Over the last several years, I have spent a good part of my security consulting career focused on covert physical security and social engineering assessments. But what does this mean?
Myself and members of Threat Services will attempt to gain access to a building, data centers, executive suites, offices and so on – by either bypassing physical security controls or by pretending to be an employee, contractor, someone from corporate, vendors or whatever guise deemed suitable for the target facility.
This is often the subject of my presentations when speaking solo or together with my colleague Brent White at nationally and internationally recognized hacker and security conferences. Wrapping up InfoSec World in the US this week, Brent and I presented on, “Breaking Into Your Building: A Hacker’s Guide to Gaining Access”. We discussed traditional and non-traditional methods of bypassing physical access controls using anything from sophisticated technology to common office supplies or even things that you can find in the trash. Additionally, we covered how to reduce or remove this risk.
When it comes to protecting your data, physical security is often overlooked or placed at a lower priority. Once a building is built, controls are put in place, a security guard is hired or the maintenance team installs these controls. Most of the war stories of how we compromise a data center is either that someone has let us in because we social engineered them or physical security controls are poorly implemented or without compensating controls.
A good example of this, and one of the common ways to bypass two-factor authentication (including retinal scanner and badge, pin and badge etc), is by taking advantage of poorly placed Request-to-Exit sensors – by exploiting the motion and temperature variant triggers.
How is this done? There are a few different ways, but here is a simple one that we continue to have success with: When these sensors are in close proximity to the door, you can use something like canned air, turn it upside down, place the straw beneath the door and spray. How does this work? The density of the canned air and the temperature fluctuation will trigger the sensor and convince it that someone is exiting, thus disabling the locking mechanism and bypassing whatever fancy access control technology that you have on the other side.
Another common physical security control that we exploit is by picking locks on emergency exits. Lock cores are usually used for several years before companies even consider upgrading them or waiting to replace them until an employee who had a copy of a key is let go. These cores tend to be weak tumbler locks that can be picked in seconds and, if you do it during production hours, the alarm on the emergency exit doors are usually not activated.
I have even seen 4-pin tumbler locks on data center doors that have biometric access controls installed on them. Why spend all of that money on your electronic controls, when the lock or the latching mechanism is neglected?
These are just a couple examples of how a weak lock or a poorly placed sensor could allow a potential threat to gain access without having to “badge-in”. A breach like this often occurs because of the ole “multiple hats to cut costs” mentalities that companies have. Thus shifting the responsibilities of trained security professional to one of their maintenance workers, who have limited knowledge of best practices for implementing these technologies.
The same can be said for having the administrative assistant doing the job of a security guard. Are they trained in what to look for and consider? Are there capable workers who can handle responsibilities outside of their principle roles? Absolutely. Should they? Well, this is probably subjective, however, as someone who breaks into a lot of corporate and government buildings for a living…I would say, no. When you scrape the barrel to meet minimum requirements, do not be surprised if you sometimes – spring a leak – and enable a compromise to occur..
Perhaps you don’t have the budget to have the most robust physical security program. Not a problem. There are several training programmes, standards and talks that will not only cover best practices but also what to look for.
Spend the time reading up on the vulnerabilities associated with access controls that you currently have implemented or are looking into. Spend the time researching best practices and options before buying over-priced authentication technology that can end up being near useless (other than for show), because an astragal isn’t in place on the gaps of the door or the Request-to-Exit sensor is improperly positioned.
Spend the time instilling security awareness as a culture, how to detect social engineering and physical security attacks and not just requiring a generic annual security awareness training.
In the end, security is everyone’s responsibility. We all have eyes and ears. It is up to the decision makers to ensure that controls are being properly implemented by their teams and that their employees take security seriously. It is up to the role of the employees to ensure that they are just as invested in protecting not only the data, but themselves from physical and social threats to both information and safety.