Recently I visited a customer site for an on-site penetration test of a different color. This client informed me upon arrival that they wanted me to do my best to get onto their network with my laptop from inside the facility, without being blocked or observed by their technical network controls. They were interested to know how effective their physical network intrusion controls were at detecting unknown devices.
They showed me to a cubicle with a phone and a computer and left me to it. On my first attempt, I tried “the easy way,” by just unplugging the computer and plugging in my laptop. This effort was shut down immediately—the power to the outlets I was using even went off. I was impressed.
My second attempt, which succeeded, took significantly more time and expertise. It involved disconnecting the computer and noting that the phone did not turn off. I was then able to connect my laptop with the computer, discover the computer’s MAC address and then “spoofed” it to connect to the network via my laptop without triggering a shutdown of the port. A few more steps and I had an IP address on my laptop and could communicate with other systems on the network.
Normally when Pivot Point Security does penetration testing we run a vulnerability assessment and then try various exploits against the different vulnerabilities we uncover. Physical security doesn’t really enter into it.
But if a cyber criminal is able to sit down inside your facility and start jacking things into your network, they have a huge leg up versus trying to break into systems with just software. This just-announced hack for stealing login credentials from a locked PC or Mac is just one example of the many attack vectors available. (There were plenty of “toys” back at the office that would’ve made it much easier to get onto our client’s network, had I known in advance to bring them.)
It’s axiomatic in InfoSec that if you don’t have robust physical security, technical controls are of little value. What good are firewalls and intrusion detection systems if an intruder can jack straight into your network and take a crack at your databases? Never mind simply walking off with laptops or media. Yet physical security often takes a back seat in terms of mindshare and resources to technical countermeasures.
Every facility is different in terms of the physical controls that might be needed. (“Open” lobbies guarded by busy/distracted receptionists are still a common problem, for instance.) But nearly every organization can improve its physical security through security awareness training.
Do you know who is in your environment right now? If employees encountered suspicious behavior, would they feel empowered to challenge the person, or quickly find someone else to do so? Basic awareness and knowing what to do are vital first steps in keeping your data physically secure.
To discuss security awareness training, physical security controls and any other aspects of your information security posture, contact Pivot Point Security.