Physical Security Assessments – A Pillar of Information Security

Often overlooked in a company’s implemented information security strategies are the threats posed by weaknesses in its physical security posture. Countless companies fail to bridge cyber and physical threats, and well-versed attackers can leverage this gap to gain unauthorized access to facilities, taking control of systems and data that may have otherwise been protected in the cyber realm.


To stay one step ahead, it’s important to get inside the mind of a would-be attacker to identify exploitable, and in some cases, devastating holes in an organization’s physical security.




One of the most important steps in the initial phase of a physical penetration test is gathering as much open source intelligence as possible on the target company. This includes, critically, collecting photographs and aerial imagery, available from sites like Google Maps and Bing. Imagery can reveal ingress/egress points, security camera placement and even finer details, such as the badging system technology in use (which we cover in depth below). Additionally, in real-world scenarios, sites like Facebook, Instagram and LinkedIn yield information such as high-quality photographs of employee badges, which are useful for replicating a badge and blending into the environment during later phases of testing.


The passive reconnaissance phase lays the groundwork and helps develop avenues of approach for entry into the target building.


Figure 1: Employee Badges on Social Media


Next, it’s imperative to conduct on-site reconnaissance to confirm findings from the passive research phase and develop new strategies for potential access. These include identifying locking mechanisms on doors and observing the site’s security controls, which may include roving security patrols, cameras not identified during passive reconnaissance, and man-trap or anti-tailgating mechanisms.


Figure 2: Commonly Employed Anti-Tailgating Mechanism


During this phase of active reconnaissance, it’s important not to draw suspicion, so avoid lingering on the premises and take pictures from a vehicle when possible. Inspecting locking mechanisms and badging technology on foot should be done outside normal company operating hours and only after a pattern of life for on-site security personnel has been established.



Methods of Entry

Assessing all doors and locking mechanisms during reconnaissance helps tailor the attack to the specific circumstances.


Badge readers and cards operate at either low (125 kHz) or high (13.56 MHz) frequencies. Legacy low-frequency technology is susceptible to badge cloning because the badge data is neither encrypted nor authenticated. Publicly available cloning tools such as the Proxmark3 and long-range readers make it easy for attackers to take advantage of this dated technology.


Figure 3: Proxmark3 RFID Card Reader


With a long-range reader, a potential intruder need only be within 12-18 inches to surreptitiously read the unencrypted data unique to an individual card. The Proxmark3 can then fully replicate this data onto a new card, giving an attacker unauthorized access to company facilities. This scenario plays out time and time again, as employees frequently carry badges on lanyards and expose them outside secured areas.
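The reason a static-ID badge can be cloned from a single read, and an authenticated badge cannot, is easiest to see in a small model. The following Python is an added illustration, not code from the post or from any badge vendor: it models a card that emits a fixed identifier (the legacy low-frequency case) beside a card that answers a fresh random challenge with a keyed MAC, and shows that replaying one captured response works against the first reader and fails against the second. All card IDs and keys are constructed values. One caveat the model makes explicit: what defeats the replay is the challenge-response check, not the frequency band; a high-frequency system whose readers only check a card's serial number is just as replayable as the 125 kHz case.

```python
"""Toy model: static-ID badge (replayable) vs challenge-response badge.

Added illustration; not the post's code and not a model of any specific
product. IDs and keys below are constructed for the demo.
"""
import hashlib
import hmac
import secrets


class StaticIdCard:
    """Legacy low-frequency style card: always emits the same bits."""

    def __init__(self, card_id: bytes):
        self.card_id = card_id

    def respond(self, _challenge: bytes) -> bytes:
        # The card ignores the reader entirely; its reply never changes.
        return self.card_id


class ChallengeResponseCard:
    """Card that proves possession of a secret key without revealing it."""

    def __init__(self, card_id: bytes, key: bytes):
        self.card_id = card_id
        self._key = key  # never leaves the card

    def respond(self, challenge: bytes) -> bytes:
        tag = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return self.card_id + tag


class ReplayCard:
    """A clone built from one passively captured card response."""

    def __init__(self, captured: bytes):
        self.captured = captured

    def respond(self, _challenge: bytes) -> bytes:
        return self.captured


class StaticIdReader:
    """Reader that only checks the emitted ID against an allow-list."""

    def __init__(self, allowed_ids):
        self.allowed = set(allowed_ids)

    def authenticate(self, card) -> bool:
        return card.respond(b"") in self.allowed


class ChallengeResponseReader:
    """Reader that issues a fresh nonce and verifies the keyed response."""

    def __init__(self, keys_by_id: dict):
        self.keys = keys_by_id

    def authenticate(self, card) -> bool:
        challenge = secrets.token_bytes(16)  # new nonce on every read
        response = card.respond(challenge)
        card_id, tag = response[:4], response[4:]
        key = self.keys.get(card_id)
        if key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected)


def capture(card, reader_challenge: bytes) -> bytes:
    """What an eavesdropper sees during one legitimate read: the reply."""
    return card.respond(reader_challenge)


def demo() -> dict:
    """Run both technologies against a legitimate card and a replay clone."""
    legit_id = b"\x00\x01\x02\x03"          # constructed badge number
    key = secrets.token_bytes(16)            # constructed per-card secret
    lf_card = StaticIdCard(legit_id)
    hf_card = ChallengeResponseCard(legit_id, key)
    lf_reader = StaticIdReader([legit_id])
    hf_reader = ChallengeResponseReader({legit_id: key})

    # Observe one legitimate transaction for each technology, then clone it.
    lf_clone = ReplayCard(capture(lf_card, b""))
    hf_clone = ReplayCard(capture(hf_card, secrets.token_bytes(16)))

    return {
        "lf_legit": lf_reader.authenticate(lf_card),
        "lf_clone": lf_reader.authenticate(lf_clone),
        "hf_legit": hf_reader.authenticate(hf_card),
        "hf_clone": hf_reader.authenticate(hf_clone),
    }


if __name__ == "__main__":
    print(demo())
```

The `hf_clone` result is false because the reader's nonce differs from the one the clone captured, so the recorded tag no longer verifies; the static reader has nothing to compare against except the ID itself, which is exactly what was captured.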


Attackers can also bypass locking mechanisms and enter a building through forced entry. Although this sort of entry presents greater risk to the intruder, it typically requires no interaction with employees, and outside normal operating hours the attacker can use door bypass tools such as a Sparrows Mini Jim or an under-the-door tool (UDT).


Figure 4: Under the Door Tool (UDT)


Other options include canned air which, when sprayed at a Request to Exit (REX) sensor (typically mounted on the interior ceiling above sliding glass doors), simulates an employee exiting, triggering the sensor and opening the doors.


If surreptitious entry and badge cloning aren’t feasible, another effective tactic is targeting employees and tailgating them through ingress/egress points that lack mantraps.


Figure 5: Tailgating an Employee’s Valid Access Badge


Early morning, lunch and end of day are typically the best opportunities to tailgate, as employees are often in a rush and less likely to question someone using their access to enter a building. Again, it’s important to identify the badge layout during initial recon; this helps the intruder blend into the environment by creating a badge that, although it may not contain valid data, will still deflect suspicion while on the premises.


Lastly, the commonly used pretexting technique involves direct interaction with employees of the target company to gain unauthorized access. Pretexting leverages information gained during reconnaissance to pose as a known contractor (such as an ISP), a utility worker or some other affiliated third party. Coupled with specific knowledge of the target facility, duping a front-desk employee into granting unauthorized (and sometimes unrestricted) access to a building under the pretext of a work order can have grave consequences, as we’ve seen in many real-world attacks. Since pretexting requires face-to-face social engineering to trick an employee into granting access, an unsuccessful attempt can raise suspicion. It’s therefore regarded as a tertiary means of entry; still, it’s a necessary element of a physical pen test because employees remain the most glaring weakness in many organizations’ security posture.




The next phase of a physical penetration test is arguably the most important.


If access is gained after hours, simply searching employee desks (unless the organization has a closely followed clean-desk policy) will often yield personally identifiable information (PII) at the least, and in some cases bank account information or customer data. Weak or absent shred policies are also a gold mine for intruders. Facilities should have secured containers for shred bags and loose paper, but these are often left desk-side, allowing an intruder to triage potentially sensitive data. Finally, it isn’t uncommon for employees to keep logon credentials on paper around their desk, giving attackers access to the internal network and its resources.


Figure 6: Unattended Desk - Sensitive Information


The risk of an attacker accessing internal network resources is one of the primary reasons physical security should be a core component of a company’s information security strategy. If, by means of the tactics described above, an intruder can gain internal access to the network, the organization’s crown jewels are threatened. If a company doesn’t have properly implemented network access control (NAC), an unknown device can be assigned an IP address on the internal network, where it is free to sniff traffic and move laterally in search of useful information.
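The situation the paragraph describes, an unknown device simply being handed an address on the internal LAN, leaves a trace in the DHCP server's own log, and that trace is worth watching even before NAC is in place. The following Python is an added example, not code from the post or from any product: it parses DHCPACK lines in the style of ISC dhcpd's syslog output and reports every leased MAC address that is absent from an asset inventory. The log lines and the inventory are constructed samples; in practice the inventory would come from the organization's CMDB or switch port records, and this check is a detective control that complements 802.1X-style NAC rather than replacing it.

```python
"""Flag DHCP leases handed to MAC addresses not in the asset inventory.

Added example; not the post's code. The log lines and inventory are
constructed samples in the style of ISC dhcpd syslog output.
"""
import re
from typing import Dict, List

# Constructed sample log: four known devices and two that nobody registered.
SAMPLE_LOG = """\
Mar  3 08:02:11 dhcp1 dhcpd: DHCPACK on 10.20.5.31 to 3c:52:82:aa:bb:01 (wkstn-0412) via eth1
Mar  3 08:02:40 dhcp1 dhcpd: DHCPACK on 10.20.5.77 to f0:9f:c2:11:22:33 (ap-lobby) via eth1
Mar  3 08:15:03 dhcp1 dhcpd: DHCPACK on 10.20.5.140 to b8:27:eb:de:ad:01 (raspberrypi) via eth1
Mar  3 08:15:05 dhcp1 dhcpd: DHCPACK on 10.20.5.31 to 3c:52:82:aa:bb:01 (wkstn-0412) via eth1
Mar  3 08:20:19 dhcp1 dhcpd: DHCPACK on 10.20.5.141 to 00:0c:29:44:55:66 via eth1
"""

# Constructed asset inventory: MAC addresses the organization knows it owns.
KNOWN_MACS = {
    "3c:52:82:aa:bb:01",
    "f0:9f:c2:11:22:33",
}

# One DHCPACK line: timestamp, host, "dhcpd:", IP, MAC, optional hostname, interface.
ACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\sdhcpd:\sDHCPACK on (?P<ip>[\d.]+) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)$"
)


def parse_acks(log_text: str) -> List[Dict[str, str]]:
    """Return one dict per DHCPACK line; other lines are ignored."""
    acks = []
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["host"] = rec["host"] or ""  # clients need not send a hostname
            acks.append(rec)
    return acks


def unknown_devices(log_text: str, known_macs) -> List[Dict[str, str]]:
    """Return the first lease seen for each MAC that is not in the inventory."""
    first_seen: Dict[str, Dict[str, str]] = {}
    for ack in parse_acks(log_text):
        mac = ack["mac"].lower()
        if mac not in known_macs and mac not in first_seen:
            first_seen[mac] = ack
    return list(first_seen.values())


if __name__ == "__main__":
    for dev in unknown_devices(SAMPLE_LOG, KNOWN_MACS):
        print(f"{dev['ts']} unknown device {dev['mac']} got {dev['ip']} "
              f"host={dev['host'] or '-'} via {dev['iface']}")
```

Running this over the sample reports the Raspberry Pi-style device and the hostname-less lease; the repeated lease for the known workstation is not reported, and the first lease per unknown MAC is kept so an analyst sees when the device first appeared.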


Figure 7: Internal Network - Ethernet Access


Or worse – the attacker may now be able to cripple a company’s infrastructure outright. Additionally, setting up external command and control (C2) in the form of a drop device or payload lets an intruder maintain a presence on the network after exiting the facility. Successfully established C2 can leave a company in a breached state for weeks or even months after the initial physical compromise.




Many of the techniques described here are used in real-world scenarios every day. Information security is no longer a uniquely cyber concern; physical threats can lead to a crippling breach of organizational information and resources. It’s imperative that physical security shortfalls be at the forefront of a company’s strategy to strengthen its security posture.

Aaron Martin
Security Consultant | Optiv
Aaron Martin is a security consultant in Optiv’s Advisory Services practice on the attack and penetration (A&P) team. Aaron’s role is to provide consulting to Optiv’s clients with expertise in penetration testing. He is an experienced information systems security practitioner who specializes in penetration testing, computer network exploitation and computer network defense.