Physical Security Assessments – A Pillar of Information Security
Often overlooked in a company’s implemented information security strategies are the threats posed by weaknesses in its physical security posture. Countless companies fail to bridge cyber and physical threats, and well-versed attackers can leverage this gap to gain unauthorized access to facilities, taking control of systems and data that may have otherwise been protected in the cyber realm.
To stay one step ahead, it’s important to get inside the mind of a would-be attacker to identify exploitable, and in some cases, devastating holes in an organization’s physical security.
One of the most important steps in the initial phases of a physical penetration test is gathering as much open source intelligence as possible on the target company. This critically includes gathering pictures and aerial imagery, available from sites like Google Maps and Bing. This can provide insight into ingress/egress points, security camera placement and even more detailed information, such as potential badging system technology (which we will cover in depth below).
Additionally, in real world scenarios, sites like Facebook, Instagram and Linkedin provide information like high-quality employee badge photos, which can be useful for replication and assimilating within the environment during subsequent phases of testing.
The passive reconnaissance phase lays the groundwork and helps develop avenues of approach for entry into the target building.
Figure 1: Employee Badges on Social Media
Next, it’s imperative to conduct on-site reconnaissance to confirm findings from the passive research phase and develop new strategies for potential access. These include identifying locking mechanisms on doors and observing the site’s security controls, which may include roving security patrols, cameras not identified during passive reconnaissance, and man-trap or anti-tailgating mechanisms.
Figure 2: Commonly Employed Anti-Tailgating Mechanism
During this phase of active reconnaissance, it’s important not to draw suspicion, so avoid lingering on premises and, where possible, take pictures from a vehicle. Inspecting locking mechanisms and badging technology on foot should be done outside of normal company operating hours and only after a pattern of life for any security personnel has been established.
Assessing all doors and locking mechanisms during reconnaissance helps tailor the attack to the specific circumstances.
Badging technology readers and cards can leverage low (125 kHz) or high (13.56 MHz) frequencies. Legacy low-frequency technology is susceptible to badge cloning due to lack of encryption and authentication of badge data. Publicly available cloning tools such as the proxmark3 and long range readers provide easy access for attackers to take advantage of this dated technology.
Figure 3: Proxmark3 RFID Card Reader
With a long-range reader, a potential intruder needs to be within just 12-18 inches to surreptitiously read the unencrypted data unique to an individual card. The proxmark3 can then fully replicate this data onto a new card, giving an attacker unauthorized access to company facilities. This scenario plays out time and time again, as employees frequently carry badges on lanyards and expose them outside secured areas.
Attackers can also bypass locking mechanisms and enter a building through forced entry. Although this sort of entry presents greater risk to the intruder, it typically requires no interaction with employees, and outside normal operating hours the attacker can use door bypass tools such as a sparrow mini jim or an under the door tool (UDT).
Figure 4: Under the Door Tool (UDT)
Other options include canned air, which, if sprayed at a Request to Exit (REX) sensor (typically found on the interior ceiling of sliding glass doors) can simulate an employee exiting, triggering the sensor and opening the doors.
If surreptitious entry and badge cloning aren’t feasible, another effective tactic involves targeting employees and tailgating them through ingress/egress points devoid of mantraps.
Figure 5: Tailgating an Employee’s Valid Access Badge
Early morning, lunch and end of day are typically great opportunities to tailgate, as employees are often in a rush and not as likely to question someone using their access to enter a building. Again, it’s important to identify the badge layout during initial recon; this helps the intruder assimilate with the environment by creating a badge that, although it may not contain valid data, will still deflect suspicion while on premises.
Lastly, the commonly used pretexting technique involves direct interaction with employees of a target company to gain unauthorized access. Pretexting leverages information gained during reconnaissance to either pose as a known contractor (such as an ISP), a utility worker or some other known affiliated third party. Coupled with strategic knowledge of the target facility, duping a front-desk employee to gain unauthorized (and sometimes unrestricted) access to a building under the pretext of a work order can have grave consequences, as we’ve seen in many real-world attacks. Since pretexting requires face-to-face social engineering in order to trick an employee into granting access, an unsuccessful attempt can raise suspicion. It’s therefore regarded as a tertiary means of entry; still, it’s a necessary element of the physical pen test because employees remain the most glaring weakness in many organizations’ security posture.
The next phase of a physical penetration test is arguably the most important.
If access is gained after hours, simply searching employee desks (unless the organization has a closely followed clean-desk policy) will often yield personally identifiable information (PII) at the least, and in some cases bank account information or customer data. Weak or absent shred policies are also a gold mine for intruders. Facilities typically should have secured containers for shred bags and loose paper but often these are left desk-side, allowing for triage of potentially sensitive data. Finally, it isn’t uncommon for employees to store paper with logon credentials around their desk, allowing attackers access to the internal network and resources.
Figure 6: Unattended Desk - Sensitive Information
The risk of an attacker accessing internal network resources is one of the primary reasons physical security should be a core component of a company’s information security strategy. If, by means of the tactics described above, an intruder can gain internal access to the network, the organization’s crown jewels are threatened. If a company doesn’t have properly implemented network access control (NAC), an unknown device can be assigned an IP address on the internal network, where it will be free to sniff traffic and move laterally in search of useful information.
Figure 7: Internal Network - Ethernet Access
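The paragraph above notes that, without NAC, an unknown device plugged into a wall jack simply receives a lease. One cheap detective control is to compare DHCP server logs against the asset inventory. The script below is an added example (not Optiv's tooling); the log lines and the asset list are constructed, and the ISC dhcpd "DHCPACK on IP to MAC (host) via iface" syslog format is the assumed input.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample lines in ISC dhcpd syslog format (not from a real network).
SAMPLE_LOG = """\
Mar  3 07:12:44 dhcp1 dhcpd[1234]: DHCPACK on 10.0.5.23 to 3c:52:82:aa:bb:cc (LAPTOP-0421) via eth0
Mar  3 07:13:10 dhcp1 dhcpd[1234]: DHCPACK on 10.0.5.24 to 00:1b:63:11:22:33 (PRINTER-2F) via eth0
Mar  3 07:41:02 dhcp1 dhcpd[1234]: DHCPACK on 10.0.5.77 to b8:27:eb:de:ad:01 via eth0
Mar  3 07:41:05 dhcp1 dhcpd[1234]: DHCPREQUEST for 10.0.5.77 from b8:27:eb:de:ad:01 via eth0
"""

# Constructed asset inventory (MAC -> description). In practice this comes from the CMDB or NAC.
KNOWN_ASSETS: Dict[str, str] = {
    "3c:52:82:aa:bb:cc": "corporate laptop",
    "00:1b:63:11:22:33": "floor-2 printer",
}

# Only DHCPACK lines matter: that is the point at which the device actually holds an address.
ACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"to (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)

class RogueLease(NamedTuple):
    ts: str
    ip: str
    mac: str
    host: str
    iface: str

def find_rogue_leases(log_text: str, known: Dict[str, str]) -> List[RogueLease]:
    """Return every granted lease whose client MAC is absent from the asset inventory."""
    known_norm = {m.lower() for m in known}      # inventories mix upper/lower case MACs
    rogues: List[RogueLease] = []
    for line in log_text.splitlines():
        m: Optional[re.Match] = ACK_RE.search(line)
        if not m:
            continue                              # DISCOVER/REQUEST/etc. grant nothing
        mac = m["mac"].lower()
        if mac not in known_norm:
            host = m["host"] or "<no hostname>"   # many drop devices send no hostname
            rogues.append(RogueLease(m["ts"], m["ip"], mac, host, m["iface"]))
    return rogues

if __name__ == "__main__":
    for r in find_rogue_leases(SAMPLE_LOG, KNOWN_ASSETS):
        print(f"{r.ts} unknown device {r.mac} ({r.host}) leased {r.ip} on {r.iface}")
```

Feeding real dhcpd logs and the real inventory turns this into a scheduled alert on exactly the event the text describes: an unregistered device obtaining an internal address.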
Or worse – the attacker may now have the ability to essentially cripple a company’s infrastructure. Additionally, setting up external command and control (C2) in the form of a drop device or payload lets an intruder maintain a presence on the network after exiting a facility. Successfully establishing C2 can leave a company in a breached state for weeks or even months after an initial physical compromise.
Many of the techniques described here are deployed in real world scenarios every day. Information security is no longer a uniquely cyber concern; physical threats can lead to a crippling breach of organizational information and resources. It’s imperative physical security shortfalls be at the forefront of a company’s implemented strategies to strengthen their security posture.
Copyright © 2022 Optiv Security Inc. All rights reserved.