By David Lenehan | Managing Principal Security Consultant at Nettitude
Working on your company’s virtual IT security isn’t the only piece of the information security jigsaw puzzle. Whilst the bulk of your technical teams’ effort should go into filling in the centre of the jigsaw with things like firewalls, monitoring, endpoint protection, security testing, and more, an organisation’s physical security can often get left behind. The centre of the puzzle is critical to your overall security infrastructure, but if the little things, such as an unlocked server room or unauthorised access to the building, are overlooked, then the whole security operation is jeopardised.
Below, we’ll step into the shoes of one of our expert penetration testers to hear about his experiences with physical security failures, evaluate what went wrong, and look at which physical security measures need to be implemented to ensure a holistic cybersecurity plan is in place.
Stepping into the shoes of our Pen Tester David
‘Throughout my time at Nettitude I have performed a number of physical security penetration tests. I have accessed vacant buildings, regular office blocks, multi-tenanted office buildings with managed receptions, and industrial sites, all with the aim of plugging a laptop into the network, or planting a rogue device controlled by 4G into a network port somewhere and walking away.’
‘One of the most common misconceptions is that when you say cybersecurity, it involves complex digital testing methods that only an IT expert would understand. Whilst part of the job is highly technical and involves complex penetration testing procedures, there are also a number of simple exercises involved that test the physical security of an organisation and the strength of the people who uphold these security protocols.’
Such exercises can include:
- Physically entering an organisation without permission.
- Obtaining critical security information from a member of the organisation through social interaction.
- Gaining access to an internal system without permission once inside the building.
Whose responsibility are physical security measures?
One of the main problems we see for information security managers is that physical security often falls just outside their sphere of influence. Whilst security is everyone’s responsibility, the employees in your business who are best placed to stop or detect an intruder are the front of house staff and security guards.
Imagine the scene: someone turns up at your office and pretends to be you; they know you work at the firm because they looked you up among your company’s employees on LinkedIn. “Hi, I’m <your name here>, I’m the head of IT based at another office but working locally this afternoon. Have you got a desk for the morning until my super important meeting?” The receptionist checks your name on the company directory, signs the intruder in as you, gives them the fire escape brief, makes them some tea, then puts them in the conference room that opens directly onto your switch room. The switch room door has a weak lock that can be opened with a credit card, there are plenty of free, working network ports for a rogue device, and, as an added bonus, plenty of spare plug sockets to power it. Sounds like a ridiculous scenario? This is just one example of the actual result of a physical security penetration test performed by Nettitude.
Whilst the scenario seems unlikely, this example shows that it is a real possibility and demonstrates just how easy it is for a malicious actor to gain access to your systems. In this case, the responsibility lies with front of house staff, including reception staff and front of house security.
Exploring additional physical security control vulnerabilities
Other examples of physical security control breaches include:
- Impersonating support engineers from utility firms who had no business being in the building.
- Tailgating into a building wearing the right coloured lanyard.
- Tampering with the sensors on an unmonitored “exit-only” door so that it opens from the outside.
- Plugging a device into the VoIP phone at an unattended reception desk.
It’s not just your office locations that are vulnerable. Often, donning a shirt and tie with a high-visibility jacket is enough to let an intruder walk straight into a company’s warehouse: the shirt and tie make the warehouse staff think it must be management, and the high-visibility jacket makes management think it’s warehouse staff. In every scenario, the intruder needs only a half-decent cover story and to go unchallenged in order to succeed.
Minimising the risk
There are many ways into your buildings, and it’s not just your office locations you need to consider. Can you be certain that your staff would properly establish the identity of a visitor? Would your office staff have the confidence to politely challenge an unaccompanied stranger who isn’t wearing an ID badge?
Nettitude can test this for you and tell you whether or not your physical security controls and company security culture are up to scratch. If they’re not, you’ll have solid evidence to take to the business when making the case for tightening things up.
Want to find out more about how Nettitude can evaluate the effectiveness of your organisation’s physical security measures? Please don’t hesitate to get in touch with the local team or discover more about how physical security penetration testing can bolster your business’s security.