Hard Candy Shell, Soft on the Inside

I recently had the pleasure of performing a combined Social Engineering and Physical Security Assessment over the course of a national holiday. This assessment opens one’s eyes to the challenges that an organization of this size faces when it grows rapidly and tries to fit an Information Security program in along the way.

Top Takeaways

While there are many lessons learned, two top takeaways stand out:

  1. Having the proper corporate structure is one of the most important components in standing up a successful information security program.
  2. Perceived security is just that – perceived. As my co-worker Andrew Weed put it: “This is like an M&M – a hard candy shell, soft on the inside.” To a large extent he is correct. The security controls on the outside of the facility, at least from a distance, appeared quite intimidating. Upon closer examination, they were not.

Before I continue, this assessment reinforces the points made in one of my previous blogs: Successful Security Programs: Security vs. Risk Management vs. Compliance.

Physical Security Assessment

So, let’s walk through the Physical Security Assessment.

The facility had an exterior perimeter fence topped with barbed wire. Two gates were present. One, used for deliveries and similar traffic, had a guard shack. The other was a badge-only entrance for employees. We noticed that when an employee badged in at the employee gate, it stayed open long enough for at least one more car – perhaps two – to drive through before it began to close. Tailgating was a known problem, according to the one security guard watching over the facility.
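A gate that stays open long enough for a second car is hard to fix with hardware alone, but it can at least be detected. The script below is an added example, not code from the original post or from the assessed company: it correlates badge reads with vehicle detections on a constructed gate log and flags every gate-open period in which more cars passed than badges were read. It assumes a loop sensor (or camera analytic) that logs each vehicle crossing the gate line, and assumes the gate stays open for 20 seconds after a read and is extended by a read while already open; both the log format and those numbers are assumptions, not facts from the assessment.

```python
from datetime import datetime, timedelta

# Constructed sample log for a badge-only vehicle gate (not real data).
# "badge"   = valid badge read at the gate reader
# "vehicle" = loop-sensor detection of a car crossing the gate line (assumed sensor)
SAMPLE_LOG = """\
2013-07-04T07:58:02 badge emp=1042
2013-07-04T07:58:06 vehicle
2013-07-04T07:58:14 vehicle
2013-07-04T07:58:21 vehicle
2013-07-04T08:03:40 badge emp=0217
2013-07-04T08:03:44 vehicle
2013-07-04T08:03:52 badge emp=0388
2013-07-04T08:03:57 vehicle
2013-07-04T08:04:09 vehicle
2013-07-04T08:15:10 badge emp=0771
2013-07-04T08:15:15 vehicle
"""

GATE_OPEN_SECONDS = 20  # assumed dwell time after a badge read


def parse_log(text):
    """Parse log lines into (timestamp, kind, badge_id) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        kind = parts[1]
        who = parts[2].split("=", 1)[1] if len(parts) > 2 else None
        events.append((ts, kind, who))
    events.sort(key=lambda e: e[0])
    return events


def gate_open_periods(events, open_seconds=GATE_OPEN_SECONDS):
    """Group events into periods during which the gate is open.

    A badge read opens the gate for open_seconds; a read while it is already
    open extends it. Vehicles seen while the gate is closed are not counted
    here; they would be a separate alarm (forced gate or sensor fault).
    """
    window = timedelta(seconds=open_seconds)
    periods = []
    current = None
    for ts, kind, who in events:
        if kind == "badge":
            if current is not None and ts <= current["closes"]:
                current["badges"].append(who)
                current["closes"] = ts + window
            else:
                current = {"opened": ts, "closes": ts + window,
                           "badges": [who], "vehicles": 0}
                periods.append(current)
        elif kind == "vehicle":
            if current is not None and ts <= current["closes"]:
                current["vehicles"] += 1
    return periods


def tailgating_alerts(events, open_seconds=GATE_OPEN_SECONDS):
    """Return one alert per open period with more vehicles than badge reads."""
    alerts = []
    for p in gate_open_periods(events, open_seconds):
        excess = p["vehicles"] - len(p["badges"])
        if excess > 0:
            alerts.append({"opened": p["opened"], "badges": p["badges"],
                           "vehicles": p["vehicles"], "unbadged_vehicles": excess})
    return alerts


if __name__ == "__main__":
    for a in tailgating_alerts(parse_log(SAMPLE_LOG)):
        print(f"{a['opened']:%H:%M:%S} badges={a['badges']} "
              f"vehicles={a['vehicles']} unbadged={a['unbadged_vehicles']}")
```

On the constructed log this flags two periods: the 07:58 read where three cars followed one badge, and the 08:03 cluster where two badge reads let three cars through. The 08:15 read, one car for one badge, is clean. The value of the correlation is that it turns “tailgating is a known problem” into a count the lone guard can act on, and it gives a measurable target when the gate dwell time is shortened.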

Several of the exterior doors required a valid badge to open. A good beginning, but most of these doors had a motion detector on the interior side that, when triggered, released the electronic lock to allow an easy exit from the building. We bypassed this from the outside by using the physical gap between the door and the doorframe: spraying a can of compressed air held upside down through the gap produced a cold vapor cloud on the interior side that triggered the motion detector. The lock released and we opened the door from the outside without a valid badge.

Demonstrating this showed how a motivated adversary could bypass two layers of security (the perimeter fence and the exterior doors) and reach the interior of the building with minimal effort and resources. It also shows why defense-in-depth, physical security included, is an essential part of information security: what would we find once inside the facility? Exactly what we suspected, a soft interior with little in the way of physical security controls. This wasn’t news to our point of contact either.

Human Security Assessment

Once inside the facility, it didn’t take long to discover that the ‘clean desk policy’ wasn’t being enforced. In two separate areas, hundreds of documents marked “Confidential” were lying on top of unoccupied desks. Desk cabinets and file drawers were left unlocked, and at one desk we found a database password written in a notebook. File cabinets located in areas requiring badge access were unlocked. One such cabinet contained all of the proprietary information on every product the company has manufactured since its inception, all of it marked “Confidential.” Further inside the facility, we found many doors left unlocked and/or propped open.

The conclusion was clear. For the majority of the building there were really only two layers of physical security: the perimeter fence and the exterior doors. Once past those, a motivated adversary would have little trouble retrieving information that could both damage the company’s reputation and hand competitors valuable proprietary information. Two layers attempting to stop someone from breaching the facility leave a great deal of risk on the table.

Corporate Structure Assessment

As we finished the assessment, we discovered important details about the corporate structure behind their information security program:

  • Information Security and IT are under the same umbrella.
  • Information Security consists of one individual for thousands of employees.
  • The middle manager and a director report to the CFO.
  • One security guard is responsible for the entire facility, including watching all of the security cameras, of which there are almost fifty.

Given the size of the company, the corporate structure for Information Security and IT clearly didn’t scale as the company grew. On top of that, executive decisions come from the CFO, which may mean they are made on a financial basis instead of a risk basis. Lastly, IT and Information Security are one group, which creates a considerable conflict of interest when security initiatives have to be pushed through the same management chain that owns the systems they affect.

Good-bye M&Ms, Hello Jawbreakers

So, what can be done to reduce the risk in this situation? Here are some tips from an “offensive” point of view:

  1. Separate IT and Information Security. In this case that means restructuring portions of the organization and hiring additional executive leadership, a middle manager, and additional Information Security staff. It also means hiring additional security guards so that one person’s extreme workload doesn’t itself become a risk.
  2. Defense-in-Depth. Don’t count on perimeter or exterior security controls to prevent a physical breach; assume they will be bypassed and put further controls behind them.
  3. Develop physical trust zones inside the building. Treat hallways as “untrusted zones,” especially when they connect to an exterior door or a publicly accessible location such as the front lobby. Lock the doors between trusted and untrusted zones.
  4. Apply the principle of least privilege. Keep all file cabinets locked at all times and limit who holds the keys.
  5. Enforce the clean desk policy. Run a random weekly audit, communicate the results, and provide feedback or consequences based on the number of failed audits in which an employee’s work area is found out of compliance.
  6. Maintain perimeter security controls regularly so that weather and wear do not degrade them.
  7. Remove motion sensors from exterior doors and ensure each door has a panic bar on its interior (not a push bar, which can be bypassed with commonly available tools).

Finally, one of the best defenses against a physical breach is the human element. Effective security awareness training should be part of every organization’s culture. An effective program should teach:

  • Polite ways to challenge unrecognized individuals.
  • How to deal appropriately with pushback from an individual being challenged.
  • The incident response process to follow when an unauthorized person is discovered in the building.