Your facilities are most likely vulnerable to a physical intrusion. This is not an indictment of any organization’s security program. If intruders have enough time and are motivated, they most likely can break into a building, even one that has security measures in place. Nonetheless, it is important to identify physical vulnerabilities before they lead to an intrusion, especially those that could lead to a compromise of your crown jewels.

I know firsthand how attackers may leverage weaknesses to break inside their target. My team, X-Force Red, is a team of hackers. We specialize in applying our hacker mindset and tools to emulate attackers and find companies’ physical and digital vulnerabilities. On various testing engagements, I have slipped past door staff by cloning badges or donning disguises. I have tricked employees into holding doors open and giving me access to conference rooms (it’s amazing what a box of donuts can do).

While the physical weaknesses of an organization vary, they tend to fall into similar buckets based on the environment. Dense urban versus rural locations, shared versus dedicated buildings, large versus small workforce and guarded versus unguarded entry points are factors that can impact an organization’s exposure level.

Register for Red Con 2021

Gaining Access

Attackers’ strategies vary, although they oftentimes begin the same way. Most will conduct online, public data searches of the target followed by some degree of on-site reconnaissance (‘casing the joint’).

Depending on what they discover, their goal and the time involved, attackers may then execute social engineering attacks during business hours and/or physical intrusion attempts after hours. Under some pretext, an attacker may be able to enter your premises in the middle of the business day without being stopped. Perhaps they can blend in with a small group and sneak through the front door. Maybe they discover that smokers use a back entrance for breaks, which then enables them to use a portable device to ‘sniff’ and clone a radio-frequency identification badge or sneak back in with an employee returning to work. They may discover which third-party contractors a company uses and pose as one of their employees. Or they may bypass locks to break in at night.

Once inside, if no one stops them, the attackers can move around freely, accessing sensitive systems and stealing information at their leisure. They may insert USB drives into workstations or plant a rogue device onto a network. Other attacks may include USB drops containing malware or phishing and vishing attempts, all of which could result in a compromise under the right conditions.

Preventing Unauthorized Access

So, how can companies build and maintain a strong physical security program? One step is to conduct regular security awareness training to ensure employees follow proper processes and adhere to policies. Implementing strong access and other controls can also be beneficial, although too often these controls are presumed adequate and remain untested. It is important to test your operational and physical security to both validate that the controls and processes perform as expected and to uncover and fix vulnerabilities before attackers can find them. After all, implementing a security program is only one-half of the equation. Putting it to the test where you can ensure you are gaining the most bang for your buck is the other half.

If you are interested in watching a demonstration of the tools used to unlock doors and get inside facilities (legally, of course), register to attend the second annual virtual Red Con 2021. On Sept. 29, IBM X-Force Red’s team of hackers, researchers and responders will present research-focused and topical talks related to attack tools, cloud vulnerabilities, physical break-ins and more.

Register here

More from Risk Management

Remote Employees: Update Your Routers (and More WFH IT Tips)

As a business owner or manager, you must ensure your employees have the right tools and resources to do their jobs well — especially with more people working from home. And IT infrastructure is one of the most important considerations regarding remote work.However, the truth is that most employees don’t think about their IT infrastructure until something goes wrong. In many cases, this can leave an employee stranded and unable to complete their tasks. In a worst-case scenario, this reactionary…

The Role of Human Resources in Cybersecurity

The human resources (HR) department is an integral part of an organization. They work with all departments with a wider reach than even IT. As a highly visible department, HR can support and improve an organization’s security posture through employee training. Their access to employees at the start of employment is an opportunity to lay a foundation for a culture of risk awareness. HR departments do not typically include cybersecurity risk awareness training with new hire onboarding, but it’s something…

New Attack Targets Online Customer Service Channels

An unknown attacker group is targeting customer service agents at gambling and gaming companies with a new malware effort. Known as IceBreaker, the code is capable of stealing passwords and cookies, exfiltrating files, taking screenshots and running custom VBS scripts. While these are fairly standard functions, what sets IceBreaker apart is its infection vector. Malicious actors are leveraging the helpful nature of customer service agents to deliver their payload and drive the infection process. Here’s a look at how IceBreaker…

Cybersecurity 101: What is Attack Surface Management?

There were over 4,100 publicly disclosed data breaches in 2022, exposing about 22 billion records. Criminals can use stolen data for identity theft, financial fraud or to launch ransomware attacks. While these threats loom large on the horizon, attack surface management (ASM) seeks to combat them. ASM is a cybersecurity approach that continuously monitors an organization’s IT infrastructure to identify and remediate potential points of attack. Here’s how it can give your organization an edge. Understanding Attack Surface Management Here…