Your facilities are most likely vulnerable to a physical intrusion. This is not an indictment of any organization’s security program. If intruders have enough time and are motivated, they most likely can break into a building, even one that has security measures in place. Nonetheless, it is important to identify physical vulnerabilities before they lead to an intrusion, especially those that could lead to a compromise of your crown jewels.

I know firsthand how attackers may leverage weaknesses to break inside their target. My team, X-Force Red, is a team of hackers. We specialize in applying our hacker mindset and tools to emulate attackers and find companies’ physical and digital vulnerabilities. On various testing engagements, I have slipped past door staff by cloning badges or donning disguises. I have tricked employees into holding doors open and giving me access to conference rooms (it’s amazing what a box of donuts can do).

While the physical weaknesses of an organization vary, they tend to fall into similar buckets based on the environment. Dense urban versus rural locations, shared versus dedicated buildings, large versus small workforce and guarded versus unguarded entry points are factors that can impact an organization’s exposure level.

Register for Red Con 2021

Gaining Access

Attackers’ strategies vary, although they oftentimes begin the same way. Most will conduct online, public data searches of the target followed by some degree of on-site reconnaissance (‘casing the joint’).

Depending on what they discover, their goal and the time involved, attackers may then execute social engineering attacks during business hours and/or physical intrusion attempts after hours. Under some pretext, an attacker may be able to enter your premises in the middle of the business day without being stopped. Perhaps they can blend in with a small group and sneak through the front door. Maybe they discover that smokers use a back entrance for breaks, which then enables them to use a portable device to ‘sniff’ and clone a radio-frequency identification badge or sneak back in with an employee returning to work. They may discover which third-party contractors a company uses and pose as one of their employees. Or they may bypass locks to break in at night.

Once inside, if no one stops them, the attackers can move around freely, accessing sensitive systems and stealing information at their leisure. They may insert USB drives into workstations or plant a rogue device onto a network. Other attacks may include USB drops containing malware or phishing and vishing attempts, all of which could result in a compromise under the right conditions.

Preventing Unauthorized Access

So, how can companies build and maintain a strong physical security program? One step is to conduct regular security awareness training to ensure employees follow proper processes and adhere to policies. Implementing strong access and other controls can also be beneficial, although too often these controls are presumed adequate and remain untested. It is important to test your operational and physical security to both validate that the controls and processes perform as expected and to uncover and fix vulnerabilities before attackers can find them. After all, implementing a security program is only one-half of the equation. Putting it to the test where you can ensure you are gaining the most bang for your buck is the other half.

If you are interested in watching a demonstration of the tools used to unlock doors and get inside facilities (legally, of course), register to attend the second annual virtual Red Con 2021. On Sept. 29, IBM X-Force Red’s team of hackers, researchers and responders will present research-focused and topical talks related to attack tools, cloud vulnerabilities, physical break-ins and more.

Register here

More from Risk Management

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Worms of Wisdom: How WannaCry Shapes Cybersecurity Today

WannaCry wasn't a particularly complex or innovative ransomware attack. What made it unique, however, was its rapid spread. Using the EternalBlue exploit, malware could quickly move from device to device, leveraging a flaw in the Microsoft Windows Server Message Block (SMB) protocol. As a result, when the WannaCry "ransomworm" hit networks in 2017, it expanded to wreak havoc on high-profile systems worldwide. While the discovery of a "kill switch" in the code blunted the spread of the attack and newly…

Why Operational Technology Security Cannot Be Avoided

Operational technology (OT) includes any hardware and software that directly monitors and controls industrial equipment and all its assets, processes and events to detect or initiate a change. Yet despite occupying a critical role in a large number of essential industries, OT security is also uniquely vulnerable to attack. From power grids to nuclear plants, attacks on OT systems have caused devastating work interruptions and physical damage in industries across the globe. In fact, cyberattacks with OT targets have substantially…

Resilient Companies Have a Disaster Recovery Plan

Historically, disaster recovery (DR) planning focused on protection against unlikely events such as fires, floods and natural disasters. Some companies mistakenly view DR as an insurance policy for which the likelihood of a claim is low. With the current financial and economic pressures, cutting or underfunding DR planning is a tempting prospect for many organizations. That impulse could be costly. Unfortunately, many companies have adopted newer technology delivery models without DR in mind, such as Cloud Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS)…