Interviews

Two feet in the door

by Mark Rowe

Some cyber attacks walk in on two feet, writes Gemma Moore, director at cyber security consultancy Cyberis. She examines the threat of physical security breaches and whether organisations are doing enough to protect themselves.

In the context of cyber and information security, physical breaches usually conjure up images of laptops or USB sticks left on trains or unattended documents being taken. Physical break-ins to offices are often overlooked and not linked to cyber crime. It is difficult to quantify how common such breaches are, as they are less likely to be detected in the first place, but gaining unauthorised access to a building can be easier than hacking into a network remotely.

While the risks involved with physical security breaches are generally not worth the rewards for casual opportunists, for organised gangs or a motivated, skilled attacker a physical breach can provide a powerful ‘foot in the door’ and onward access to the internal network.

Gaining access to a building does not necessitate an out-of-hours break-in. For every business, there are third parties who are expected to enter offices and buildings for various purposes: landlord inspections, fire alarm maintenance, health and safety audits, cleaning of drinks dispensers, candidates coming in for interviews or suppliers arranging meetings with purchasers. The list is long, and any of these could serve as a cover story for an adversary who wants to get into an office.

The ‘high-vis’ effect is a well-known tactic. An individual in a high-vis jacket who looks like they know where they are going tends not to be challenged, because the reflective vest carries an automatic air of authority. Similar effects are seen with any kind of health and safety or audit requirement: these are activities employees don’t want to obstruct.

Tailgating is another very common problem. Even for businesses with card-based access control on all doors, it is relatively easy to follow authorised personnel into restricted areas. Sometimes they will even hold the door open for you. There is social pressure to be polite and closing a door in someone’s face is just plain rude, so many people can’t bring themselves to do it.

At Cyberis, we are often asked to do penetration tests to check out a company’s defences during what we call a simulated targeted attack – or ‘Red Team’ exercise. Frequently, this includes an element of physical social engineering, whereby we gain access to our customer’s premises to plant malicious devices or retrieve sensitive information.

When we are simulating a physical attack, we will choose a scenario which gives us a pretext for gaining access, gather a few props ordered from the internet, and possibly make up some fake identity badges, etc. PAT testing is one we use often, since it’s a common health and safety requirement upon which a client might be audited and it also gives us an excuse to interact with equipment such as user workstations and network switches. We are generally very successful at gaining access with these tactics – sometimes we are able to talk our way past reception, sometimes we are able to tailgate into secured offices and sometimes we are able to call in advance and make an appointment. We are rarely challenged by employees once we have gained access to an office past the front door.

Once inside the office, our actions are then dictated by our goals. We might look to install a device onto the internal network, which would ‘phone home’ to us and give remote access. These devices are rarely detected once they have been installed, because perimeter controls tend to be far more mature than internal controls for most businesses. Malicious activity inside a network is detected much less often than malicious activity that crosses the perimeter, as most malware does. Alternatively, we might look to retrieve a piece of equipment, such as a laptop, or some paperwork of a sensitive nature. Of course, we do this with the knowledge and consent of our customers and we keep that data safe. Most of the time, having achieved our objectives, we are able to leave the building without any concerns or alarms being raised.

Are organisations doing enough? Organisations certainly consider physical security, but in many cases, they underestimate the ease with which somebody who is motivated can gain access to their premises. Most people assume that they will be able to spot a liar, or a criminal, but this is not the case. Somebody who is friendly, personable, smart and polite is quite capable of talking their way into a number of situations.

User awareness is key to protection, and any organisation that wants to defend against physical attacks needs to encourage robust processes for allowing access to offices and ensuring visitors are properly escorted. It is very difficult to defend against these attacks, as social norms tend to help attackers attempting this kind of social engineering. Employees need to be willing to challenge visitors if they are suspicious, and to have escalation routes they can use if they are concerned about any strangers in the office.

Monitoring internal networks as thoroughly as external networks for anomalies is also important, but this is often a big challenge for SMEs with limited resources within their IT teams to configure and review such monitoring.
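The two points above, that a planted device has to ‘phone home’ and that internal monitoring is where it would be caught, can be turned into simple checks. The script below is an added example and is not code from the article or from Cyberis. It runs two detections over constructed log lines (the formats, MAC addresses, IP addresses and timestamps are made up for illustration): it flags any DHCP lease handed to a MAC address that is not in a known-asset inventory, and it flags any host that contacts one external destination at a suspiciously regular interval, which is how a timer-driven implant polling its operator tends to look against ordinary, bursty user traffic.

```python
"""
Added example (not from the Cyberis article): two internal-network checks
aimed at the kind of planted 'phone home' device the article describes.
All log lines, addresses and the asset inventory below are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed asset inventory: MAC addresses the IT team has issued.
KNOWN_MACS = {
    "00:1a:2b:3c:4d:5e",
    "00:1a:2b:3c:4d:5f",
    "3c:52:82:aa:bb:cc",
}

# Constructed DHCP lease log, one lease per line: "<time> <mac> <ip> <switch-port>".
LEASE_LOG = """\
09:01:10 00:1a:2b:3c:4d:5e 10.0.1.20 Gi1/0/4
09:02:44 3c:52:82:aa:bb:cc 10.0.1.21 Gi1/0/7
11:17:03 b8:27:eb:12:34:56 10.0.1.57 Gi1/0/12
11:20:51 00:1a:2b:3c:4d:5f 10.0.1.22 Gi1/0/5
"""

# Constructed outbound connection log: "<epoch-seconds> <src-ip> <dst-ip> <dst-port>".
# 10.0.1.57 polls one address roughly every 60 s; 10.0.1.20 is a normal user.
CONN_LOG = """\
40000 10.0.1.57 203.0.113.10 443
40010 10.0.1.20 198.51.100.5 443
40025 10.0.1.20 198.51.100.5 443
40061 10.0.1.57 203.0.113.10 443
40119 10.0.1.57 203.0.113.10 443
40180 10.0.1.57 203.0.113.10 443
40240 10.0.1.57 203.0.113.10 443
40299 10.0.1.57 203.0.113.10 443
40300 10.0.1.20 198.51.100.5 443
40302 10.0.1.20 198.51.100.5 443
40500 10.0.1.21 198.51.100.9 80
40560 10.0.1.21 198.51.100.9 80
40900 10.0.1.20 198.51.100.5 443
"""


def new_devices(lease_log, known_macs=KNOWN_MACS):
    """Return (mac, ip, switch_port) for every lease whose MAC is not in the inventory.

    A planted box has to get an address somehow; a lease to an unknown MAC on
    an office access port is the earliest internal signal of one.
    """
    unknown = []
    for line in lease_log.splitlines():
        if not line.strip():
            continue
        _time, mac, ip, port = line.split()
        if mac.lower() not in known_macs:
            unknown.append((mac, ip, port))
    return unknown


def beacons(conn_log, min_count=5, max_cv=0.1):
    """Return (src, dst, port, count, mean_gap) for flows that recur on a timer.

    Implants typically poll their operator at a fixed interval, so the gaps
    between connections have a low coefficient of variation (stdev / mean).
    User-driven traffic to the same destination is bursty and does not.
    """
    times = defaultdict(list)
    for line in conn_log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        times[(src, dst, int(port))].append(int(ts))

    flagged = []
    for key, ts_list in times.items():
        if len(ts_list) < min_count:      # too few samples to judge regularity
            continue
        ts_list.sort()
        gaps = [later - earlier for earlier, later in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged.append((*key, len(ts_list), round(avg, 1)))
    return flagged


if __name__ == "__main__":
    for mac, ip, port in new_devices(LEASE_LOG):
        print(f"unknown device {mac} leased {ip} on {port}")
    for src, dst, port, n, avg in beacons(CONN_LOG):
        print(f"possible beacon: {src} -> {dst}:{port}, {n} connections, ~{avg}s apart")
```

Both checks are triage signals rather than verdicts: software updaters and monitoring agents also poll on timers, so a flagged beacon should be cross-referenced with the asset inventory and the switch port it came from, and the `min_count` and `max_cv` thresholds need tuning to the network. The point of the exercise is the one the article makes: the data to catch a planted device is usually already on the internal switches and DHCP server, it just has to be looked at.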

Performing an employee awareness campaign and demonstrating first-hand the ease and danger of physical security breaches is a great way to engage an entire organisation. When we point out that the person in the corner at the computer is really one of our colleagues who has talked their way in – there is always a sea of stunned faces. It rarely occurs to the population of employees that the PAT tester dressed in a branded, embroidered fleece of a fictional company and carrying a full PAT testing kit might be anything other than legitimate, or that they may have come past the front desk without authorisation.

Managers and employees need to know that some cyber attacks walk in on two feet and doing this type of exercise helps make things memorable, so hopefully people will be more willing to challenge and report suspicious visitors.


© 2024 Professional Security Magazine. All rights reserved.
