Physical Security: Defending Your Realm
Frequently, the importance and value of effective physical security defences is under-appreciated by business. Your attackers will not only seek to steal your data by launching an attack from 'Cyber Space'; they could cause far more damage by gaining unauthorised access to your places of work (e.g. office premises, or your employees' home offices).
Why invest all that time and effort breaking in through your web applications or perimeter firewalls, if they can simply walk in off the street and attack you from within, using a $30 device purchased from the internet, or brazenly walk out (over the lunch hour) with half a dozen mobile devices (e.g. laptops, tablets, smartphones, etc.)?
A social engineered attack is only limited by the attacker's imagination and confidence. If you don't think this is a real risk, think again. It has been reported that more than 1 in 10 data breaches now involve “physical actions”, which include leveraging physical devices to aid an attack and breaking into hardware, as well as remote attacks on physical infrastructure.
As a child, we are often told stories that involve elements of social engineering (e.g. Snow White (poisoned apple), Red Riding Hood (Wolf masquerading as Grandma), Pinocchio (Fox & Cat), Chitty Chitty Bang Bang (Child Catcher), etc.).
However, as adults, we forget the risks presented by physical security attacks, and businesses fail to remind their employees of the inherent dangers of social engineering, focusing their efforts primarily on defending themselves against 'Cyber Space' attacks.
If an organisation has invested a great deal of money in implementing physical security defences, wouldn't it be wise to ensure that the human element interacting with these defences is not undermining that physical infrastructure, contrary to its design?
Remember, if it is convenient for your employees, it is even more convenient for your opportunist attackers!
Why go through the front door, when you can access through the 'convenient' side access (perhaps tagging onto the smokers' break times)?
Once inside the confines of a building or site perimeter, everyone tends to be treated as a 'friendly', so it is highly unlikely that you will be challenged by anyone (whether you are visibly wearing an identification badge or not!). Consequently, breaching the physical perimeter is priority no.1 for your attackers, enabling them to move laterally within your business and to identify potential internal areas of interest.
Your attackers will use every means available to them to gain unauthorised physical access to your inner sanctums, and being able to project an air of authority and credibility becomes an essential part of a successful attack. As an organisation, we gift them the opportunity to succeed by providing them with a wealth of freely available information. During your attacker's planning and preparation, they will dedicate a great deal of time and effort to carrying out reconnaissance of your company, so that they can build an intelligence picture to support their cover stories.
Based upon the open source information available to them (corporate websites, social media, etc.), they will then identify those employees who will lend the greatest plausibility and credibility to their cover stories.
Armed with this intelligence, they will then attempt to gain access to your establishment. Consequently, you need to ensure that you have effective physical layers in place that become progressively more difficult to defeat as the attacker peels back each layer. Think of your physical security infrastructure as the layers of an onion, with your most valuable assets lying at the heart of the onion.
Within the PCI DSS integrated controls framework, there is a requirement to ensure that appropriate physical access controls are in place. Failure to apply appropriate physical access restrictions can have a detrimental impact on other PCI DSS controls and increase the risk of a data breach, or network compromise.
1.1.2 - Current network diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks.
1.2.3 - Install perimeter firewalls between all wireless networks and the cardholder data environment.
2.1.1 - For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings.
11.1 - Quarterly wireless checks for rogue devices.
During your quarterly checks, you confirm that all of these controls are in place and effective - Tick. One week later, your attacker uses social engineering to circumvent your physical security measures and manages to install a clandestine rogue wireless device, such as a WiFi Pineapple, and your network/data is compromised.
Despite all your efforts to ensure that the aforementioned controls were being adhered to, you were still not compliant at the time of the compromise/breach, and all because your physical security measures were not appropriate. And you are responsible for ensuring that the physical security measures are appropriate.
What is deemed to be appropriate?
You may have had all the required physical security infrastructure in place, but it had succumbed to the failings of the 'Human Factor': one or more of your employees had fallen for the guile of your attacker. This could have been the result of a direct interaction between your employee and the attacker, or even the consequence of an indirect action, where the employee had failed to protect their electronic automated access control system (EAACS) proximity card whilst in a public place, and the attacker had taken the opportunity to clone the card, allowing them unchallenged access throughout your establishment.
It is evident that physical security and cyber/information security have a strong dependency on each other. Consequently, it is essential that you carry out independent checks of the effectiveness of your physical layers of defence, through the eyes of an attacker, so that you can identify the potential opportunities for circumventing each layer. You should score your physical security measures, based upon which layer they support.
Heart of the Onion
Security rating of the Containers X Security rating of the locks.
Security rating of the room X Security rating of the access controls (e.g. Doors, Windows, Frames, etc.) X Security rating of the locking mechanism.
Security rating of the building X Security rating of the access control measures.
Security rating of the control of entry to building/area/site X security rating of the visitor control process.
Security rating of the patrols X Security rating of the intruder detection system (IDS).
Security rating of the access control X Security rating of the CCTV system.
Security rating of the perimeter fence X Security rating of the gates.
Security rating of the patrols X Security rating of the perimeter intruder detection system (PIDS).
Security rating of the CCTV system.
Security rating of the lighting.
Next, ensure that all your employees receive periodic security awareness training, to remind them of the dangers of social engineering and of the importance physical security plays in protecting the organisation's sensitive data and operations.
Finally, currently PCI DSS does not mandate periodic physical security (social engineering) testing. However, I would recommend that you consider the benefits of incorporating this into your annual penetration testing regime to help to ensure that you are testing your networks, applications and human aspects of your security defences.
As you may now appreciate, the appropriateness of your physical security measures is an essential component of any organisation's cyber/information security strategy, and it needs to be effectively implemented, tested and managed to ensure that your critical business assets are not vulnerable to opportunist attackers who seek to exploit weaknesses in the architectural design or the user experience.
Much like cyber/information security, the appropriateness of your physical security measures requires a combination of Technology (secure rooms, locks, half-pedestal barriers, security doors, etc.), People (authorised and approved access) and Process (not undermining the effectiveness of the technologies, e.g. by allowing tailgating, sharing access passes, etc.).
Wouldn't YOU prefer to find out that your physical security measures remain appropriate, before your attacker identifies this for you?
Imagine the impact of discovering that your expected operational requirements for your CCTV/IDS did not deliver what you needed or that your EAACS had been installed incorrectly, so that armed with just a cross-head screwdriver an attacker could bypass the locking mechanism, just by removing the mounting plate for the electro-magnetic lock.