September 15, 2021 By Shawn Pearcy 3 min read

Your facilities are most likely vulnerable to a physical intrusion. This is not an indictment of any organization’s security program. If intruders have enough time and are motivated, they most likely can break into a building, even one that has security measures in place. Nonetheless, it is important to identify physical vulnerabilities before they lead to an intrusion, especially those that could lead to a compromise of your crown jewels.

I know firsthand how attackers leverage weaknesses to break into their target. My team, X-Force Red, is a team of hackers. We specialize in applying our hacker mindset and tools to emulate attackers and find companies’ physical and digital vulnerabilities. On various testing engagements, I have slipped past door staff by cloning badges or donning disguises. I have tricked employees into holding doors open and giving me access to conference rooms (it’s amazing what a box of donuts can do).

While the physical weaknesses of an organization vary, they tend to fall into similar buckets based on the environment. Dense urban versus rural locations, shared versus dedicated buildings, large versus small workforce and guarded versus unguarded entry points are factors that can impact an organization’s exposure level.


Gaining Access

Attackers’ strategies vary, although they often begin the same way. Most will conduct open-source research on the target using public online data, followed by some degree of on-site reconnaissance (‘casing the joint’).

Depending on what they discover, their goal and the time involved, attackers may then execute social engineering attacks during business hours and/or physical intrusion attempts after hours. Under some pretext, an attacker may be able to enter your premises in the middle of the business day without being stopped. Perhaps they can blend in with a small group and sneak through the front door. Maybe they discover that smokers use a back entrance for breaks, which then enables them to use a portable device to ‘sniff’ and clone a radio-frequency identification badge or sneak back in with an employee returning to work. They may discover which third-party contractors a company uses and pose as one of their employees. Or they may bypass locks to break in at night.
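Why badge cloning works is easier to see with the actual bits. The following is an added example, not code from the original article or from X-Force Red: it decodes and re-encodes the classic 26-bit Wiegand frame (the HID H10301 layout) that a legacy 125 kHz proximity badge emits and a reader forwards to the door controller. The frame carries only an 8-bit facility code, a 16-bit card number and two parity bits, with no secret and no challenge-response, so a sniffer that captures the 26 bits once can replay them on a blank card. The facility code and card number below are constructed test values. Newer credential formats (encrypted smart cards such as DESFire or iCLASS SE) do not share this weakness, which is exactly the kind of control an on-site test should confirm is actually deployed.

```python
"""26-bit Wiegand (H10301) decode/encode: shows that a legacy prox badge is a
static identifier, so capturing it is equivalent to cloning it.  Added
example with constructed values; not from the original article."""


def decode_wiegand26(bits: str) -> dict:
    """Parse a 26-character '0'/'1' string into facility code and card number.

    Layout (bit 0 is transmitted first):
      bit 0      even parity over bits 1..12
      bits 1..8  facility code (8 bits)
      bits 9..24 card number (16 bits)
      bit 25     odd parity over bits 13..24
    """
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 binary digits")
    b = [int(c) for c in bits]
    # Bits 0..12 (parity bit included) must contain an even number of ones.
    if sum(b[0:13]) % 2 != 0:
        raise ValueError("leading even-parity check failed")
    # Bits 13..25 (parity bit included) must contain an odd number of ones.
    if sum(b[13:26]) % 2 != 1:
        raise ValueError("trailing odd-parity check failed")
    return {
        "facility_code": int(bits[1:9], 2),
        "card_number": int(bits[9:25], 2),
    }


def encode_wiegand26(facility_code: int, card_number: int) -> str:
    """Build the 26-bit frame a reader would send for this credential."""
    if not 0 <= facility_code < 256 or not 0 <= card_number < 65536:
        raise ValueError("facility code is 8 bits, card number is 16 bits")
    payload = f"{facility_code:08b}{card_number:016b}"  # 24 data bits
    lead, trail = payload[:12], payload[12:]
    p_even = str(lead.count("1") % 2)         # makes bits 0..12 even
    p_odd = str((trail.count("1") + 1) % 2)   # makes bits 13..25 odd
    return p_even + payload + p_odd


def clone_is_exact(captured_frame: str) -> bool:
    """A sniffed frame decodes to two integers that re-encode to the very same
    bits: nothing in the credential is unique to the original card."""
    fields = decode_wiegand26(captured_frame)
    return encode_wiegand26(**fields) == captured_frame


if __name__ == "__main__":
    # Constructed badge: facility 123, card 45678 (not a real credential).
    frame = encode_wiegand26(123, 45678)
    print(frame, decode_wiegand26(frame), clone_is_exact(frame))
```

The parity checks are the only integrity the format offers; they catch a single corrupted bit on the wire, not a forged card. That distinction is the practical takeaway: if the badge population is still on an open format like this, a "strong" reader does nothing, because the reader is faithfully reporting a value anyone can reproduce.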

Once inside, if no one stops them, the attackers can move around freely, accessing sensitive systems and stealing information at their leisure. They may insert USB drives into workstations or plant a rogue device onto a network. Other attacks may include USB drops containing malware or phishing and vishing attempts, all of which could result in a compromise under the right conditions.

Preventing Unauthorized Access

So, how can companies build and maintain a strong physical security program? One step is to conduct regular security awareness training to ensure employees follow proper processes and adhere to policies. Implementing strong access controls and other safeguards can also be beneficial, although too often these controls are presumed adequate and remain untested. It is important to test your operational and physical security both to validate that the controls and processes perform as expected and to uncover and fix vulnerabilities before attackers can find them. After all, implementing a security program is only one half of the equation. Putting it to the test, so you can confirm you are getting the most bang for your buck, is the other half.

If you are interested in watching a demonstration of the tools used to unlock doors and get inside facilities (legally, of course), register to attend the second annual virtual Red Con 2021. On Sept. 29, IBM X-Force Red’s team of hackers, researchers and responders will present research-focused and topical talks related to attack tools, cloud vulnerabilities, physical break-ins and more.
