September 15, 2021 By Shawn Pearcy 3 min read

Your facilities are most likely vulnerable to a physical intrusion. This is not an indictment of any organization’s security program. If intruders have enough time and are motivated, they most likely can break into a building, even one that has security measures in place. Nonetheless, it is important to identify physical vulnerabilities before they lead to an intrusion, especially those that could lead to a compromise of your crown jewels.

I know firsthand how attackers may leverage weaknesses to break inside their target. My team, X-Force Red, is a team of hackers. We specialize in applying our hacker mindset and tools to emulate attackers and find companies’ physical and digital vulnerabilities. On various testing engagements, I have slipped past door staff by cloning badges or donning disguises. I have tricked employees into holding doors open and giving me access to conference rooms (it’s amazing what a box of donuts can do).

While the physical weaknesses of an organization vary, they tend to fall into similar buckets based on the environment. Dense urban versus rural locations, shared versus dedicated buildings, large versus small workforce and guarded versus unguarded entry points are factors that can impact an organization’s exposure level.

Gaining Access

Attackers’ strategies vary, although they oftentimes begin the same way. Most will conduct online, public data searches of the target followed by some degree of on-site reconnaissance (‘casing the joint’).

Depending on what they discover, their goal and the time involved, attackers may then execute social engineering attacks during business hours and/or physical intrusion attempts after hours. Under some pretext, an attacker may be able to enter your premises in the middle of the business day without being stopped. Perhaps they can blend in with a small group and sneak through the front door. Maybe they discover that smokers use a back entrance for breaks, which then enables them to use a portable device to ‘sniff’ and clone a radio-frequency identification badge or sneak back in with an employee returning to work. They may discover which third-party contractors a company uses and pose as one of their employees. Or they may bypass locks to break in at night.

Once inside, if no one stops them, the attackers can move around freely, accessing sensitive systems and stealing information at their leisure. They may insert USB drives into workstations or plant a rogue device on a network. Other attacks may include USB drops containing malware, or phishing and vishing attempts, all of which could result in a compromise under the right conditions.

Preventing Unauthorized Access

So, how can companies build and maintain a strong physical security program? One step is to conduct regular security awareness training to ensure employees follow proper processes and adhere to policies. Implementing strong access and other controls can also be beneficial, although too often these controls are presumed adequate and remain untested. It is important to test your operational and physical security, both to validate that the controls and processes perform as expected and to uncover and fix vulnerabilities before attackers can find them. After all, implementing a security program is only one-half of the equation. Putting it to the test, so you can ensure you are getting the most bang for your buck, is the other half.

If you are interested in watching a demonstration of the tools used to unlock doors and get inside facilities (legally, of course), register to attend the second annual virtual Red Con 2021. On Sept. 29, IBM X-Force Red’s team of hackers, researchers and responders will present research-focused and topical talks related to attack tools, cloud vulnerabilities, physical break-ins and more.
