Insights | Integrity360

When security gets physical

Written by Neil Gibb | 17 July 2024 07:00:00 Z

Neil Gibb walks us through a typical day undercover as a physical cyber security specialist and shares valuable advice for defending against physical threat actors.

Breaking the Bank

Over recent years, I’ve witnessed a shift in cyber-attack techniques from technical, online-based attacks to targeting an organisation’s physical premises, thus bypassing the defences configured to protect against a typical cyber-attack.

A physical assessment is related to penetration testing and often plays a role in red teaming assessments, testing how your organisation would cope if targeted by a highly skilled physical threat actor. In our blog, "What is Physical Cyber Security? A Q&A with Integrity360’s Cyber Security Test Manager and Social Engineering Specialist Neil Gibb", Neil explained some of the common tactics a skilled threat actor may use to gain access to your organisation's physical premises. For example:

  • Impersonating someone with a legitimate purpose to be on the premises
  • Cloning an access card
  • Tailgating – seeking entry to a restricted area, where access is unattended or controlled by electronic access control, by simply walking in behind a person who has legitimate access

This service is in high demand from financial organisations, with other sectors slowly catching on to its worth. While the lessons learned can be hard to swallow, reading a list of security issues in a report doesn't come close to the pain of a real-world breach.

The Assessment

Pre-COVID, a finance organisation commissioned Integrity360 to conduct a physical cyber security assessment. The organisation was very mature in its cyber security journey and wanted to test how they would stand up against a physical cyber security assessment. For obvious reasons, I must maintain our client’s confidentiality, but they’re a high-street name. The stages of the exercise were:

  1. Build a picture of the target organisation using Open Source Intelligence (OSINT): the enumeration of information, both organisational and personal, that is freely available on the Internet. Being open and widely available, if the data is used intelligently, sensitive information hiding in plain sight can be used for nefarious purposes.
  2. Active reconnaissance – a term borrowed from the military. It’s a way of testing an organisation’s defences before going in for the kill. In the context of physical security, this is observing an organisation over a period of time to learn the movements and habits of employees, potential access points etc.
  3. Develop an attack scenario based on information gathered during the reconnaissance phase. In this case, an event hosted by the company presented the perfect opportunity.
  4. Deploy the attack scenario to gain entry to the target organisation.
  5. Following a successful breach of the premises, identify other opportunities to compromise the target’s security. For example:

    • Unlocked offices, server rooms and filing cabinets
    • Information left on desks – files and passwords on post-it notes
    • Leaving a backdoor: planting rogue devices to provide persistent remote access to the target’s internal network

Time to Breach…

The company was hosting an event for potential clients at their HQ. By means of a false email address, LinkedIn account and company, I was able to secure an invitation.

Dressed to impress (I left the hoody at home for this phase of the assessment), I attended the event, held in a restricted area of the building sectioned off from sensitive business areas. Security guards were posted at every entry point, checking employees’ identification and guarding against unauthorised access.

Targeting one security guard in particular, I waited and watched and, as suspected, he became distracted with another matter. Taking this opportunity, I removed my jacket and switched my visitor’s lanyard for a fake staff ID pass, copied from pictures taken during the reconnaissance phase of the assessment. I proceeded to tailgate my way through controlled entrances. Someone even politely held a door open for me.

During the course of the exercise I was able to make my way throughout the entirety of the building, planting rogue devices on the network and gathering evidence of documentation lying on unattended desks, some of it of the highest sensitivity.

Had I been a bad guy, I would have enjoyed rich pickings. Confidential information was lying on unattended desks. Workstations were left logged on as people fetched coffee. Using a USB stick, I was able to copy details and download files in seconds. I kept my mobile phone to my ear the entire time, having now assumed the persona of a member of IT busy sorting out a problem with a colleague.

At no point did anyone challenge me. Mission accomplished with a lengthy report for the client to consider.

I want to be clear: the point of these assessments is not to catch anyone out. Had I been caught by security or questioned by an employee, the objectives of the exercise would still have been achieved: namely, I would be able to tell the organisation about the effectiveness of their security.

Conclusion

Like many financial institutions, considerable effort and expense had gone into the security of the client’s building. In this case, that meant RFID-controlled barriers at all entrances, security guards and CCTV. Most of their internal doors lock automatically on closing and open with ID cards.
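The controls just described generate badge logs, and those logs can reveal tailgating after the fact even when the door itself did not stop it: a card that opens an internal door without ever having badged through the perimeter barrier got inside some other way. The following soft anti-passback check is an added example written for this article, not Integrity360's code or the client's system; the zone hierarchy (lobby, floor2, server_room), the log format and the sample events are all constructed.

```python
"""Soft anti-passback check over access-control badge logs (constructed example)."""
from dataclasses import dataclass
from datetime import datetime

# Assumed zone hierarchy: to be inside a zone, a card must first have badged
# into that zone's parent. None marks the outermost (perimeter) zone.
ZONE_PARENT = {
    "lobby": None,            # RFID barrier at the entrance
    "floor2": "lobby",        # internal door, opens with an ID card
    "server_room": "floor2",
}

# Constructed sample log. Format: ISO timestamp,card id,zone admitted to,in|out
SAMPLE_LOG = [
    "2024-06-12T08:58:10,C1001,lobby,in",
    "2024-06-12T09:01:05,C1001,floor2,in",
    "2024-06-12T09:20:00,C1001,server_room,in",
    "2024-06-12T09:40:00,C1001,server_room,out",
    # C2002 appears on floor 2 with no perimeter badge-in: it came through the
    # barrier behind someone else, or the perimeter reader was bypassed.
    "2024-06-12T09:45:30,C2002,floor2,in",
    "2024-06-12T10:05:00,C2002,server_room,in",
    "2024-06-12T12:00:00,C1001,lobby,out",
    # C1001 has left the building, yet its card opens the server room ten
    # minutes later: a cloned card or a logging gap, either way worth a look.
    "2024-06-12T12:10:00,C1001,server_room,in",
]


@dataclass(frozen=True)
class BadgeEvent:
    ts: datetime
    card: str
    zone: str
    direction: str


def parse_event(line: str) -> BadgeEvent:
    ts, card, zone, direction = (f.strip() for f in line.split(","))
    if direction not in ("in", "out"):
        raise ValueError(f"bad direction in log line: {line!r}")
    return BadgeEvent(datetime.fromisoformat(ts), card, zone, direction)


def nested_zones(zone: str) -> set:
    """The zone plus every zone nested inside it, per ZONE_PARENT."""
    result = {zone}
    changed = True
    while changed:
        changed = False
        for child, parent in ZONE_PARENT.items():
            if parent in result and child not in result:
                result.add(child)
                changed = True
    return result


def find_passback_violations(lines):
    """Return (card, zone, timestamp) for every entry into a zone whose parent
    zone the card never badged into, or has already badged out of."""
    inside = {}       # card -> set of zones the card is currently inside
    violations = []
    events = sorted((parse_event(line) for line in lines), key=lambda e: e.ts)
    for ev in events:
        zones = inside.setdefault(ev.card, set())
        if ev.direction == "in":
            parent = ZONE_PARENT[ev.zone]
            if parent is not None and parent not in zones:
                violations.append((ev.card, ev.zone, ev.ts.isoformat()))
            # Record the entry regardless, so later inner-zone entries are
            # judged against where the card actually is, not where it should be.
            zones.add(ev.zone)
        else:
            # Leaving a zone also means leaving everything nested inside it.
            zones -= nested_zones(ev.zone)
    return violations


if __name__ == "__main__":
    for card, zone, ts in find_passback_violations(SAMPLE_LOG):
        print(f"{ts} {card} entered {zone} with no open entry to {ZONE_PARENT[zone]}")
```

Many access-control platforms can enforce hard anti-passback at the reader; the value of running the same rule over exported logs in your SIEM is that it also catches the cases the door cannot, such as the held-open door in the story above, and gives security staff a concrete event to follow up rather than a vague sense that someone "looked out of place".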

In common with most organisations, the flaw in the target’s defences wasn’t down to failings in their physical security architecture or technical controls. Instead, it came down to employees who were untrained, complacent or didn’t care.

Human vulnerability is a significant problem across all industries. It requires a continuous approach and regular remediation to stay ahead of criminals, who are only too ready to profit from the smallest gaps in your security posture.

The hard truth is that this scenario, had it been a real-world attack, could have been catastrophic for the company. The potential losses: reputational, financial (through theft or fines by the regulator), operational downtime, breach of customer trust. It’s also easily avoided, which is why I’d like to wrap up on a positive note.

Companies are typically caught out by basic things. A robust staff training programme will eliminate many of your risks. Regular physical cyber security assessments will help you to measure your progress and ensure you stay on track.