no-brainer. Don’t leave documents with sensitive internal procedures or PII / PHI on your desk unattended. Furthermore, if you store paper documents in a filing cabinet, keep it locked. People are much more likely to notice a person trying to pick the lock on a filing cabinet as opposed to just walking up and opening it.
5. Inattentive / Ineffective Security Guards
- Guards should be making rounds and actively watching cameras.
- Guards should be periodically tested to ensure they are doing their job.
On our most recent assessment, we were able to walk right through the front door because the guard was on their lunch break. While moving through the building we did not encounter any guards making rounds. In fact, we did not encounter any guards until we left the building, again through the front door. Had the guards been making rounds through the building, or watching the security cameras, they probably would have noticed some of the things we were doing.
Many of these concerns are directly related to convenience. It may be a small burden to badge in and out of office areas and stairwells or to require a key for access to storage, but that extra step can go a long way towards improving the security in your organization. Additionally, it may be your corporate culture to hold the door for people entering behind you, or not to challenge visitors who are in protected areas. Those polite gestures can come with a risk, and there should be a corporate policy in place to address these things.
We are able to complete our assignments easily due to these and other issues, all of which could be prevented quickly and with relative ease. Had we been real attackers, the target organizations would have suffered very tangible losses that they would not have been immediately aware of.
Principles which apply to network and application security also apply to physical security. Vulnerabilities need to be identified and verified, and risks need to be mitigated. SecureState offers both a Physical Attack and Penetration Test and a Physical Security Assessment. Both of these offerings can help find the risks that can affect your organization and a path to mitigate them.