Is your organization getting physical security right?
For most organizations (and especially for tech companies), the physical security of data centers and headquarters is of the utmost importance.
As Tim Roberts, a senior security consultant with NTT Security’s Threat Services group, duly points out, “it won’t matter if your data is encrypted or how secure your virtual network is if an attacker just walks in the door and gains access physically.”
The most common physical security breach tools and tactics
Roberts and his colleague Brent White are using a wide assortment of tricks to gain access to customers’ sites: they’re tailgating, installing rogue access points, staying in nearby hotel rooms and using high gain DBI antennas to change network configurations, impersonating employees and contractors, and more.
The human behavior element is usually over looked when it comes to tightening physical security, Roberts told Help Net Security. For example, employees often hold the door open when someone is about to “badge in” behind them.
“You just have to look like you work there and have something around your neck or at your hip. Employees rarely pay attention to the badge reader – they just look for the motion of the employee behind them holding their badge up to the reader,” he shared.
“In our experience running penetration tests for our clients, we’ve been able to bypass retinal scanners just because we were piggybacking with a blank HID badge and pretended to scan our eyes.”
White added that failing to achieve physical security can be as simple as not having a door configured correctly.
Sometimes even a canned air canister will do the trick, as request-to-exit sensors are usually placed way too close to doors. By blowing canned air underneath an access restricted door, the temperature fluctuation will allow them to trip the door from the inside and open it from the outside.
“More sophisticated attacks can include cloning low frequency and high frequency HID badges. Cloning tools make these badges pretty easy to enumerate, clone and replicate if you get close enough to someone,” Roberts added.
Pretending to be an employee or an auditor is usually a good way to gain access to restricted areas, whether they are offices or data centers. The pretext of installing network upgrades works well for creating a sense of urgency and making employees and even executives let them in. The resulting direct access to computers and workstations means that installing keyloggers can be done in a flash.
Advice for defenders
There are standardized physical access control frameworks organizations can follow to make sure they get that aspect of security right. NIST’s is a good example, but there are others as well.
Standardized physical security controls include access controls, monitoring, perimeter security, badges, motion detectors, and so on, but defenders should also consider implementing compensating controls (e.g., intrusion detection systems that alert on motion, if someone attempts to enter over or under walls).
“There are high-security access solutions, such as Boon Edam, which can help mitigate piggybacking and tailgating. Some of these types of security controls also have radio technology built in, which can detect weapons and even do physical recognition – identifying whether the badge ID matches the height of the individual trying to enter through the door, or if there is more than one person trying to enter at the same time,” White noted.
It’s important to ensure that badge readers are MFA-enabled. Biometrics (thumbprint, iris scan) as the second authentication factor is preferred, but even using a PIN code makes it more difficult for an attacker to mount a successful attack.
Making sure that the doors and access controls are installed and configured correctly and according to manufacturer specifications is also a must, and having trained security officers patrolling the campus bolsters the intrusion detection system and monitors with a physical presence.
“Cameras might not stop someone from breaching a security zone if they’re determined,” White noted. “Also, make sure your guards are monitoring the cameras and there are stringent log management protocols in place.”
Both Roberts and White advised defenders to try to think like an attacker when looking to improve their organization’s physical security.
But the human element is the most important, they noted, and ensuring the staff has a high level of security awareness is the number one best practice – even more important than physical controls.
“It’s critical that you train your employees to intercept and ask questions to people that look out of place and know the proper escalation procedures to follow,” White added.
Roberts pointed out the need for physical security to be a proactive, company-wide and ongoing effort that begins with training.
“Employees need to be trained in both best cyber and physical security threats to know what to look for, but make sure it’s [part of creating] a culture of security, not a just a one-time or annual training requirement within your organization,” he added.
“Your employees need to be actively looking for things that seem out of place, not just going through their day-to-day routine.”