Having the most advanced, AI-featured security software certainly makes a company “sound” secure, and those defenses do help stop most advanced attacks.
But not all attacks involve complicated ransomware, spear phishing, or DDoS attacks.
What organizations have to remember is that their computer network is only one threat vector they have to worry about, and it’s not even the most obvious.
Attackers are constantly looking for the simplest form of intrusion, and even the most proficient hacker is not above opening an unlocked door if they believe it will lead to the information they want.
This is why a building’s physical security policies must not only be in place but strong enough to withstand a persistent attacker.
While most attacks do occur over the Internet, whether through a misconfigured system that’s publicly accessible or a phishing email carrying a complex payload to be downloaded and executed, physical security is also an important consideration in cybersecurity. A lack of physical security can lead to something as simple as an attacker walking in off the street, plugging an unrecognised device into the network, or removing sensitive materials.
This could include taking an internal phone listing off a receptionist’s desk, which would give a hacker enough information to develop a social engineering scheme that can lead to a major breach.
The good news is that Trustwave SpiderLabs consultants have conducted hundreds of physical security assessments over the years, so we can glean some useful information and perhaps some helpful recommendations from these efforts.
The following are examples SpiderLabs social engineers have faced during their engagements.
Office parking lots tend to be the prime target for gaining access into a building. Depending on the barrier used, timing entry into the building can be quite easy, as barriers close slowly. Once the first layer of security is breached, a tailgating attempt is made to access the parking lot elevators, which are often access controlled. In this scenario, the social engineer either pretends to be an employee of the organization and follows a legitimate employee in, or, due to inadequate security awareness on the employee’s part, simply follows them inside. This circumvents the second layer of security. The third layer could be either access control in the internal elevators, where employees use their access card, or an access-controlled door on the office floor; both can be circumvented by tailgating.
Emergency exits are another prime target an attacker can use to gain access into a building. While these exits generally should not be used by employees, several assessments our teams have carried out found that emergency exits are often used by employees for smoke breaks and to leave the building during normal hours, as it can sometimes be more convenient for reaching shops or car park areas. Social engineers can loiter around emergency exits and wait for an employee to leave; due to inadequate security awareness, employees most often do not wait for the door to close, which would stop any tailgating attempt.
Reception can sometimes be fooled into thinking a person belongs in the building once access is gained. Some barriers have flaws that allow two or more people to walk through together if the sensors are blocked, leaving the barriers open for some time. There are also instances where barriers stay open for longer than usual, and this has allowed a pentester to time their attack and make their way into the building by exploiting the barrier’s flaws and moving past the reception area and security guards.
Obviously, in the prior case study, the pentester had to deal with on-site security. This means security guards and receptionists are also targeted during these assessments.
We often test their security awareness to check if they are adhering to the security policies, or to find out if in fact any are in place.
Social engineers have several tricks up their sleeve when dealing with the human element of this test. For example, a social engineer might show up at a building with an access card that looks exactly like those held by other employees in the building, except that it would not be registered or working on the RFID scanners.
In this scenario, the card was created during the open-source intelligence (OSINT) gathering phase, when the social engineer found an employee access card on social media, enabling it to be duplicated.
Social engineers can then dupe the receptionist into thinking that they are an employee with a broken access card. If no proper policy or process is in place, then it is likely the guard will not check the social engineer’s actual status and the access card will be registered, or the person given a temporary pass, allowing them into the building with a valid access card.
Physical security assessments are normally broken down into three phases. Phase 1 is where the client and Trustwave SpiderLabs decide on the scope of work and the objectives to be carried out during the assessment. The objectives can play a role in the number of phases needed during an assessment; for example, a more complex objective will require more complex reconnaissance, sophisticated planning, and careful execution. Once the scope of work and objectives have been agreed to, the engagement moves into phase 2, known as the delivery phase.
The delivery phase is broken into two parts: planning and execution. The planning part consists of performing reconnaissance offsite and onsite. The offsite reconnaissance uses open-source intelligence (OSINT) gathering to capture information about the organisation and its employees. The information captured can range from building plans/layouts, street view pictures, company event pictures, and workplace video interviews to employees’ social media, where they potentially upload building/site-related information. This information is then analysed, and scenarios are planned out. Once the different scenarios are prepped, the information is provided back to the client for approval before the green light is given to perform the tasks.
The execution part consists of reviewing the security awareness of the staff: the social engineer will attempt to tailgate into the building, loiter around secure areas, access meeting rooms, observe employees’ desk policy and secure-usage etiquette, etc., and, based on the objectives, remove sensitive materials and devices from the building. Secure areas are accessed through tailgating techniques, lock picking, or access door bypass.
Additionally, Trustwave SpiderLabs will attempt to connect unregistered devices to the network in an attempt to find issues such as authentication bypass, Man-in-the-Middle attacks, attacks against Windows Domain-joined systems, or other attack vectors through which one could gain unauthorized access to these physical security control systems.
Trustwave’s elite security team, SpiderLabs, can scope and execute thorough testing of the environment with their deep, specialized knowledge and provide recommendations to strengthen the security posture.