Physical Security Assessments – A Pillar of Information Security

September 17, 2020

Often overlooked in a company's information security strategy are the threats posed by weaknesses in its physical security posture. Countless companies fail to bridge cyber and physical threats, and well-versed attackers leverage this gap to gain unauthorized access to facilities and take control of systems and data that may otherwise have been well protected in the cyber realm. To stay one step ahead, it's important to get inside the mind of a would-be attacker and identify the exploitable, and in some cases devastating, holes in an organization's physical security.

Reconnaissance

One of the most important steps in the initial phase of a physical penetration test is gathering as much open source intelligence as possible on the target company. This critically includes gathering photographs and aerial imagery, available from sites like Google Maps and Bing. Imagery provides insight into ingress/egress points, security camera placement and even more detailed information, such as the badging technology likely in use (which we cover in depth below). Additionally, in real-world scenarios, sites like Facebook, Instagram and LinkedIn yield information such as high-quality photos of employee badges, which can be used to replicate a badge and blend into the environment during later phases of testing. The passive reconnaissance phase lays the groundwork and develops avenues of approach for entry into the target building.

Figure 1: Employee Badges on Social Media

Next, it's imperative to conduct on-site reconnaissance to confirm findings from the passive research phase and develop new strategies for potential access.
These include identifying the locking mechanisms on doors and observing the site's security controls, which may include roving security patrols, cameras not identified during passive reconnaissance, and mantrap or anti-tailgating mechanisms.

Figure 2: Commonly Employed Anti-Tailgating Mechanism

During this phase of active reconnaissance it's important not to draw suspicion, so avoid lingering on the premises and take pictures from a vehicle where possible. Inspecting locking mechanisms and badge readers on foot should be done outside normal company operating hours and only after a pattern of life for any security personnel has been established.

Methods of Entry

Assessing all doors and locking mechanisms during reconnaissance helps tailor the attack to the specific circumstances. Badge readers and cards operate at low (125 kHz) or high (13.56 MHz) frequencies. Legacy low-frequency technology is susceptible to badge cloning because the badge data is neither encrypted nor authenticated: the card simply broadcasts a fixed identifier that the reader accepts at face value. Publicly available tools such as the Proxmark3 and long-range readers make it easy for attackers to take advantage of this dated technology.

Figure 3: Proxmark3 RFID Card Reader

With a long-range reader, a potential intruder need only be within 12-18 inches of the badge to surreptitiously read the unencrypted data unique to that card. The Proxmark3 can then write an exact copy of that data onto a blank card, giving the attacker a credential the access control system cannot distinguish from the original. This scenario plays out time and again because employees routinely wear their badges on lanyards and expose them outside secured areas.

Attackers can also bypass locking mechanisms entirely and enter a building through forced entry. Although this sort of entry presents greater risk to the intruder, it typically requires no interaction with employees, and outside normal operating hours the attacker can use door bypass tools such as a Sparrows Mini Jim or an under-the-door tool (UDT).
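To make concrete why the low-frequency badge discussed above clones so easily, here is an added example (not code from the original post or from Optiv) that implements the 26-bit Wiegand layout, HID's open H10301 format, that a typical 125 kHz proximity card carries, and mimics a door controller's decision. The Proxmark3 deals with the radio layer (modulation and framing); the security property lives in the payload it recovers, which is modelled here. The facility code 42, card number 12345 and the door's access list are constructed values, not data from any real deployment.

```python
"""
Why a 125 kHz proximity badge clones so easily.

Added example for this post (not code from the original article or from Optiv).
It implements the 26-bit Wiegand layout, HID's open H10301 format, that a typical
low-frequency badge carries, and mimics a door controller's decision. Layout,
most significant bit first:

    bit 26      even parity over the following 12 bits
    bits 25-18  8-bit facility code
    bits 17-2   16-bit card number
    bit 1       odd parity over the preceding 12 bits

The facility code, card number and access list below are constructed values.
"""


def _ones(value: int) -> int:
    """Number of set bits in value."""
    return bin(value).count("1")


def encode_h10301(facility_code: int, card_number: int) -> int:
    """Return the 26-bit credential as the reader sees it after demodulation."""
    if not 0 <= facility_code <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card_number <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    data = (facility_code << 16) | card_number          # the 24 payload bits
    high12, low12 = data >> 12, data & 0xFFF
    even = _ones(high12) & 1              # 1 iff high12 has an odd count -> total even
    odd = (_ones(low12) & 1) ^ 1          # 1 iff low12 has an even count -> total odd
    return (even << 25) | (data << 1) | odd


def decode_h10301(bits: int):
    """Return (facility_code, card_number), or None if a parity bit is wrong.

    Parity is the only integrity check the format offers: there is no secret
    on the card and no challenge from the reader, so any device replaying the
    same 26 bits is accepted exactly like the genuine badge.
    """
    if bits < 0 or bits >> 26:
        return None
    data = (bits >> 1) & 0xFFFFFF
    even_bit, odd_bit = (bits >> 25) & 1, bits & 1
    if (_ones(data >> 12) & 1) != even_bit:
        return None
    if ((_ones(data & 0xFFF) & 1) ^ 1) != odd_bit:
        return None
    return data >> 16, data & 0xFFFF


def reader_decision(access_list, presented_bits: int) -> str:
    """Mimic a door controller: check parity, then look the static ID up in an ACL."""
    ident = decode_h10301(presented_bits)
    if ident is None:
        return "reject: malformed"
    return "grant" if ident in access_list else "deny"


def clone(captured_bits: int) -> int:
    """A Proxmark3-style clone: the captured bits are written unchanged to a blank card."""
    return captured_bits


def demo() -> dict:
    """Walk through harvest -> clone -> present, returning each door decision."""
    employee_badge = encode_h10301(42, 12345)                 # constructed credential
    door_acl = {(42, 12345), (42, 12346)}                     # constructed door ACL
    harvested = clone(employee_badge)                         # read off a lanyard at 12-18 in
    return {
        "payload_hex": f"{employee_badge:07x}",               # the 26 payload bits, as hex
        "original": reader_decision(door_acl, employee_badge),
        "clone": reader_decision(door_acl, harvested),
        "wrong_facility": reader_decision(door_acl, encode_h10301(43, 12345)),
        "bit_flip": reader_decision(door_acl, employee_badge ^ (1 << 20)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>15}: {result}")
```

The only check the controller performs is the parity test in `decode_h10301` and a set lookup; nothing in it depends on something the genuine card alone knows, which is exactly why the clone and the original receive the same "grant". A corrupted read fails parity and is rejected, so the format does catch accidental errors, but not a deliberate replay. Credentials on the 13.56 MHz side close this gap only when they actually use mutual authentication between card and reader, rather than simply emitting a serial number at a higher frequency.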
Figure 4: Under the Door Tool (UDT)

Other options include canned air which, when sprayed at a Request to Exit (REX) sensor (typically mounted on the interior ceiling above sliding glass doors), can simulate an employee exiting, tripping the sensor and opening the doors.

If surreptitious entry and badge cloning aren't feasible, another effective tactic is to target employees and tailgate them through ingress/egress points that lack mantraps.

Figure 5: Tailgating an Employee's Valid Access Badge

Early morning, lunchtime and end of day are typically good opportunities to tailgate, as employees are often in a rush and less likely to question someone following them into a building on their access. Again, it's important to identify the badge layout during initial recon: this lets the intruder blend into the environment by carrying a badge that, although it may not contain valid data, still deflects suspicion while on premises.

Lastly, the commonly used pretexting technique involves direct interaction with employees of the target company to gain unauthorized access. Pretexting leverages information gained during reconnaissance to pose as a known contractor (such as the ISP), a utility worker or some other affiliated third party. Coupled with strategic knowledge of the target facility, duping a front-desk employee into granting unauthorized (and sometimes unrestricted) access to a building under the pretext of a work order can have grave consequences, as we've seen in many real-world attacks. Because pretexting requires face-to-face social engineering to trick an employee into granting access, an unsuccessful attempt can raise suspicion. It's therefore regarded as a tertiary means of entry; still, it's a necessary element of the physical pen test, because employees remain the most glaring weakness in many organizations' security posture.

Post-Exploitation

The next phase of a physical penetration test is arguably the most important.
If access is gained after hours, simply searching employee desks (unless the organization has a closely followed clean-desk policy) will often yield personally identifiable information (PII) at the least, and in some cases bank account information or customer data. Weak or absent shred policies are also a gold mine for intruders. Facilities should have secured containers for shred bags and loose paper, but these are often left desk-side, allowing an intruder to triage potentially sensitive data. Finally, it isn't uncommon for employees to keep logon credentials written on paper around their desks, handing the attacker access to the internal network and its resources.

Figure 6: Unattended Desk - Sensitive Information

The risk of an attacker reaching internal network resources is one of the primary reasons physical security should be a core component of a company's information security strategy. If, by means of the tactics described above, an intruder can connect to the internal network, the organization's crown jewels are threatened. If a company hasn't properly implemented network access control (NAC), an unknown device plugged into an open Ethernet port is simply assigned an IP address on the internal network, where it is free to sniff traffic and move laterally in search of useful information.

Figure 7: Internal Network - Ethernet Access

Or worse, the attacker may now be able to cripple the company's infrastructure outright. Additionally, establishing external command and control (C2), in the form of a drop device or a payload left on an internal host, lets an intruder maintain a presence on the network after leaving the facility. Successfully established C2 can leave a company in a breached state for weeks or even months after the initial physical compromise.

Conclusion

Many of the techniques described here are deployed in real-world scenarios every day. Information security is no longer a uniquely cyber concern; physical threats can lead to a crippling breach of organizational information and resources.
It's imperative that physical security shortfalls be at the forefront of a company's strategy to strengthen its security posture.

By: Aaron Martin, Security Consultant | Optiv

Aaron Martin is a security consultant in Optiv's Advisory Services practice on the attack and penetration (A&P) team. Aaron's role is to provide consulting to Optiv's clients with expertise in penetration testing. He is an experienced information systems security practitioner who specializes in penetration testing, computer network exploitation and computer network defense.

Tags: Threat, Breach and Attack Simulation, PII, social engineering, Penetration Testing, Red Team, Security Assessment