Imagine that you’ve been tasked to secure a server storing restricted information. Some of the tools you will use might include: AI-powered endpoint protection solution, Next-Generation Firewall, network segregation, privileged accounts, MFA etc. Voila! It’s now secure.
You go home happy with a sense of accomplishment only to discover the next morning that someone walked in to the office and took out the drive with that precious data (which may trigger heavy financial losses) and walked away… Brutal!
Else, it can be the same person walking in to the office (delivery person or contractor) and connecting to the corporate network (someone should have a password written down somewhere) to get access to confidential information. Seems like a utopia?
Maybe, but not for Sony Pictures who were “forced to disable their corporate network after attackers calling themselves the GOP (Guardians of Peace) hijacked employee workstations” after the group was able to get physical access to internal network at Sony, according to CSO Online.
Believe it or not, physical safety measures are often overlooked when the organization considers cyber security. Under the assumption that cyber threats come from the digital highway of cyberspace, companies prefer to focus on managing the technological controls rather than covering all areas of security.
This post will help to consider the importance of physical security threats that are often overlooked and measures to address those.
Let’s start from the bottom line!
Why does physical security matter?
Some people might not remember that, but from the early days (before the days of interconnected devices and systems), physical security was the primary way to secure an organization’s assets. Companies used physical locks and high fences for protection against unauthorized access.
However, with the technological advancements, new ways to gain unauthorized access to an organization’s assets were developed. With this in mind, many organizations have forgone the importance of physical measures and have shifted focus to technological ones.
Although physical security and cyber security can be considered as completely separate practices, their core purpose is the same: protect data, assets, ensure safety reliability and safeguard reputation. To achieve these goals, it is essential to ensure that an effective risk assessment is carried out for the industry the business operates in.
It is not a surprise that nowadays cyber attacks pose a threat to every type of organization. The methods of attacks evolve every day making them difficult to detect and mitigate.
At the same time, technology is not the only defense when it comes to cyber security. In many cases, physical security depends heavily on cyber security controls.
In fact, it has been proven that these two security practices go hand-in-hand.
Utilization of physical security systems and practices in isolation significantly increases the risk of being breached. Especially when the sophistication of hackers and their ability to penetrate environments without physical access increases that rapidly.
Here’s an example of how cyber and physical security converge:
In 2018, Nest security products (home alarms, cameras and thermostats) became unavailable to users for a few hours. For instance, users were unable to control such features as arm/disarm or lock/unlock raising questions about the integration of physical and logical security means.
In many cases when an attacker is not able to access their target through cyber means, they revert to physically accessing key systems through the use of removable media, or by directly bypassing physical security controls.
What are the most common physical security threats (tools and tactics)?
Believe it or not, there are many examples of physical access control systems being compromized, allowing unauthorized entry to an organization’s network. Here’s a simple one: tailgating.
Tailgating can be as easy as wearing uniform and providing fake identification to bypass physical controls. It may sound surprising: at high traffic times employees tend to leave the office door open when someone is behind them, allowing them to “tail gate”.
Basically, it may be enough for the external person to wear some identification badge around their neck to blend among strangers without a notice. In most cases, attackers wear even a blank badge and pretend to scan it while in fact they are just “piggybacking” behind the authorized workers.
What does this mean?
Poorly managed physical security can result in a notable cyber security risk. And here is why: physical access is often all that is required to gain access to the IT infrastructure (keeping Sony Pictures case in mind).
It is important to note that once physically accessed, even the most sophisticated cyber security devices have credential reset procedures (typically to provide access in the event when administrators are locked out).
Taking a look at it from a cyber perspective, a breach of a company’s network can provide direct access to the physical security systems such as cameras, door contacts, etc. which are often poorly protected.
A cyber attack can allow for unauthorized access to secure areas by disabling or overriding physical controls. Therefore, the same systems used to secure the company can become an easy entry point for unauthorized access.
But how are these systems accessed in the real world? Here are some of the physical techniques used to compromise an organization’s IT systems:
- Unattended USB drive with a company logo is found and used by a curious employee on company’s devices spreading malware (this technique is called “baiting”).
- A criminal breaks in to an office area or server room and installs malicious software on key systems that captures confidential information.
- Key devices and systems are physically stolen allowing access to sensitive information.
Looking deeper at the root of the problem, in many cases it boils down to human behavior. For instance, passcodes and passcards are often shared for convenience, and other good security practices are ignored in favour of efficiency and/or convenience.
More advanced methods include replicating HID office access badges and posing as an authorized company representative to gain access to secure areas. This is typically combined with a false sense of urgency to coerce security staff to allow access into secure areas.
How can your organization address physical security threats?
While cyber attacks constantly increase, organizations are losing focus on the right approach to managing physical security. An organization can implement all the cyber security tools such as antivirus or firewall, but those will not prevent criminals from kicking down your door (or walking through the front door).
According to BizTech Magazine, physical security is important in managing organization’s network/systems, “especially for small businesses that do not have as many resources as larger firms to devote to security personnel and tools.”
Again, effective cyber security procedures require physical security controls. Although electronic controls alone are important, they may become useless if the device is physically accessed.
You might be wondering: what do I start with?
In our experience, it all starts with Physical Security Policy on an organizational level. This policy will outline current controls in place (high level) for your location(s) and applicable internal physical security procedures. The procedures may include preventing unauthorized personnel from physically damaging and accessing company facility, resource, or stored information assets as well as making those unavailable/inaccessible.
Physical security policy must be communicated to staff, who should acknowledge the importance of the policy and the rules, as well as visitors, who should follow the company security procedures from entering the facility until they exit it.
Below is a list of important physical security controls that can easily be overlooked:
- Windows and door locks;
- Access control systems such as keys or fob/card systems;
- CCTV cameras, door contacts and motion sensors;
- Staffed reception or door entry areas;
- Alarms and fire systems;
- Security Signage.
Unsurprisingly, physical security policy and procedures will vary based on the factors such as the industry the business operates in or the number of staff. However, there are general standards that should accompany the organization.
Using the approach from ISO 27001 standard, we have prepared a few physical security recommendations to help your organization with physical security risks management.
In our experience, it is essential to implement both physical and technical measures while balancing the security tools to address the requirements for prevention, detection and response.
1. Entry into Facility:
- Entry should be controlled by key, card system or other access control method (example: biometrics) and should remain locked (where possible especially outside of business hours);
- Only authorized personnel should have access to company’s secure areas;
- Alarms should be activated during off-hours;
- Visitors should enter a common area during business hours and be accompanied by company employees and have a visible visitor badge throughout the visit;
- Where visitor access is not electronically tracked a visitor log should be recorded and kept up to date. This is typically required as part of a good health and safety as well as security practice.
2. IT Equipment security
All equipment containing company data must be installed in a suitable physical location that:
- Ensures only authorized personnel has access to and performs maintenance on the equipment;
- Records details of any access to the equipment through the use of door contacts, motion sensors or camera systems.
3. Personnel training:
- All authorized employees must be aware of the procedures for entering the secure areas.
- Acceptable use of technology (including physical security) should be part of the onboarding process;
- All staff should be trained on policies and procedures related to escorted and unescorted access, the use of access control systems and general safety practices.
- Regularly review policies and update employees on cyber and physical risks to reinforce the internal awareness.
In many cases, physical security can be as important as cyber security.
At minimum, both need to be considered with a coordinated approach. Lack of physical controls may result in vulnerabilities that can be used by criminals to gain access to critical IT systems and data.
Managing both physical and logical security under one umbrella gives a company a solid foundation to manage its security holistically.