Information Security covers an amazingly broad set of responsibilities. When you begin to dive into the topic, you will find that the principles in securing your data can also be applied to the physical security of your job sites. In fact, securing the physical site will tighten your data security. According to a globally-recognized cyber security certification, (ISC)² CISSP, Security Professionals categorize this topic into 8 domains :
- Security and Risk Management
- Asset Security
- Security Engineering
- Communications and Network Security
- Identity and Access Management
- Security Assessment and Testing
- Security Operations
- Software Development Security
In this post, I want to talk about the 5th domain : Access Management.
- How do you know if someone belongs in the location you see them in?
- Do they have a badge?
- Does that badge let them through a door / turnstile?
- Is that door and badge reader monitored by a person?
- Does that badge have to be displayed in a certain way?
- Or does a person just have to look the part to not be questioned?
Professional Penetration Testers are individuals who are hired by a company to measure the difficulty of breaking into the company, physically or electronically. One of their methods to gain access to a secure location (for example, the CEO’s office) is to start at a work site where they know security will be lower, and steal items that will help them blend in at the more secure sites. Stealing anything with a company logo (hard hat, clipboard, safety vest, jacket, keys, vehicles, etc) makes them look like they should be where they aren’t supposed to be.
The unfortunate thing is that, most of the time, this much preparation by the intruder is overkill. People are inclined to be helpful. Testers found that when someone showed up on site, looking slightly lost (but in search of something), and just asked nicely enough, employees were helpful in showing the Penetration Tester directly to whatever or wherever they are looking for regardless of their appearance.
If someone can walk in off the street, sit down at a desk (or be shown to an unoccupied office), plug something into a computer or a wall socket, then get up and walk back out onto the street without being stopped (or noticed), there is no way of knowing what they could have taken or left behind. Someone with unsupervised access can easily find a network port and plug in a small computer to any network port they can find. That computer can be set up to connect to an external network, automatically, which will give the Penetration Tester continued access to the network when they leave the building.
The reason for keeping all guests monitored / escorted, and all employees visibly identified is to be able to, at a glance, decide if someone is out of place. For example, NASA was recently in the news for a CyberSecurity breach due to an unauthorized Raspberry Pi computer on their network. This was likely a device that a NASA employee had put on the network to perform some task, or just to tinker with (there will be a posts on Shadow IT and Unauthorized Devices in the future). The device was poorly configured, and allowed external hackers to access the network at the Jet Propulsion Laboratory. This type of thing happening accidentally or unintentionally is enough of a security problem, it shouldn’t be allowed to happen intentionally.
The best thing that can be done to prevent things like this is to educate everyone on what the expectations are for visitors, and their hosts. Enforce the rules, and reward those people who will stop and question anyone who isn’t following the rules. I would encourage that a protocol be established to walk the unknown person to a site manager or site security officer to have them check out the person as well.
Verifying an unknown visitor can be handled tactfully and does not need to be a rude or combative interaction, with proper training. For example, if you stop someone who is wandering around looking for “Jerry, the Manager of Accounting” you can ask that person what department they work in, and if they are a guest, who sent them to look for Jerry. The expectation here is that guests should always be escorted through the building. If they are an employee you are unfamiliar with, this would be a good gesture to get them where they need to be.
If what they say seems reasonable you can walk that person to Jerry’s office and make the introduction, “Hey Jerry, this is So-and-So from XYZ department, their Manager ABC sent them to see you”. Jerry will either be expecting them, or will be able to say that something odd is going on and then the decision can be made to involve Manager ABC, or the building security team. If something odd is going on do NOT leave the person alone or allow them to go get “documentation from their car”. Make it awkward for them to leave without making it a confrontation until someone arrives who is equipped to handle such a situation. If they show you something on their phone or tablet (an email, a text message, a picture) call the person who sent it and have them confirm they sent this person on that task. At the worst, this slight inconvenience could save the company from a costly intruder.
There are some great references for handling a wide range of security issues. We recommend, much like the physical safety of the job site, a culture of cyber and job site security should be adopted company-wide. If everyone can be vigilant in locking their desktops, keeping watch of suspicious persons, and asking the right questions, we can prevent sensitive data from ending up in the hands of your competitors or attackers.