At Schneider Downs, we always strive to uphold our responsibility to serve as trusted cybersecurity advisors to our clients and to the community at large. A major component of that responsibility is to comprehensively understand and provide counsel when it comes to all the significant cybersecurity threat vectors that have the potential to present risk. For example, the recent controversy surrounding physical security testing within the scope of a penetration test has offered some form or another of the following questions:
“Do we really need to worry about someone trying to break into our datacenter?”
“Do cyber threat actors really use malicious USB drops to deploy ransomware?”
“How strictly should we design and enforce our physical security policies and procedures?
To help calm these important anxieties, I’ll use this article to pass along some of the wisdom I’ve gained from performing offensive physical security testing and incident response investigations. From those experiences, I can say unequivocally that physical security vulnerabilities are being exploited by real-world threat actors to achieve significant compromises, and that taking advantage of those physical vulnerabilities is often far easier than identifying and exploiting virtual security vulnerabilities.
As an example, I’ve personally broken into countless corporate buildings without being detected (with permission, of course) and have been able to leverage that physical access for virtual compromise. In general, people are trusting of anyone in appropriate clothing who acts like they belong (especially if that person is carrying a box of donuts and talking on the phone!). Unfortunately, thanks to human nature, it is far too easy to gain physical access to an organization’s computer systems. Threat actors have a tendency to utilize whatever are the easiest, most effective techniques, so just because physical security attacks haven’t been as commonly exploited in the past doesn’t mean they won’t be in the future. I strongly recommend that all organizations perform some form of annual assessment of their physical security controls to ensure an effective posture is maintained.
To best defend your organization from a physical security attack in the office, there are eight things to keep in mind:
Tailgating - Home Team Only
For most companies, the first line of defense includes the logical access controls between publicly accessible space and restricted space. It’s your responsibility to ensure you don’t allow any unauthorized individuals into restricted space. The failure to enforce this critical security control is so common that it has its own catchy name: “tailgating.” Don’t let anyone you don’t know pass through a door that was opened with your badge or passcode. Close the door behind you. If someone is supposed to be there, they can use proper channels. (Unless they have donuts, of course, in which case you should take them directly to your datacenter and eat donuts together in the refreshing AC.)
You’ve probably heard of a “Clean Desk Policy.” Your office probably has one. But it wouldn’t surprise me if it wasn’t very strongly enforced, and/or no one knew the content of the policy. This is fairly common for the average office, because it’s difficult to truly enforce a clean desk policy, and most people don’t understand the risk exposure that can result from physical document visibility. The truth is that data can – and is – being collected from sensitive materials on desks, from sources as diverse as rogue employees, wandering visitors, after-hours staff and drone window surveillance. Recommendation: try to take the policy seriously and clear off your desk when you can. And please don’t leave a sticky note somewhere with all your passwords.
Stop, Drop N’ Lock It
Also poorly enforced in most companies is something known as a “Locked Drawer Policy,” one of the most important office policies and one that should definitely be taken seriously. The general goal of the policy is to reinstate the physical security of an object after your session of authenticated access has terminated. This includes locking your laptop in a drawer overnight, locking your computer when you step away for lunch, or locking a restricted area on your way out. Failing to comply with this policy is known as “leaving the seat up,” and is punishable via changing the background of their unlocked device.
Burn After Reading
More commonly referred to as a “Physical Data Destruction Policy,” this precaution is generally considered the best defense against “Physical Information Byproduct Reconnaissance,” aka “Dumpster Diving.” I’ve personally harvested significant sensitive information by searching dumpsters for paper and digital documents; i’s unbelievable what people will just throw away. I’ve found unencrypted hard drives with thousands of Social Security numbers and other assorted PII. It is crucial to destroy before discarding. This includes all paper materials, thumb drives, hard drives, CDs … even printers (an iconic scene from the movie “Office Space” comes to mind).
There are so many well-known exploits to bypass native security on an unencrypted hard drive, it’s fairly impossible to protect data from physical access without some form of encryption. I’ve personally stolen laptops and hard drives from desktops while breaking into a company (with permission, of course). Worth noting is that many organizations encrypt their laptops, but not their desktops. Historically, desktops didn’t have the TPM chip required for encryption, but that’s no longer the case. Modern encryption is so much easier and faster than ever before. Any Windows user can easily encrypt their USB drive with a simple password using BitLocker, and alternatives exist for most other common operating systems. In my opinion, there’s simply no excuse for media devices to not be encrypted. Encryption is your friend.
Locks, Cameras and Doors, Oh My!
Hardware is an aspect of physical security that’s usually focused on too much … or not enough. Proper security hardware, without enforced policy, is exploitable. Of course, so are properly enforced policies, without effective security hardware. As with most things in life, the key is a healthy balance. For physical security devices, it’s important to invest in effective locks and door systems. If your locks and doors can be easily picked or shimmed, then it’ll be difficult to achieve a strong security posture. Similarly, ensure your camera systems are designed to include adequate coverage and quality. Saying enhance over and over will only get you so far. I recommend performing some form of routine assessment that includes hardware walkthroughs.
Being familiar with commonly utilized physical attack techniques is one of the best ways to defend against them. Some of the most effective pretexts include:
Go Nuts For Donuts – an appropriately dressed person with an armful of donuts and coffee
FedExploit – a simple uniform and an empty box
Ladder To Anywhere – two people carrying a ladder
Interviewer Discretion Advised – someone in the lobby pretending to have a meeting/interview; maybe they spill coffee on their resume and ask you to print another one from their “totally safe” USB drive
Free Hugs – any pretext to get close enough to your badge to clone it; wireless badge cloners exist but often have a short range; be aware of someone who wants to get near your badge
Calling Mom – someone standing near a doorway pretending to be on the phone, waiting to tailgate
If someone approaches you with a weird situation, be skeptical. Ask yourself what they might be trying to gain through this interaction. Pose specific questions: “What’s your name?” “Who do you work for?” “Can I see your ID?”
There are a wide variety of physical attack vectors and it can be difficult to maintain vigilance, not to mention compliance with the many policies that keep our offices generally safe. It’s important to be familiar with these policies, the incident response policies and the various legal regulations regarding physical security at your office. In the end, the most effective method of alerting or detecting physical security threats relies on users. It’s critical that you’re familiar with – and have hopefully practiced the process for – reporting security incidents. When in doubt, if you see something, say something.
How can Schneider Downs help?
The Schneider Downs cybersecurity practice consists of experts in multiple technical domains. The team’s mix of skills and experiences in real-world cyberattack scenarios enables us to provide your organization with a comprehensive look at external vulnerabilities including the physical risks explored in this article, and others ranging from susceptibility to social engineering to critical weaknesses in external web applications. Learn more about our team and services at www.schneiderdowns.com/cybersecurity.
You’ve heard our thoughts… We’d like to hear yours
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at contactSD@schneiderdowns.com.
Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.