The physical side of information security


When you think of information security, it can be easy to think only about online technology and the threat posed by remote hackers. But information security doesn’t just happen online; there’s a physical aspect as well.

If a malicious threat actor could gain access to your physical workstations, server rooms or data centres then they could potentially gain access to your company crown jewels, the sensitive information and assets that your company relies on to operate.

How could an attacker gain physical entry to your organisation?

There are many ways an attacker can gain entry to sensitive areas of your organisation and the techniques used often rely on human fallibility, the helpful nature of staff and good old-fashioned deception. Below are just a few of the techniques you need to be aware of:

Get staff to take you in, well a USB anyway

USB drops are an easy way to attempt to gain access to a physical site. A USB stick laden with malware, such as a keylogger, can be strategically dropped near a target site, somewhere it is likely to be found by an unsuspecting member of staff, taken inside and plugged into a company workstation.

The USB may be labelled with something relevant/interesting such as ‘finance team’ or ‘accounts’, further encouraging the member of staff to act.

If successful, attackers can then monitor activity, looking for vital information such as credentials, which will allow them to attempt further access to the company network.

Impersonate suppliers

Suppliers can often have access to company sites. Just think about your cleaners, building maintenance, vending machine engineers, even sandwich suppliers.

By monitoring a location over several days, potential attackers can start to identify suppliers and patterns in their activity. With a target identified, an attacker can then obtain a suitable uniform, create a plausible backstory and attempt to gain entry. If security is lax, and the story plausible enough, gaining access can be relatively easy. It’s amazing how far a hi-vis vest can get you.

Warshipping

It’s not uncommon to have multiple parcels delivered to a site on any one day, and deliveries can range from office supplies right through to employees’ personal Amazon or ASOS orders. But parcels may be delivering more than you think: they can also be delivering an attack device.

Warshipping is one of the latest attack techniques and consists of a small, single-board computer being placed, or hidden, within a legitimate-looking parcel or item (such as a corporate gift). Once inside the desired location, this device can be controlled remotely to perform a range of attacks, such as scanning and cracking wi-fi networks, conducting passive wi-fi attacks or even launching an evil twin network attack.

These devices can be built for less than £100 and attackers will often try to take advantage of popular delivery periods, such as Black Friday sales, to ensure their malicious package gets through.

Exposing flaws within front of house procedures and physical security measures

Many companies use physical barriers to restrict access to buildings and visitors usually have to go through a robust process in terms of registration before they are allowed to enter a site. But no matter how robust your procedures, there can be flaws, flaws which attackers can look to exploit.

For example, an attacker may test your front of house procedures, pretending to have a meeting with a member of staff that they know to be offsite on that day. Front of house would usually call up to the relevant department and on hearing that the person is not in, may try to arrange for another member of the team to come down to see the visitor. With a convincing story, this could be an attacker’s entry point.

When it comes to physical security measures, attackers may try to bypass these by tailgating an employee entering legitimately or may take advantage of an event/situation taking place, such as a fire alarm or conference, entering under false pretenses. 

Taking advantage of human kindness

Helpful staff can be an easy route in, and front of house staff are often a prime target, with attackers attempting to coerce them into performing an action that will lead to a compromise of information.

For example, an attacker’s goal may be to get front of house staff to plug in a USB loaded with malware.

To do this, an attacker could pretend to be attending an interview at a company next door, explaining that their CV has been ruined by a passing car going through a puddle. The attacker, wet from the faked splash, may ask front of house staff to help them out and print off a fresh copy from a USB stick, all in the hope that the well-intentioned member of staff will feel sorry for them and oblige.

Physical entry is often just the starting point

As you can see, attackers with the motivation, resources, time and skills can use a variety of techniques to obtain access to physical locations; no site is impenetrable. But gaining entry may only be the starting point.

Once inside, the goal will often be to breach system defenses, establish a foothold on the network and use this to develop a wider attack chain over time. Remember, it’s not just about how an attacker can get in, but also what they can achieve if they do get in.

Physical security and digital information security are therefore intrinsically linked, and both need to be considered to provide effective protection. But what kind of initial measures should you be considering?

Train staff on dangers and tighten procedures

Staff can be your weakest security link, but they can also be your strongest first line of defense.

Ongoing training is essential and it’s important that staff understand the techniques attackers may use, the dangers the company faces and the potential consequences of a successful breach.

Employees should feel empowered when it comes to security and should feel able to flag suspicious activity, as well as challenge unknown people/visitors on the premises. A culture of blame is counterproductive, and any suggestion of blame associated with an incident will ultimately damage security improvement efforts.

Processes, especially those around external visitors, should also be a part of this ongoing training and whilst there is always the possibility of error, the more you practice and test processes the tighter they become.

Prevent, or limit, USB use

As we have shown, USBs can be used in various ways by attackers and are often the weapon of choice when it comes to attempting an initial network breach following a successful physical breach of a location.

This can be combated, or limited, by restricting or even preventing USB usage, either through anti-virus software or BIOS settings. By doing so, you greatly reduce the risk of an attacker entering a physical site and successfully plugging a USB loaded with malware into workstations and laptops.
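
Where USB storage cannot be blocked outright, attach events can still be monitored. The following is an added example, not part of the original article: it assumes a Linux workstation and scans kernel log lines for USB mass-storage attachments, flagging any drive that is not on an allowlist of company-issued devices. The log lines, the allowlist and the function names are constructed for illustration.

```python
import re

# Constructed kernel log lines in Linux dmesg format (sample data, not from the article).
SAMPLE_LOG = """\
[ 8121.401] usb 1-2: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
[ 8121.402] usb 1-2: Product: Cruzer Blade
[ 8121.403] usb 1-2: SerialNumber: EXAMPLE0001
[ 8121.410] usb-storage 1-2:1.0: USB Mass Storage device detected
[ 9300.100] usb 1-4: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
[ 9300.101] usb 1-4: Product: Flash Disk
[ 9300.102] usb 1-4: SerialNumber: EXAMPLE9999
[ 9300.110] usb-storage 1-4:1.0: USB Mass Storage device detected
[ 9400.000] usb 1-3: New USB device found, idVendor=046d, idProduct=c077, bcdDevice=72.00
[ 9400.001] usb 1-3: Product: USB Optical Mouse
"""

# Hypothetical allowlist of company-issued drives: (vendor id, product id, serial).
ALLOWED = {("0781", "5567", "EXAMPLE0001")}

FOUND = re.compile(r"usb (\S+): New USB device found, idVendor=(\w{4}), idProduct=(\w{4})")
FIELD = re.compile(r"usb (\S+): (Product|SerialNumber): (.+)")
STORAGE = re.compile(r"usb-storage (\S+?):\d+\.\d+: USB Mass Storage device detected")


def blank(port, vendor="?", product_id="?"):
    """Empty device record; '?' marks identifiers that were never seen in the log."""
    return {"port": port, "vendor": vendor, "product_id": product_id,
            "Product": "", "SerialNumber": ""}


def unauthorised_storage(log, allowed):
    """Return a record for every mass-storage attach that is not on the allowlist."""
    devices, alerts = {}, []
    for line in log.splitlines():
        if m := FOUND.search(line):
            # A fresh enumeration on a port replaces whatever was plugged in before.
            devices[m[1]] = blank(m[1], m[2].lower(), m[3].lower())
        elif (m := FIELD.search(line)) and m[1] in devices:
            devices[m[1]][m[2]] = m[3].strip()
        elif m := STORAGE.search(line):
            # Alert even if the enumeration lines were lost (e.g. log rotation).
            dev = devices.get(m[1], blank(m[1]))
            if (dev["vendor"], dev["product_id"], dev["SerialNumber"]) not in allowed:
                alerts.append(dev)
    return alerts


if __name__ == "__main__":
    for d in unauthorised_storage(SAMPLE_LOG, ALLOWED):
        print(f"ALERT port={d['port']} id={d['vendor']}:{d['product_id']} "
              f"name={d['Product']!r} serial={d['SerialNumber']!r}")
```

A drive with no serial number never matches the allowlist, so it is reported rather than silently accepted; non-storage devices such as the mouse in the sample are ignored.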

Strengthen wi-fi network protection

Wi-fi networks often extend beyond the physical boundaries of a site and can be an easy target for attackers with specialist devices. To prevent this, you need to ensure you are using strong passwords on each of your wi-fi networks and consider the use of multifactor authentication and virtual private networks on your most sensitive networks.

Tighten privilege levels

When it comes to critical assets, both digital and physical, access should only be granted to those that really need it. Does the front of house need access to financial data or critical intellectual property? Does marketing need access to IT systems? The answer should be no.

Privilege levels can often go years without review, and the more information an employee has access to, the more dangerous the situation if their account were to be breached. By keeping close control over permission levels, you restrict what a member of staff, and ultimately an attacker, can gain access to, reducing the likelihood of sensitive information falling into the wrong hands.

Segregate your networks

A flat network can be an attacker’s dream and any breach could provide them with easy access to sensitive data, without the need to jump between networks. By segregating your network, you isolate and protect your most important assets more effectively, making the job of the attacker much more difficult and increasing the chances of their activity being discovered.

Employ multifactor authentication

Requiring two-factor authentication to access sensitive documents also makes life much more difficult for a potential attacker and would certainly slow down their efforts in reaching your crown jewels if they were able to access your internal infrastructure.

The more sensitive the data, the more authentication factors you may want to consider, and it’s not uncommon for companies to employ three or even four factor authentication when it comes to extremely critical information.

Tailor your security measures to the risks you face

Not all of the above may apply to your company and any security measures implemented should be tailored to your circumstances. It’s important to identify the risks you face, your weaknesses, your most important assets and then build effective protections around them.

Think of your defenses like a castle. If an attacker was to get through one set of defenses there should be another set waiting for them. This is called defence in depth and the more effective defences you have in place throughout the business, the more difficult you make it for attackers to gain access.

Put your defenses to the test

Employing defensive measures is essential, but how do you know if they are truly effective? You need to test them, both in isolation and as part of a real-life attack simulation.

Having your security work tested can seem like a daunting prospect and it can be easy to think that it’s going to belittle or ridicule your security efforts. But that’s not the case. Security testing, such as penetration testing and red teaming, is here to support your efforts, ensuring that your business is as protected as it can be and allowing you to make informed decisions about your next steps.
