By Neil Gibb on February 17, 2020

What is physical Social Engineering and why is it important?

Cyber Security Testing

You’ve created a whitelist for software and hardware, you’ve set your firewall policies and you’ve reviewed all of your user permissions. But have you locked the front door?

Companies devote an incredible amount of resources to cyber security and rightfully so, as a single breach can have a devastating effect on the business from top to bottom. In that pursuit for perfect digital protection, it’s easy to forget that there’s a physical side to cyber security too.

Physical social engineering assessments are exercises that assess a company’s capability in defending against hackers that look to exploit their targets on their premises. When carried out by an experienced consultant, organisations gain a wealth of knowledge about just how secure they really are.

Often seen as the missing piece of the cyber security puzzle, physical social engineering assessments have become increasingly popular in the U.S. With only a handful of specialised consultants in the UK and Ireland, here’s a look at the upcoming trend and why so many businesses are seeing it as the next must-have service.

Integrity360 The Essential Guide to Penetration Testing eBook

What is a Physical Social Engineering assessment?

Physical social engineering is an assessment to determine whether an attacker can gain physical access to an organisation’s physical premises in an attempt to access sensitive information and internal systems. It then provides remediation advice on how best to secure against these types of attacks, often overlooked by organsations when creating a cyber security strategy.

Neil Gibb, Cyber Security Consultant with Integrity360 is one of just a handful of people in the UK and Ireland with experience in physical social engineering.

Gibb says, “As a physical social engineer, fundamentally, my job is simple – gain physical access to an organisation’s premises and complete a set of pre-determined tasks. These tasks can range from acquiring network access through to planting devices on a client’s corporate network in an attempt to gain remote access. Real time evidence of a general lack of security best practice is also collated, such as clear desk policies, workstations left logged on and unattended and confidential literature left out for anyone to read, etc.

The hard part of the engagement is convincing clients that a physical cyber security assessment is as critical as performing external and internal penetration tests. Over my time as a physical cyber security specialist, I have assessed some very mature organisations who have undertaken multiple network and application penetration tests over a number of years and are therefore very secure in these areas but had not taken physical cyber security into account for a number of reasons.

The main reason for this is a lack of skills in this field to perform such an assessment and therefore physical cyber security assessments are either being performed by consultants whose skill sets lie in the technical side of information security and, through no fault of their own, are not capable of performing such assessments comprehensively. More often than not, cyber security organisations are not offering these assessments and their clients are left feeling that what they are currently doing is enough to secure their cooperate network and confidential data.

However, when a company does undertake a physical cyber security assessment, there is, what I would describe as, a light bulb moment when I explain how I have gained access to what was thought to be a secure premises or how I planted a device on their corporate network and maintained remote access over a number of days, weeks or even months without the client’s knowledge that I had ever stepped foot into the building. Or when I provide images of sensitive documentation that has been discarded without a second thought. These organisations quickly realise the importance of physical cyber security and prioritise it on their cyber security agenda, with regular assessments and remedial projects.

In the current information security climate, physical cyber security really is the missing piece of the puzzle and without taking it seriously, organisations are literally leaving the front door open for  threat actors to walk straight in.

This has not escaped the criminal fraternity either, with a higher probability for success, criminal organisations are quickly adding this to their kit bag with physical attacks rapidly on the rise”.

Also Read : What is Physical Cyber Security? A Q&A with Integrity360’s Cyber Security Test Manager and Social

How is a Physical Social Engineering assessment different from a Red Team assessment?

Physical social engineering commonly takes two forms:

  1. Penetration testing – this approach focuses solely on the physical social engineering/individual element, i.e. can a hacker acquire undetected physical access to an organisation’s internal networks and secure areas
  2. Red teaming – This approach explores whether the physical attack vector offers a viable route to satisfying the engagement goals i.e. can a hacker acquire undetected physical access to an organisation’s internal networks to provide the red team with logical access to further the engagement.

Why is having a Physical Social Engineering assessment important?

Cyber criminals go for low hanging fruit and because of how network security has been prioritised over physical security in cyber security strategies, getting onsite and accessing an organisation’s data has become easier than hacking networks and applications online.

Of course, you wouldn’t know that physical cyber attacks are becoming increasingly common, Gibb points out, “Generally, most companies don’t publicise physical breaches. In 2013, Barclays were breached and that really opened up the banking and financial services sectors’ eyes to the potential of physical attacks.”

Cyber security is all about keeping one step ahead of potential threats; companies need to know where they are vulnerable and what threats could present a tangible risk to their assets and reputation, so they can either mitigate the risks or adjust their defences accordingly. With little attention being paid to just how potentially ineffective companies’ physical security can be, it continues to be a viable attack vector for cyber criminals.

Wondering how your business would stack up against a physical social engineering assessment? Find out by contacting Integrity360 and setting up an assessment today.

Contact Us

Sign up to receive the latest insights

Join our cyber security community to stay up to date with the latest news, insights, threat intel and more right in your inbox.  All you have to do is choose how often.