Companies spend millions of dollars protecting their data with firewalls, antivirus, spam filters, web content filters, multi-factor authentication, and so on. But what about physical security?
Most companies will have a badge system to grant employees access to the facility. Main entrances will have a receptionist or sometimes a security guard to check in visitors and to stop unknown people from entering. Security cameras will be present around the building. What happens when an unauthorized person can bypass the front lines of physical security?
Do your employees leave their computers unlocked?
Figure 1 – Example of Leaving Your Computer Unlocked (Don’t Do This Unless You Want a New Cialis Prescription)
What about leaving sensitive paperwork out on the desk?
Figure 2 – Example of Too Many Sensitive Documents Left Unattended (in a Very Organized Manner)
Will your employees challenge someone they do not recognize? While security awareness training can be useful, it seems that most employees feel like it’s not their job to stop and question an unknown person. If this person is past the badge system, security guards, and receptionists, they must belong here . . . right?
I was once on a physical penetration test where I had been in the building for a couple hours, long enough that I passed the same security guard so many times that we were on a first-name basis and had full conversations. At that point, according to him, I did belong there, even though he had never seen me before that day. Employees would let me walk up to their desk, sit down at their computers, plug in USBs, run scripts, and then walk away. All because the “new IT guy” was tracking down a problem on the network. Security awareness training, in that case, was completely ineffective.
I have also been on several physical penetration tests where I bypassed several layers of security before being stopped and questioned by normal employees. These were just friendly, outgoing employees that wanted to introduce themselves, but became suspicious from my dialog. Security education and awareness win!
Employee training should not be once-and-done; it should be an ongoing, consistent reminder to all employees. It should be fun, so that employees want to participate, and it should be easy for them. Confronting someone goes against human nature, so having one phone number that employees can call, and know to call, can help. I’ve seen corporations that have introduced an award system for their “See Something, Say Something” security program. The program awards employees gift cards or some other reward for pointing out security violations.
At TrustedSec, we conduct security education and awareness training sessions for clients that prefer to have it performed by a third-party company. We try to keep it fun yet shocking to employees. Some of my favorite training sessions are where I have performed a physical or social engineering test for a company first, and then I am able to incorporate some of their real data and pictures into the training. This shows the employees how important the training and awareness really are, because yes, it can happen to them also.
In Part Two, the continuation of this blog, I will discuss physical security controls and how they are typically misconfigured. This can ultimately lead to attackers and unauthorized personnel accessing buildings, rooms, equipment, and employees. I will also discuss the safety of employees and how corporate data is at risk, as well as how security education and awareness really is every employee’s duty!
Author: Paul Koblitz
Paul Koblitz is a Senior Security Consultant for TrustedSec. His expertise in physical and social engineering security has been honed over the years by using every opportunity possible to further develop his craft. It is not uncommon for Paul to be shopping and ask to talk to a store manager about how their security could be better by different camera placements. Paul recently assumed the role of Team Lead for TrustedSec’s Incident Response team. This job entails managing 3 other employees and heading the Incident Response practice. Paul also has extensive networking experience having worked for several years as a desktop support technician, a NOC operator, a head end engineer, and a network engineer in the US Navy and for a local cable company.