Last week I stumbled across a rather interesting set of videos on YouTube by a presenter called Deviant Ollam (https://www.youtube.com/results?search_query=deviant+ollam+physical+security). Deviant Ollam is a physical security penetration tester in the US and runs a company doing just that: trying to gain access to places he shouldn’t. We’re not talking black hat breaking in activity here but we are talking about white hat: doing these things paid for by the client to test their physical security.
What I found watching some of these videos was startling. Yes, some of the content is a little bit US-centric and perhaps doesn’t apply to the UK, however, it really got me thinking about a question. As IT, we spend all this time and money investing in information security, event logging, event monitoring, alerting, and more. If the physical security of our premises, however, is so easily bypassed, are we just making it too easy for would-be attackers?
Test and then test again
Before we get into the crux of this article below, stop for a minute. Go and watch some of the YouTube videos we provided the link to above and then go for a walk. Go for a walk around your office, both inside and outside, and think differently.
Don’t think about it like an employee would but think about it with an attacker mindset. What looks like it could be weak, something that you could exploit to gain an advantage?
The typical office physical security
You might be thinking that physical security is not a problem because employees use laptops and take them home each day, so there’s no information to be had, but let’s think about a few scenarios that are slightly more of a curve ball.
Access control systems
Who installed and owns the access control system? I’ll bet that it’s Facilities or some department other than IT. Is that department held to the same level of accountability as IT over their security? People will assume that a building is secure because you use HID cards for entry control, but the videos by Deviant prove that these aren’t as secure as we’d be led to believe.
Is the access control system linked to any kind of monitoring system? What happens if a motion sensor gets tripped at an odd time of day or what happens if a door gets opened without a corresponding ID card event on the reader linked to that door?
IT will probably have spent great amounts of time and money investing in Security Information and Event Management (SIEM) tools such as Azure Sentinel, so why not incorporate information from the physical security side into that same system?
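As an added example (not code from the original post or from any access control vendor), the checks described above can be expressed as a small correlation rule over the door and badge events before they are forwarded to the SIEM. The CSV event format, the door identifiers and the 10-second badge-to-open window are assumptions made for this illustration.

```python
# Added example: flag doors that open without a matching card read, and motion
# sensor activity outside working hours, from a constructed access control feed.
from datetime import datetime, timedelta, time

# Constructed sample feed, one event per line:
# ISO timestamp, door id, event type (badge/open/motion), detail (card holder or zone)
SAMPLE_LOG = """\
2023-06-12T08:55:10,door-1,badge,alice
2023-06-12T08:55:12,door-1,open,
2023-06-12T13:02:40,door-1,open,
2023-06-12T22:41:05,door-3,motion,server-room
2023-06-12T22:41:30,door-3,badge,bob
2023-06-12T22:41:33,door-3,open,
"""

BADGE_WINDOW = timedelta(seconds=10)          # assumed: open must follow a badge read within 10s
WORK_START, WORK_END = time(7, 0), time(20, 0)  # assumed working hours for the motion rule

def parse(log):
    """Turn the raw feed into (timestamp, door, kind, detail) tuples in time order."""
    events = []
    for line in log.strip().splitlines():
        ts, door, kind, detail = line.split(",", 3)
        events.append((datetime.fromisoformat(ts), door, kind, detail))
    return sorted(events)

def find_anomalies(log):
    """Return a list of (timestamp, door, reason) events worth raising to the SIEM."""
    last_badge = {}   # door id -> time of the most recent card read on that reader
    alerts = []
    for ts, door, kind, detail in parse(log):
        if kind == "badge":
            last_badge[door] = ts
        elif kind == "open":
            badged = last_badge.get(door)
            # A door opening with no recent card read on its reader is the
            # "door opened without a corresponding ID card event" case.
            if badged is None or ts - badged > BADGE_WINDOW:
                alerts.append((ts, door, "door opened without a preceding badge read"))
        elif kind == "motion" and not WORK_START <= ts.time() <= WORK_END:
            alerts.append((ts, door, f"after-hours motion in {detail}"))
    return alerts

if __name__ == "__main__":
    for ts, door, reason in find_anomalies(SAMPLE_LOG):
        print(f"{ts.isoformat()} {door}: {reason}")
```

On the sample feed this reports the 13:02 opening of door-1 (no badge read beforehand) and the 22:41 motion in the server room, while the two badged openings pass silently.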
Monitoring screens
How many organisations in IT use monitoring screens that show information like service health and uptime, the number of incidents logged, or the calls in the queue on a Service Desk?
Yes, you use that system for those purposes but what else could it be used for? Is that machine configured to auto-logon using a saved username and password that’s a domain user account and could then be used to access information on the network?
Keyboards and keyloggers
It’s true that most employees these days use laptops that they take home but when they come to the office do they use a docking station? Does that docking station have a USB keyboard attached to it that isn’t taken home each night?
How would you know that, overnight, someone hasn’t walked into the building and installed a keylogger inside every one of those keyboards? The next morning everyone returns to work and starts typing their usernames and passwords to log on via the keyboard and docking station, and the passwords are all being captured or even sent in real time to an attacker.
Network printers
How often do you check your network printers and I mean really check them with a visual walk around and physical inspection? Probably never or only when it breaks. One quick Google search shows that by someone connecting a simple Ethernet Hub behind your printer, they could be spanning and cloning the RAW print traffic between the print server and printer, saving it to an SD Card or streaming it over WiFi, and then re-printing copies of your sensitive corporate data.
Network ports
Do you use 802.1X, Network Access Control (NAC), or any other kind of network security? If someone can bypass the building physical security what is there to stop them from simply connecting a laptop to the network with an Ethernet cable?
People in IT always talk about firewall rules and perimeter security on the network, but what happens if someone has just walked in through the front door? They’ve bypassed that perimeter security and are essentially sitting in the living room with their feet up on your sofa.
MFA bypass
It’s reasonably commonplace to see organisations use rules in Azure AD Conditional Access that omit the requirement for multi-factor authentication (MFA) when the user is working from a known location, such as the IP address of the office.
Forcing users to use MFA when they are in the office can be seen as onerous on the end-users, and oftentimes we deem that if someone is inside the building and using our Internet connection then they are trustworthy. We’ve just shown that this isn’t always the case: if there is no MFA requirement for this person now that they are inside the building, all they need is to phish or keylog the credential of a user and they can access whatever they like as a real, authenticated user.
Fixing the physical security
Arcible isn’t a physical security company so we aren’t here to sell a service or ourselves to fix the issues for you, however, we can help you to use technology to work in tandem with physical security.
If we’ve scared you into thinking perhaps we should look at how these network printers are configured or maybe we need to consider how we can ensure that malicious USB devices aren’t being installed then that’s where we can help you.
You can use our Consulting services at Arcible to help review how your information security and your physical security can work together, hand in hand. Got an access control system already but want to see how you could integrate it with your SIEM or other security services? We build solutions out of our Consulting services, such as our Security and Identity service, to cater for these kinds of things.
Contact us for more information and to see if we can help you spot where your physical security is letting you down.