When you think about hacking you probably think about technology. Hackers digitally breaking into an organisation or government systems, stealing data or bringing down whole networks. But hackers don’t just use technology to breach a potential target, sometimes the old ways are the most effective and physically gaining access to a company's premises can provide threat actors with ultimate control of digital estates.
Every company needs to ensure their physical locations are secure, especially those that house key assets such as company servers, and a red team engagement can provide the opportunity to test physical security alongside your overall cybersecurity posture.
Red teaming is a goal based assessment of a company and hackers can use a variety of methods, within the set scope, to achieve their overall goal. This can include the physical security of a site.
But, what techniques can attackers use when trying to gain access to a physical location?
Many workplaces now utilise automated gates to gain access to the premises. However, just like at train stations, there is an opportunity to exploit these by closely following behind someone who has a legitimate pass.
Malicious threat actors can take advantage of this situation, especially when this is the only security feature employed at the entrance to a building.
Tailgating becomes a little bit harder when there is a manned reception, but you could always get around this by getting someone to ring reception to distract front of house whilst you attempt to gain access.
- Dumpster diving
Dumpster diving, in the traditional sense, is trying to find useful or sensitive information from the things that are physically thrown away by an individual or a company. Yes, this still takes place and attackers can find a treasure trove of information of data is not disposed of correctly.
But it’s not just paper-based information dumpster divers are looking for, it can include technology, and if attackers were to get their hands on discarded hardware they could potentially uncover a host of digital information that may not have been removed correctly.
- Targeting front of house
Front of house can be a key target for attackers and we’ve heard about a variety of methods where attackers have looked to exploit their usually helpful nature.
For example, imagine a coffee drenched visitor approaching the front desk saying they have an interview next door and their CV has been ruined. Luckily, they have a copy on a USB and if reception could print it off it would really help them out.
A helpful person may well oblige, looking to help the situation. The problem is the USB can be laden with malware and can provide the route into the company network.
- The fire alarm
Every company needs to have a Fire Emergency Evacuation Plan and it means that employees have to leave the building, making their way to a set meeting point. This meeting point is usually situated in a public space and therefore can be accessed by external individuals.
The opportunity for a malicious threat actor comes when staff re-enter the building, as normal security measures are removed in an effort to help people back into the premises as efficiently as possible.
If an attacker had knowledge of an upcoming test, they could mingle within the assembled crowd and then enter the building unchallenged when people return to work. A real malicious threat may even set off the alarm in order to breach the building.
- Third party suppliers
How many external people have access to your physical premises? You may be surprised and it can include everyone from couriers and cleaning staff, to building management and even the people who come to water the plants.
But how do you know these people are from the companies they say they are and aren’t, in fact, malicious threat actors attempting to gain access to your organisation?
One of the most effective ways to gain access to a location can be to masquerade as one of these external vendors, and if visitor/third party supplier security processes aren’t tight then you could be welcomed in no questions asked. All it takes is a high vis-vest!
- Target smokers at the side/back door
Smokers can provide a way in for attackers, especially if the smoking area has public access and is accessed via a side or back entrance.
These entrances are usually less secure then the main entrance and all an attacker has to do is build up a friendly relationship with a fellow smoker, pretending to have forgotten their pass to the building. Chances are your new acquaintance will more than gladly buzz you in through the first security door.
- The USB drop
Imagine finding a USB in the car park on the way into the office one morning. There’s no label on it to suggest what it has on it or to whom it may belong to. What do you do?
The temptation is to plug it into a computer and see what’s on it. But that’s exactly what the attackers want you to do.
USBs loaded with malicious malware such as key loggers or ransomware can be left in strategic locations around a company’s premises, hoping an unsuspecting employee finds it and is curious enough to plug it into their work computer. This can provide the way in and once inside the company network attackers can potentially escalate privileges until they have overall control.
It can be hard to keep track of who everyone is in a large company and attackers can use this fact to their advantage.
For example, attackers could phone front of house pretending to be an existing employee. On the phone, they can explain how they are running late and that the visitor they are expecting should be sent straight through to wait for them. The visitor will obviously be an attacker and once alone in the building they can try to gain access to restricted areas.
It’s easy to find out the identity of the people within your company and to uncover the structure of the organisation. LinkedIn and online searches can provide these identities and your company website may provide information on key individuals such as directors.
Protecting your business
Now you know some of the potential techniques used by threat actors you need to start putting in place the necessary steps to protect yourself.
- Improve your physical security measures
The more physical security measures you have in place throughout the premises the harder it will be for an attacker to breach. Even if they were to make it through the front door it will be hard to get much further without detection.
These measures could include added security on entrances to sensitive areas, a physical presence on reception to stop people tailgating or even a more visible CCTV presence.
- Educate your staff
Education is key when it comes to improving security and staff need to be aware of their responsibilities, as well as the potential consequences of getting security wrong.
The training you provide will depend on the nature of the job, as well as the dangers posed to your business, and some departments may require more extensive training due to the number, and variety, of threats they might face.
This training needs to be conducted on a regular basis to ensure staff remain up-to-date and running simulated attacks can ensure that the lessons are being followed.
- Codify security processes and procedures where possible
Security procedures need to be codified wherever possible and by having processes written down it means staff should know exactly how to deal with situations as they arise.
For example, you should always have set procedures on how front of house deal with visitors and what they can and cannot accept from unknown guests.
- Verify third-party suppliers
Having a third party supplier enter reception isn’t too concerning, but what if they have free access to other, more sensitive, areas of the business? When this is the case you need to put in place procedures to ensure these staff are who they say they are and have been verified by the supplier. If there are any doubts entry needs to be denied and identity needs to be checked directly with the supplier.
- Challenge unknown visitors
Existing staff can play a useful role when it comes to physical security, as staff who work there day in, day out are more likely to be able to spot someone they have never seen before, especially in sensitive areas of the business.
This needs to be coupled with a culture where unknown individuals can be challenged to present some form of ID whilst on the premises. If ID can’t be presented then these individuals need to be escorted back to reception where identity can be confirmed.