Your facilities are most likely vulnerable to a physical intrusion. This is not an indictment of any organization’s security program. If intruders have enough time and are motivated, they most likely can break into a building, even one that has security measures in place. Nonetheless, it is important to identify physical vulnerabilities before they lead to an intrusion, especially those that could lead to a compromise of your crown jewels.
I know firsthand how attackers may leverage weaknesses to break inside their target. My team, X-Force Red, is a team of hackers. We specialize in applying our hacker mindset and tools to emulate attackers and find companies’ physical and digital vulnerabilities. On various testing engagements, I have slipped past door staff by cloning badges or donning disguises. I have tricked employees into holding doors open and giving me access to conference rooms (it’s amazing what a box of donuts can do).
While the physical weaknesses of an organization vary, they tend to fall into similar buckets based on the environment. Dense urban versus rural locations, shared versus dedicated buildings, large versus small workforce and guarded versus unguarded entry points are factors that can impact an organization’s exposure level.
Gaining Access
Attackers’ strategies vary, although they oftentimes begin the same way. Most will conduct online, public data searches of the target followed by some degree of on-site reconnaissance (‘casing the joint’).
Depending on what they discover, their goal and the time involved, attackers may then execute social engineering attacks during business hours and/or physical intrusion attempts after hours. Under some pretext, an attacker may be able to enter your premises in the middle of the business day without being stopped. Perhaps they can blend in with a small group and sneak through the front door. Maybe they discover that smokers use a back entrance for breaks, which then enables them to use a portable device to ‘sniff’ and clone a radio-frequency identification badge or sneak back in with an employee returning to work. They may discover which third-party contractors a company uses and pose as one of their employees. Or they may bypass locks to break in at night.
Once inside, if no one stops them, the attackers can move around freely, accessing sensitive systems and stealing information at their leisure. They may insert USB drives into workstations or plant a rogue device on a network. Other attacks may include USB drops containing malware, or phishing and vishing attempts, all of which could result in a compromise under the right conditions.
Preventing Unauthorized Access
So, how can companies build and maintain a strong physical security program? One step is to conduct regular security awareness training to ensure employees follow proper processes and adhere to policies. Implementing strong access and other controls can also be beneficial, although too often these controls are presumed adequate and remain untested. It is important to test your operational and physical security, both to validate that the controls and processes perform as expected and to uncover and fix vulnerabilities before attackers can find them. After all, implementing a security program is only one-half of the equation. Putting it to the test, so you can ensure you are getting the most bang for your buck, is the other half.
If you are interested in watching a demonstration of the tools used to unlock doors and get inside facilities (legally, of course), register to attend the second annual virtual Red Con 2021. On Sept. 29, IBM X-Force Red’s team of hackers, researchers and responders will present research-focused and topical talks related to attack tools, cloud vulnerabilities, physical break-ins and more.