You’ve created a whitelist for software and hardware, you’ve set your firewall policies and you’ve reviewed all of your user permissions. But have you locked the front door?
Companies devote an incredible amount of resources to cyber security and rightfully so, as a single breach can have a devastating effect on the business from top to bottom. In that pursuit for perfect digital protection, it’s easy to forget that there’s a physical side to cyber security too.
Physical social engineering assessments are exercises that assess a company’s capability in defending against hackers that look to exploit their targets on their premises. When carried out by an experienced consultant, organisations gain a wealth of knowledge about just how secure they really are.
Often seen as the missing piece of the cyber security puzzle, physical social engineering assessments have become increasingly popular in the U.S. With only a handful of specialised consultants in the UK and Ireland, here’s a look at the upcoming trend and why so many businesses are seeing it as the next must-have service.
What is a Physical Social Engineering assessment?
Physical social engineering is an assessment to determine whether an attacker can gain physical access to an organisation’s premises in an attempt to reach sensitive information and internal systems. It then provides remediation advice on how best to secure against these types of attacks, which are often overlooked by organisations when creating a cyber security strategy.
Neil Gibb, Cyber Security Consultant with Integrity360, is one of just a handful of people in the UK and Ireland with experience in physical social engineering.
Gibb says, “As a physical social engineer, fundamentally, my job is simple – gain physical access to an organisation’s premises and complete a set of pre-determined tasks. These tasks can range from acquiring network access through to planting devices on a client’s corporate network in an attempt to gain remote access. Real-time evidence of a general lack of security best practice is also collated, such as clear desk policies, workstations left logged on and unattended, and confidential literature left out for anyone to read, etc.
The hard part of the engagement is convincing clients that a physical cyber security assessment is as critical as performing external and internal penetration tests. Over my time as a physical cyber security specialist, I have assessed some very mature organisations who have undertaken multiple network and application penetration tests over a number of years and are therefore very secure in these areas but had not taken physical cyber security into account for a number of reasons.
The main reason for this is a lack of skills in this field to perform such an assessment, and therefore physical cyber security assessments are either being performed by consultants whose skill sets lie in the technical side of information security and who, through no fault of their own, are not capable of performing such assessments comprehensively. More often than not, cyber security organisations are not offering these assessments and their clients are left feeling that what they are currently doing is enough to secure their corporate network and confidential data.
However, when a company does undertake a physical cyber security assessment, there is, what I would describe as, a light bulb moment when I explain how I have gained access to what was thought to be a secure premises or how I planted a device on their corporate network and maintained remote access over a number of days, weeks or even months without the client’s knowledge that I had ever stepped foot into the building. Or when I provide images of sensitive documentation that has been discarded without a second thought. These organisations quickly realise the importance of physical cyber security and prioritise it on their cyber security agenda, with regular assessments and remedial projects.
In the current information security climate, physical cyber security really is the missing piece of the puzzle and without taking it seriously, organisations are literally leaving the front door open for threat actors to walk straight in.
This has not escaped the criminal fraternity either: with a higher probability of success, criminal organisations are quickly adding this to their kit bag, with physical attacks rapidly on the rise.”
How is a Physical Social Engineering assessment different from a Red Team assessment?
Physical social engineering commonly takes two forms:
- Penetration testing – this approach focuses solely on the physical social engineering/individual element, i.e. can a hacker acquire undetected physical access to an organisation’s internal networks and secure areas?
- Red teaming – this approach explores whether the physical attack vector offers a viable route to satisfying the engagement goals, i.e. can a hacker acquire undetected physical access to an organisation’s internal networks to provide the red team with logical access to further the engagement?
Why is having a Physical Social Engineering assessment important?
Cyber criminals go for low hanging fruit and because of how network security has been prioritised over physical security in cyber security strategies, getting onsite and accessing an organisation’s data has become easier than hacking networks and applications online.
Of course, you wouldn’t know that physical cyber attacks are becoming increasingly common, Gibb points out, “Generally, most companies don’t publicise physical breaches. In 2013, Barclays were breached and that really opened up the banking and financial services sectors’ eyes to the potential of physical attacks.”
Cyber security is all about keeping one step ahead of potential threats; companies need to know where they are vulnerable and what threats could present a tangible risk to their assets and reputation, so they can either mitigate the risks or adjust their defences accordingly. With little attention being paid to just how potentially ineffective companies’ physical security can be, it continues to be a viable attack vector for cyber criminals.