
Don’t neglect physical security, expert penetration testers say

Sloppy physical security can be a backdoor past robust cyber defenses.

Krblokhin/Getty Images


Innumerable threats may lurk in cyberspace. But sometimes the old-fashioned approach is the one to watch out for.

Expert penetration testers—professionals who go incognito to test the security preparedness of their clients—told IT Brew that sloppy physical security hygiene can undermine digital defenses. That’s particularly important for organizations that handle valuable data or goods.

It is “incredibly easy to break into places whenever it comes to physical security,” John Strand, the owner of Black Hills Information Security, told IT Brew. “Because all you really need to do is develop a proper narrative and proper authority to actually be there.”

Strand and Alethe Denis, a senior security consultant at Bishop Fox and DefCon 27 social engineering Black Badge winner, emphasized that physical security is not just about protecting against intruders but also about insider threats.

Insider threats. Mr. Robot-style antics involving hackers breaking in, slipping past guards, and frantically typing code into a terminal while looking over their shoulders may be the realm of fiction. But, as Strand noted, techniques used by convicted spies often rely on the same kind of physical security gaps exploited by more mundane actors, like college-campus IP thieves.

At many organizations, Strand said, “there is no physical security once you get ingress into a building itself.”

There is a “tremendous underestimation” of the amount of damage that can be caused by a physical breach, Denis said. As with a digital breach, it may take the target a considerable amount of time to realize something went wrong—assuming they do at all.

“If someone were to gain access to a sensitive area, or…drop a USB with some malicious code or scripting on that device, the things may not happen immediately, the results of that attack may not be evident immediately,” Denis told IT Brew. “But they can be devastating, especially to small and medium businesses, which [are] oftentimes very lacking physical security controls, policies, procedures, etc.”


Taking physical security seriously. Outside the defense and intelligence realm, according to Strand, the most secure institutions tend to be investment and legal firms—where reputation around information security is all-important to retaining clients. But sometimes that concern about reputation runs the other way, such as an infamous incident in Iowa where two pen testers were arrested entering an unsecured courthouse at night (charges were later dropped).

“The biggest concern out of that for many law enforcement agencies was how do we actually make sure that this type of test doesn’t happen again; it wasn’t the concern that they were able to easily break into a courthouse and have full access,” Strand told IT Brew.

Denis identified some of the biggest physical security lapses as theft of documents and IP, lost and stolen credentials, and failure to verify if visitors and vendors have authorization to enter employees-only areas. Attempts to overcome physical security during daylight hours while staff are present are more common “than maybe we realize,” Denis said.

Denis emphasized that organizations that handle sensitive data should not allow credential sharing or “circumventing the processes and procedures around physical access,” and they should log physical entry alongside network access. Other basic steps include ensuring physical access cards are returned by fully remote or former employees, applying least-privilege access models for network users, and enabling multi-factor authentication wherever possible.

“These things are not impermeable [or] impenetrable, but they do add an extra layer of protection,” Denis told IT Brew.—TM
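As an added illustration of Denis's recommendation to log physical entry alongside network access (example code written for this page, not from the article or from the firms mentioned), the following Python correlates badge-reader events with on-premises logons and flags sessions that have no matching badge-in for that user, a pattern consistent with tailgating or credential sharing. The log formats, user names and the 5-minute clock-skew tolerance are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample logs (not from the article): badge-reader events and
# on-premises directory logons for the same day.
BADGE_LOG = [
    "2024-03-04T08:02:11 badge-in user=alice door=lobby-east",
    "2024-03-04T08:05:40 badge-in user=bob door=lobby-east",
    "2024-03-04T17:31:02 badge-out user=alice door=lobby-east",
]
NETWORK_LOG = [
    "2024-03-04T08:10:03 logon user=alice src=10.20.4.15 site=hq",
    "2024-03-04T08:12:55 logon user=bob src=10.20.4.22 site=hq",
    "2024-03-04T09:44:17 logon user=carol src=10.20.4.31 site=hq",   # no badge-in at all
    "2024-03-04T07:40:00 logon user=alice src=10.20.4.15 site=hq",   # before her badge-in
    "2024-03-04T13:20:00 logon user=dave src=203.0.113.9 site=vpn",  # remote; not checked
]

def parse(line):
    """Split '<iso-timestamp> <event> k=v k=v ...' into (datetime, event, dict)."""
    ts, event, *fields = line.split()
    return datetime.fromisoformat(ts), event, dict(f.split("=", 1) for f in fields)

def badge_windows(badge_lines):
    """Return {user: [(badge_in, badge_out_or_None), ...]} from badge events."""
    windows, open_entry = {}, {}
    for ts, event, kv in sorted((parse(l) for l in badge_lines), key=lambda e: e[0]):
        user = kv["user"]
        if event == "badge-in":
            open_entry[user] = ts
        elif event == "badge-out" and user in open_entry:
            windows.setdefault(user, []).append((open_entry.pop(user), ts))
    for user, ts in open_entry.items():          # still inside: open-ended window
        windows.setdefault(user, []).append((ts, None))
    return windows

def unbadged_onsite_logons(badge_lines, net_lines, grace=timedelta(minutes=5)):
    """Flag on-site ('site=hq') logons not covered by a badge-in window for that user.
    'grace' tolerates clock skew between the badge controller and the directory."""
    windows = badge_windows(badge_lines)
    flagged = []
    for ts, event, kv in (parse(l) for l in net_lines):
        if event != "logon" or kv.get("site") != "hq":
            continue                              # VPN/remote sessions carry no badge expectation
        covered = any(start - grace <= ts and (end is None or ts <= end + grace)
                      for start, end in windows.get(kv["user"], []))
        if not covered:
            flagged.append((kv["user"], ts.isoformat()))
    return sorted(flagged)

if __name__ == "__main__":
    for user, when in unbadged_onsite_logons(BADGE_LOG, NETWORK_LOG):
        print(f"ALERT: on-site logon without badge-in: {user} at {when}")
```

In a real deployment the two feeds would come from the access-control system and the directory's authentication logs; the correlation logic stays the same.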

