You should be
With all the focus on IT security, businesses sometimes forget that not every security breach involves technology. In fact, some of the most successful security breaches don’t involve computers at all.
Throughout our security testing we’ve discovered that many businesses have completely ignored physical security and wouldn’t even notice if someone walked out the door with all of their critical information.
The other side of physical security
Ask an IT person think about physical security they’ll probably say something about camera systems and key card locks. Ask others in the business and you might get comments about security guards and traffic bollards.
All of these things are components of physical security and can be effective if used properly. But almost everyone overlooks the most important component of physical security. No one ever replies with “training.”
Which is unfortunate, because training is the only effective protection against many physical security breaches.
Social engineering
The majority of successful physical breaches are based on social engineering, which can basically be thought of as “people hacking.”
Attackers might be attempting to gain access to install key loggers or similar software on office computers with a thumb drive, or they might try to walk out with disks or paperwork that contains sensitive information. In either case they’re have to get past people, not firewalls.
Social engineering attacks can be as simple as timing their entry into a building with employees to get someone to hold the door open for them since they don’t have a key card.
Even an attacker coming in through the front door can just smile, nod, and act like they belong and they can easily gain entry to critical areas. No one gives someone dressed like a repairman a second look when they walk through the front door and maybe not even later on when they see them strolling out of a filing room with a box in tow.
It’s not about creating paranoia
Well trained and experienced gatekeepers (receptionists, security guards, etc) should already be asking good questions that can de-fang many social engineering attacks. In most cases these are just normal gatekeeper questions that aren’t specific to physical security.
“You’re here to repair a copier? Let me tell our IT Manager you’re here.”
Simply having a policy requires visitors to be initially met and escorted by an employee can help to prevent breaches through the front door.
But what if someone is already in the building?
Instead of focusing on creating paranoia, encourage your employees to be helpful and ask questions. Most people actually consider it to be polite when you introduce yourself and ask about what they’re up to today.
At worst, you’ll figure out the person isn’t supposed to be there. At best, you’ll make a new friend or business contact.
It also helps to have a central contact for reporting suspicious behavior. That might be the security desk if your business has guards. Employees need to have a clear idea of who they need to contact if they see something abnormal.
Again, this doesn’t have to be uncomfortable or overly paranoid. It could be as simple as “Hey Bob, I saw a salesperson wandering around over by the finance group. You might send someone over to help them.”
The most important component in creating this type of culture is to keep talking about security. Regularly remind employees that “We have stuff here that other people might want and we need to protect.” Make sure they know what to do if they encounter something or someone that seems out of place.
Keeping physical security top of mind will be as good an investment as all the firewalls and anti-virus software you purchased
Social Engineering Engagement
Similar to technical assessments, Rhino Security Labs utilizes a structured series of steps in social engineering campaigns for structured, repeatable assessments. This step-by-step format ensures consistency in key areas, while providing flexibility in the specific pretext and scenarios created. This customization helps ensure a successful, effective engagement.
While less well-known than email or phone social engineering, Rhino Security’s on-site assessments utilize specialized security professionals to perform engagements in person. Specific techniques include ‘baiting’ the area with infected USB drives, tailgaiting employees through locked doors, and creating fake company badges to gain access to sensitive areas.