While many companies are doing more to prevent cyber-attacks compromising their businesses online, they often forget or take less attention to the risk of cyber-criminals by-passing network perimeter security and walking in through the front door.
Even for organisations with reasonable levels of security maturity, including companies which are ISO 27001 certified, it is apparent that the popular adoption of “cyber-security” as a new label for “information security” has pushed the risks and controls of physical security to one side. This is not helped by media headlines that focus attention on large-scale cyber-security incidents that impact consumers, when many organisations face an entirely different set of security threats, threat adversaries and risks. The conjunctive risk management of physical security and information security is not a new problem, but is one that is perhaps increasingly overlooked in a cyber-focussed industry.
This focus on the virtual is reflected in the growth in penetration testing services to stress test cyber-defences. But we are starting to see a rise in assessments of physical security controls and social engineering exercises, both conducted as independent assurance exercises and as often as part of red-team engagements – the more realistic approach to penetration testing. For many organisations where the people, process and technology controls are not robust and harmonised, it is all too easy to compromise IT systems and data assets.
How easy is it?
When we set about planning a physical security and social engineering exercise we employ many common Tactics, Techniques and Procedures (TTPs). We will often simply masquerade as an external individual in a position of trust or authority. This is very difficult to guard against unless staff awareness training is robust. Human nature, in most cases, dictates that we will be helpful to individuals that require our assistance. To gain unauthorised physical access into premises, we will leverage these attitudes and will commonly adopt the role of a fire extinguisher or PAT (Portable Appliance Testing) engineer for example, or maybe an individual in a health and safety position. We will often state that we have an urgent or safety critical requirement to address. When using these tactics against the people we interact with, no-one wants to be “that person” who disrupted an important activity which endangered the lives of colleagues, or resulted in a failed audit.
Even when such pretexting fails at the first attempt, there are many means of escalating our persistence in these roles to manipulate people into performing irregular or inappropriate actions. For example, simply exerting pressure by explaining to the “victim” that there will be a personal negative consequence if an activity is not fulfilled is often sufficient. This might be an invented scenario about having to travel back the following day or disruption to their schedule, which would get them into trouble with their employer.
You are probably thinking that this would never happen in your organisation – but how confident are you that all your colleagues could manage such situations?
Implanting devices within the IT infrastructure usually takes a matter of seconds once through the door. We have several physical implants at our disposal, which are designed to quickly facilitate unauthorised access to systems. We have also designed and custom-built implants for specific scenarios, but there are many low-cost devices available for sale on the internet. These devices can be attached directly to networks or workstations and allow us to bypass common security controls to facilitate remote unauthorised access.
At this point it's largely game over. Further penetration testing and compromise of systems and assets from the physical premises is seldom necessary at this point as the implants allow us to gain access to networks from outside the physical perimeter. They are designed to defeat or circumvent many common security controls, including Network Access Control (NAC) solutions, which often claim to prevent unauthorised devices from admission to the network.
In organisations with basic technical controls, we will simply attach a small-form wireless access point to re-establish access, often from the car park, as a proof-of-concept. Other devices are more complex in their automatic abilities to establish covert egress channels via Internet connections. For longer term engagements, we can use implants embedded in common objects such as power supplies so that they are less conspicuous.
For most UK organisations, managing cyber-security risks are the priority and rightly so. Recent attacks on a global scale show the risks posed from continually evolving threats. But while the technical side of security is pursued, these physical risks continue to be overlooked and could result in a serious breach walking through your front door.
Understanding physical threats is essential for every business, even if the actual risk for most is likely to be low. For some companies, particularly those with a high-street presence or those that possess high-value assets, the threat-level may be a lot higher. When companies adopt a more holistic approach to cyber-security and ensure all staff are trained and informed, they can help reduce the risk.
Contributed by Nathan King, director, Cyberis
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.