SecureState’s Profiling Team conducts dozens of Physical Attack and Penetration assessments for a wide range of companies every year. While the results vary somewhat, the typical engagement reveals numerous high and extreme vulnerabilities. Most of these vulnerabilities center around human nature being at odds with the goals of a company’s physical security. The simple fact is people tend to hold doors open (even key card secured doors to sensitive areas). They tend to want to help out. They don’t want to be perceived as rude.
While this provides plenty of attack vectors for malicious individuals, it really isn’t all that surprising. While companies make various degrees of effort to educate their employees about the importance of physical security best practices, that is not the core function these employees were hired to perform. That is why many companies employ dedicated security personnel. However, as a recent engagement for a large organization clearly demonstrated, security personnel are no less vulnerable to attacks.
Some examples of security failings include:
- SecureState noted a loading dock that was used for contractor entrance and exit only. The main loading dock entrance door was equipped with a security card badge reader as well as an intercom system. Having no means to open the secured door, a SecureState consultant picked up a 50-pound bag of sidewalk salt that was sitting in the loading dock parking lot, and proceeded towards the access-controlled door located in the loading dock. Once at the door, the SecureState consultant signaled the guard on duty, and pointed to the bag of salt on his shoulder. The guard then remotely unlocked the door. After going through the loading dock door, the SecureState consultant set the bag of salt down on a pallet in the hallway and walked past the guard station without signing in.
- A SecureState consultant located a large “Confidential Information” blue shred bin, wheeled it into the maintenance elevator, out the employee entrance, and into the parking lot to load it into his car. A security guard approached the SecureState consultant and asked if he was allowed to take the blue “Confidential Information” shred bin. The SecureState consultant affirmed he was allowed to take the bins to the loading dock for shredding. The guard then informed the consultant he could use the maintenance elevator to get to the loading dock, and offered to show him where it was. The security guard used his own access control badge to allow the SecureState consultant with the blue shred bin back into the office building. The security guard escorted the SecureState consultant to the maintenance elevator. The security guard helped the SecureState consultant navigate through the basement of the building to the paper shredding room. The SecureState consultant was then informed, by the employee in charge of receiving the shred bins, that a form was required before the bin contents could be shredded. At this point the SecureState consultant informed the security guard he needed to take the blue shred bin back up to the 3rd floor to get the form. The security guard allowed the SecureState consultant to take the blue shred bin, unescorted, back to the employee elevators located in the basement. The SecureState consultant then traveled to the 1st floor and left the building again. This time the SecureState consultant passed the guard in the lobby and exited the building without further questioning. The consultant loaded the bin into the car and drove to the edge of the parking lot, so that the information did not leave the location. Once a safe distance away, he prepared to pick the lock and remove the confidential documents. However, he noted that the gap in the bin was large enough to reach in and retrieve the documents, as shown below.
The takeaway from this engagement is to not let employing security guards lull your organization into a false sense of security. The bottom line is that large-scale physical attacks do not happen every day. As such, even security guards get comfortable. They relax. They assume the best of people and try to help out.
The key failing in this instance was a lack of formal policies and procedures that would require clear identification from any outsider and that would not allow contractors (or perceived contractors) unescorted access to buildings containing sensitive data. And certainly, no security guard should allow unidentified individuals to walk out the front door with a large bin of confidential material.