In this day and age, I think most people are concerned with their cyber security more so than physical security. I’m not talking about the government or financial sectors, but the average day-to-day corporation (which is most of them out there).
They have alarm codes at the entrance. RFID swipe cards for building access. Security cameras and motion detectors. Cleaners make sure they lock doors and windows at night and the office manager is sure to be diligent in cancelling all access on the cards of employees who have left. This seems pretty standard, and seems perfectly secure.
The attitude of people is, “If somebody wants to break in, they can”. But you would be subscribing to the idea that you assume your security is ‘good enough’ to stop and deter the average criminal, as opposed to the professional one.
This post is by no means comprehensive. It’s just observations by myself and some knowledge I’ve gained over the years. My recent CISSP study got me thinking about ‘Physical Security’ a bit more. I’ve always been security minded, as most of you readers probably are. But I felt there was no real resource explaining to regular people about some abhorrent weaknesses in common physical security which are actually relevant. Nothing new in here, just some thoughts that people might want to think about when implementing proper security controls in real-world scenarios.
I just threw together a quick list off the top of my head which I thought would be most relevant. I also thought I’d include a couple of real examples of what I’ve done on site, albeit pretty mediocre! I will keep building on to this list when I get time. Keep in mind, these are all simple, common methods. Might seem boring, but the fact that these attacks still work shows that people aren’t listening.
You get what you pay for when you install locks. I’m not skilled enough myself, but we all know people can pick locks. It’s not as easy as some let on (yes I have dabbled in the past). Although someone doesn’t need to be a master locksmith to pick a lock. A lock can also be broken into with a bump key, hammering a screwdriver into the lock, drilling it, or if you are a fan of DIY projects, the old thermal lance from the Anarchist’s Cookbook would see you through it in no time at all.
As I said, it is important not to cut corners on your budget for secure locks. Shop around.
Apart from a lot of locks actually being able to be picked, the biggest issue with them is being able to be jimmied open by strong metal objects. I once was speaking to a local police officer, and he said “Most break and enters are pretty simple, but are so effective and quick that you can’t do much about it”. And he was referring to crowbars. A suitably sized crowbar to a particular door or window could easily get it opened with the right leverage. And depending on the type of entry point, it can be made undetectable.
It’s a simple concept, but it is the easiest for an intruder to use, and I think it gets overlooked. The obvious solution? Pay the extra money and buy doors and windows with security in mind. Make sure they are strong and have steel frames, make sure they have solid deadbolts and ‘Anti Shim’ locks. Make sure the hinges can’t be accessed from outside or the frame can’t be taken off.
[WARNING: I am about to ramble off into a story here]
I was tasked with testing the physical security of a block of offices years ago for a friend’s business (Don’t get any ideas, I don’t work for free…). Most access for the offices could be achieved from the ground floor. It was a two storey block backing onto a carpark and other businesses.
Every window in the building (ground floor and up) was a sliding window. They were metal on the outside frames and the actual locking mechanism was a metal ‘latch’: when the two windows are closed, the latch is moved over to latch onto the other. So separating them is impossible without being able to do it from the inside.
Enter my $30 crowbar from Mitre10. It was roughly 75cm long. Reasonably thick and sturdy, but easily concealed inside a duffel bag or inside a jacket (you might have had to attend the Cronulla riots after the job, I don’t know). All that you had to do was place the flat end of the bar into the crack of the window (the left hand seal, where you would place your hand and pull right to open), then wiggle and force it in for a few seconds. Once you had the bar in as far as it would go, you’d slowly pull back on it, and then forward. You would have to do this pretty hard, but if you didn’t want to leave a trace, it had to be slow. As you pulled back more, the latch on the lock would actually start to bend. Once you hit a certain point, the force you were putting onto it combined with the bend in the latch, would make it slip off the lock and the window would fly open. As the latch was metal, it would bend back into place after this, as it was just for a moment you were applying pressure.
Solution? Steel window frames with real locking mechanisms. Pay the extra money. There are tonnes of providers out there now that do really good security windows and doors for reasonable prices. Use some common sense really… if the lock on the window looks a little small or fragile, then it probably is.
Crowbars are also efficient in opening doors. Same principle. Pop the flat end into the crack of the door (around about where the lock is), and bend it back. Depending on the access you can get, type of door and leverage, it might be able to be popped open. Wooden doors are the worst for this. Make sure your doors are heavy and strong with no way for any foreign object to be wedged between itself and the frame.
Motion detectors are great… provided you place them in the right spot and know how to use them. Going on from the story above about gaining entry through the window of the ground floor office: as soon as I was inside the office, straight away I saw a motion detector up on the corner wall flashing with all 3 lights… the one being RED was not what you wanted to see. This triggered a silent alarm that went back to the security company. (I know this because I tested it out weeks earlier… more than once. It always took 10 minutes exactly for a guard to arrive and check the premises, and 10 minutes exactly for them to look around and leave again).
So I was standing inside this office in the middle of the night, motion detector is flashing all types of bright LEDs. I have roughly 10 minutes to do what I need to do, right? Wrong. In my bag I had a roll of white masking tape. The sort of stuff you pack boxes with, has a consistency of paper. I grabbed a chair, placed it under the alarm, stood up with my roll of tape and ripped off a square that fit perfectly over the sensor. I put a couple of layers on, replaced the chair, jumped back outside, closed the window and ran off to safety.
Looking at my watch, sure enough, 10 minutes and the security car drives into the premises. From the safety of the trees across the road, I watch him walk around with a flashlight. I see him go into the main office briefly, this would be to reset the alarm. I see him go to the area I was at. And I see him leave again.
So after a while, I go back to my window. Now I don’t have 10 minutes to get what I was after… I have all night. The sensor does not pick me up when I get back inside. The intruder could take this tape off when they leave, bringing the guard back for a second time for no reason, or it could stay there until somebody finds it. More than likely it will be taken down and a guard will come back (unless they were stealing loads of equipment, they might need more getaway time).
And this is a true story. But it isn’t a great example of motion sensor security and I know it has been used before. Guards should pick up on this. “Should” being the key word.
There is also the threat of somebody having access to your premises during the day… be it an employee or somebody pretending to be an electrician (more on that later). In old motion sensors, all you have to do is pop the cover off the detector, and you see a red and black wire. If you strip these and cross them together, it will then not send an alarm back to base because you are looping the circuit, but they will not know it has been ‘deactivated’. It keeps the sensor alive, but breaks the ‘phone home’ function. I’m sure this is harder in more modern systems, but it takes decades for some places to change up physical security, and this was around back in the day, so it still is a real threat.
Another problem with motion detectors (which I could defeat in this instance) is placement. Once inside the initial office, there was a corridor that went to other areas, more offices and finally upstairs. The office I entered was halfway down the hallway, probably 25 metres to the other end where the next motion detector was. Can motion detectors reach that far? These ones didn’t. The company assumed the sensor would pick up the entire length of the hallway. Which is untrue. You need to test out the strength and placement of these.
You normally don’t install security systems into your office yourself (that’s what you pay the security guys to do), but you do have to test it yourself. An easy way to test it is – through the day, walk up to a sensor and you will see the lights go off… it is picking up rapid changes in heat patterns in the environment (your body heat). Walk away… walk to the side… step back… see when the sensor stops picking up your heat. This is what criminals do. They may enter a premises under the guise of doing regular business, and test the motion detector on the way out.
There are other ways to beat motion sensors. Like the old soap water on the lens trick (spray bottle or super soaker style) but this would be a similar and more awkward approach to the tape application, more than likely the alarm will go off in the process. Moving super slow so that the sensor doesn’t see a rapid change in heat within its viewing area is a popular one. Not the most efficient one, but we’ve all heard stories. Crawling along the ground under its field of view, that is also a popular one and this actually works more than people would like to think.
Solution? You need to make sure that your sensors actually cover the areas you want, and not just appear like they do. It sounds stupid I know, but have a look around your own place and see where the sensors are and how they work, and you might notice the potential that somebody could easily bypass them.
You could also invest your money in more secure types of ‘motion sensing’ systems. There is a wide range of technologies out there. Vibration sensors, magnetic pads, even James Bondesque laser beams. You have to weigh the cost against the value of the assets you are protecting. The standard motion detectors are fine PROVIDED you use them properly.
One thing that people get relaxed about is spare keys in the office. Or ANY key for that matter. On this particular job, I found a jar full of keys in one of the offices. It was in a top drawer of a desk, but it wasn’t locked. Even if the lock was locked, these locks are so easy to open that a 6 year old with safety scissors could do it. In any case, I ended up testing the keys I found on various locks in the end of the building I was in, which led me to the discovery that one of them was the master key. No need for my crowbar anymore. Master keys have codes on them so they can’t be replicated down at the corner locksmith’s. But when dealing with criminals, it wouldn’t be too hard to have a contact that would do this on their behalf… or even have a machine themselves. And what about the key to one of the back offices? Surely no one would see that missing, I didn’t see a ‘do not copy’ imprint on this particular key. People would ask where the master key was, but the spare key to the back door? Maybe. Maybe not… As you can see, any entry way is an entry way. (Similar to ‘any hole is a goal’…)
Make sure to be diligent when controlling keys. If you lock a high value key into a drawer with a cheap lock, then you are defeating the purpose.
Security guards are great. Provided they do their job properly! Continuing on from the story above, I knew the routine of the guards. Apart from me knowing how long it took them to respond to my alarms, they did not come around regularly. They only came out when the alarm went off. It makes it very hard for bad guys to break in if you have security guards that show up at random intervals.
Criminals could visit your site every few nights of the week and set off the alarms on purpose. Then after 2 weeks of fake alarms, when the real alarm goes off, the guards may be less likely to respond. I know they have fallen for this before and it shouldn’t impact their routines, but security guards are humans after all. And humans are the biggest weakness in any security function.
Please make sure you get a reputable security company to not only install your security, but do the proper checks. Ask them what service you get. If you don’t agree with their service, go elsewhere. There are plenty of good security companies out there, it doesn’t mean you have to use the cheapest…
Well, won’t people that go around breaking in to your offices be caught on the old CCTVs? If you have them, then ‘probably’. But in the majority of places I’ve been, cameras are placed in ineffective locations. Sure, they give a view of a ‘high risk area’ like the main entrance, but what is behind that camera? So many times you will find somebody could sneak around behind or underneath it, and cover it with something, or stick something over it (masking tape??) before they even have to walk in front of it. And if this isn’t a high risk facility that has in-house guards watching the cameras in real time, nobody will respond.
Cameras are known as security deterrents (as they often deter criminals from doing an offense through fear of getting recorded). It is only a deterrent if the criminal can actually be identified. If nobody is watching these tapes then it doesn’t deter anyone from breaking in. Robbing a supermarket maybe. But if nobody is watching, a camera can be easily covered, or a disguise would be worn. The tapes don’t usually even get viewed unless the next day they find the office has been robbed, or if they come in early Monday morning and they find their server room without any servers… That’s when the tapes get checked. (Remember, I am talking normal business here, no high risk facilities)
And that brings me to the next thought. IP Cameras. They are pretty awesome. If they are used right, that is. This borders into the realm of cyber security but is still relevant. I recall being at a client’s office and auditing their systems, and found that their IP camera system’s server only held recordings for 7 days. 7 days isn’t much at all. You might think that ‘if somebody committed a crime, 7 days is enough recordings’. But no way. If the intruder knew how long you stored your tapes for, they could do something in the form of a social engineering attack. Make some bogus phone calls to the office, say something about building management or that they have been sent to check the fire extinguishers comply with safety regulation. Come into the office one day, pretend to be doing whatever it is they claimed to be doing, disable sensors, leave a window at the back of the office unlocked, plant hardware keyloggers, steal a sensitive laptop – all sorts of stuff. They could even plug in a Rogue Access Point under a desk if they were that way inclined. All types of things could be done to give more leverage to an intruder. But say Monday morning 2 weeks later, the company finds they have been robbed. They check the tapes and see a robber wearing a mask quietly cleaning out the office. As he is disguised, there isn’t much they can do. When the police ask ‘Was there anyone unusual around here lately?’, the office might mention the nice man who came to fix the lights a couple of weeks ago seemed a little out of place. ‘Well when was he here? Can we see the CCTV footage?’… ‘Sorry we only hold footage for 7 days…’.
Another thing with IP cameras. Like any other computer system, there is a potential they can be broken. The sheer number of SOHO security cameras that have been wrongly configured and which you can view online through special search requests is scary. Doing a WHOIS look up on the IP and some digging could give you the actual company and address that this camera is currently servicing. Shodan can illustrate how simple this actually is http://shodanhq. Do we really need more criminals finding their prey this easily? You want to make it harder for the bad guys, not easier.
I still think the percentage of HID contactless smart cards in Australia is around 90% (I did read the figures somewhere a couple of years ago). You know when you work in an office building, and you more than likely have a white card that you swipe to gain entry? The one with HID written on it? They can be cloned pretty easily by products from vendors such as http://proxmark.org/proxmark. If somebody had one of these readers in their backpack, they could easily walk up behind you on the street… or while you are having a few after work drinks at the pub. Or perhaps when you put your wallet down for a minute. It just takes a second of getting close to you, and your card could be stolen. Social Engineering could come into play here, but regardless of the method to obtain it, the point is they can be cloned. If a criminal wanted access to a sensitive area of the business… they could follow the CEO out of the office one day, or the IT manager even.
Cloning the card (putting the reader in a close enough proximity to the victim’s card) will now copy the data onto the device, and it can be written to a new card. This new card will have the same access as the one that was just cloned. All the facility security logs will see is that the other person’s card was used for entry at a certain time (which may land them in hot water depending on what happens after a successful intrusion).
If you work in a large office building, with different companies on different floors, who has a swipe card that can get into every office and every company? Come on, guess… it’s really quite simple and very scary. Probably the least security conscious person of them all… the humble cleaner.
Cleaners are employed by the building to clean the offices. Not necessarily just the company’s offices, but the entire building. Depending on what building you work in, they could have access to all areas, or just designated spots. Around 5.30pm you see flocks of them start to make their rounds around the office for their nightly shifts. Their cards are usually hanging off their waist as well. This is the low hanging fruit. Cloning a card that is ‘access all areas’!? Not dissimilar to Willy Wonka’s golden ticket.
How do you defend against your card being cloned? You could purchase something like an RFID shield to issue to all employees. This might be cumbersome as employees would need to take the cards out of the protective jackets every time they enter an area. But it is that sweet spot in the balance of security and productivity you are after. You decide how important your assets are, and decide accordingly. http://www.rfid-shield.com/
You should also be diligent in card management: making sure cards are deactivated when lost or stolen, and making sure that no employee has after hours access if it is not a job requirement (think the principle of least privilege but for the physical world).
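The card-management points above can be checked against the door controller's own log. The following is an added example, not part of the original post: it flags swipes by deactivated cards, after-hours entries by cards with no after-hours entitlement, and one card granted at two sites within a few minutes (a possible clone). The log format, card register, site map and thresholds are all constructed assumptions.

```python
import csv
import io
from datetime import datetime, time, timedelta

# Constructed card register (hypothetical fields): whether the card is still
# active and whether the holder's job requires after-hours access.
CARDS = {
    "1001": {"holder": "it.manager", "active": True, "after_hours": True},
    "1002": {"holder": "accounts", "active": True, "after_hours": False},
    "1003": {"holder": "former.employee", "active": False, "after_hours": False},
    "1004": {"holder": "cleaner", "active": True, "after_hours": True},
}

# Constructed door-controller export: timestamp, card id, door, result.
SAMPLE_LOG = """\
2024-03-04 08:55:10,1002,front,granted
2024-03-04 19:40:02,1004,front,granted
2024-03-04 23:12:45,1002,back,granted
2024-03-05 02:03:30,1003,back,granted
2024-03-05 09:01:00,1001,front,granted
2024-03-05 09:02:30,1001,server_room_b,granted
"""

# Assumed policy values; tune them to the real premises.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)
DOOR_SITE = {"front": "site_a", "back": "site_a", "server_room_b": "site_b"}
MIN_TRAVEL = timedelta(minutes=15)  # shortest plausible trip between sites


def is_after_hours(ts):
    """True on weekends or outside the assumed business hours."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def audit(log_text, cards=CARDS):
    """Return a list of (timestamp, card_id, finding) tuples."""
    findings = []
    last_granted = {}  # card id -> (timestamp, site) of the last granted swipe
    for row in csv.reader(io.StringIO(log_text)):
        if not row:
            continue
        ts_raw, card_id, door, result = row
        ts = datetime.strptime(ts_raw, "%Y-%m-%d %H:%M:%S")
        card = cards.get(card_id)
        if card is None:
            findings.append((ts_raw, card_id, "unknown_card"))
            continue
        if not card["active"]:
            # Any use of a cancelled card is worth a look, granted or not.
            findings.append((ts_raw, card_id, "deactivated_card_used"))
            continue
        if result != "granted":
            continue
        if is_after_hours(ts) and not card["after_hours"]:
            findings.append((ts_raw, card_id, "after_hours_without_entitlement"))
        site = DOOR_SITE.get(door)
        prev = last_granted.get(card_id)
        if prev and site and prev[1] and prev[1] != site and ts - prev[0] < MIN_TRAVEL:
            # The log only shows the card number, so two sites in quick
            # succession is one of the few visible signs of a copied card.
            findings.append((ts_raw, card_id, "same_card_two_sites"))
        last_granted[card_id] = (ts, site)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```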
Server Rooms/Data Centres
If data is of high importance, it will no doubt be stored in a secure Data Processing Facility (this may be with a third party, and may be complete with biometrics and ‘proper’ access controls). But what about the regular run-of-the-mill company? Your data is just as important to you as anybody else’s is to them. These types of companies often don’t have the budget for, or knowledge of, proper physical security.
Server Rooms are a gold mine, for all sorts of reasons and for all sorts of intruders. If somebody snuck in to one, they could install a tap device to capture traffic entering and leaving the entire organisation, they could install a rogue AP on the sensitive and protected ‘server VLAN’, they could even load a bootkit onto your servers, and have access from the comfort of their own home, stealing confidential information and having access to everything in your company while they sit back and drink lattes. They could steal, they could sabotage, they could do anything to the central nervous system of your organisation. It is the last place you want unauthorised people to access.
One thing I learnt while studying CISSP’s Physical Security domain, apart from having layered security zones in your facility protecting your holiest of assets (think a physical maze of walls and offices, each one slowing down an attacker from reaching the gold mine in the middle – which is your server room), is that dropped ceilings are bad. As you can see from this picture.
This image was taken from Shon Harris AIO CISSP Guide (Good book)
It had never occurred to me before and I don’t know why, but the MAJORITY of places I have worked had dropped ceilings. Pretty simple for somebody to remove one of those panels from somewhere else in the building and crawl across. Might be unlikely, but again, how important is your data to you? More importantly, how important is your data to somebody else?
It’s also good practice to have a sign-in form for server rooms, and accompany any individuals entering your room. Preferably your server room should have strong glass walls so everyone in the department can see who or what is inside at any given time. CCTV also wouldn’t be a bad idea to implement inside to back up your physical security controls. It might also have good auditing functions: if one of the administrators used the general domain admin account and stuffed up the Exchange database from the console, the camera could correlate with the time stamps of your logs.
I’ve been in so many places where all they had was a swipe card for server room access (read above on cloning), with the server rooms not even located near any IT teams, just the general staff population. Do you think any non-IT staff member would care if somebody walked in with overalls and a toolbox and swiped their way into the server room? Nope.
Protecting your data in transit
How about your data when you travel? You might have a full disk encryption solution on your company laptop. You might need to take it with you on business. You leave it in a hotel room when you go out for dinner perhaps. How secure are these hotels? If you had mission critical files on your laptop which was in your hotel room, how much confidence would you have that nothing on there could be taken? I can’t speak for all hotels, or even hotels overseas, but all of the hotels I’ve stayed in have no CCTV in the actual hallways. Only at elevator entrances and main thoroughfares. If your laptop went missing from your room… there would be no realistic way of tracking down who did it (by looking over the CCTV footage). And worse yet, if your hard drive was cloned you wouldn’t even know.
How could somebody break in to your room undetected? Simple! A perfectly shaped piece of metal or aluminium can be used to unlock most doors from the outside. One of these could fit inside a suitcase or carry bag. (Here is a video demonstrating this technique)
“So who cares if someone steals my laptop… so who cares if someone breaks into my room or steals my laptop!” I hear you protest. Well, someone could 1. Clone your drive, taking it away and bypassing all authentication and encryption. 2. They could do it on the spot, or 3. they could just steal it and break through it elsewhere. How would somebody do this? Some of the most popular Full Disk Software Encryption packages (looking at you TrueCrypt and PGP) can have their entire encryption and local authentication bypassed using a bootloader like “Stoned Bootkit” or the dreaded ‘Evil Maid’ attack. A bootkit could be run by booting the laptop off of the bootkit CD or USB stick.
This all might sound a little far-fetched and like too much effort for somebody to go through to get your files. If they succeed, you might say “Kudos to them, they deserved it”. Truth is, all of this isn’t really that hard. It’s all very basic stuff. Mid-Level criminals can and do pull this off. And again, how much is someone willing to pay for YOUR data?
One thing you could do is take the laptop cable locks with you when you travel which can secure your device to a solid foundation, preventing most people from being able to steal it. They still could cut through it yes, but slowing down or deterring an attacker is better than nothing at all.
Another technical control your laptop should have is a BIOS password, and it should not allow the boot order to be changed. Sure, BIOS can be cracked, but it involves opening up the device in most cases, and the criminal may not have enough time to do this. Stealing the drive or cloning it might be the only option for them. So this might be a wake-up call to not store data locally. If you do need local data when you travel, consider fully encrypted (hardware) USB sticks (IronKey are great) and store your data there. Make sure you do not lose it though! These drives can securely destroy themselves automatically if they get into the wrong hands. But we want to prevent that from happening to start with.
User awareness is paramount for security. Both physical and technical. You need to inform and train all staff on proper security procedures and why they are needed. You have to do it in an interesting way also, or they won’t listen. One thing I think is a good idea, is to get a piece in the monthly newsletter (or whatever) for Information Security matters. But make it relevant to the users. People are actually interested in being more secure, it is how you deliver it to them which can cause the heartache.
One month do a write-up on ‘how to stay secure on Facebook’ and ‘how to protect your bank account from being hacked’ etc, and link the technologies and concepts in to business systems and why it needs to be done. Staff love reading a little creative snippet about how a social engineer can infiltrate a company and sneak out data… and the lessons start to be learnt from within. You also want to reward users for good behavior and make them proud to work for you, there is nothing worse than disgruntled employees. They are more dangerous than the criminals we are trying to defend against.
Everything I have posted is just for general awareness. Most people know these techniques, as I said “it is nothing new”. I tried to steer away from getting too geeky and just keep things simple. I also wanted to stay clear of the general mundane foundations of physical security and actually put in some relevant and useful information. I could have gone on forever if I started with combining different social engineering attacks with physical penetration. And one thing to keep in mind. This controversy over performing client-side pentests? This content is highly relevant and just shows why these sorts of tests need to be conducted for businesses to keep them safe.
Hope you enjoyed, and I hope someone at least learnt how to be more secure from this.