Your Office Through a Hacker’s Eyes: Physical Security Vulnerabilities You Need to Know
Discover unseen cybersecurity risks in your office space as we explore the importance of physical security in digital defense.
- 8 Useful Small Business Cybersecurity Tips You Need to Know – Resilience Cybersecurity & Data Privacy
- How To Destroy Perfectly Good Cybersecurity Policies – Resilience Cybersecurity & Data Privacy
- Safeguarding Your Assets: The Critical Role of Physical Security in Cybersecurity – DevoTeam
- Cyber & Physical Security: Why You Need Both – Compass IT Compliance Blog
- What is physical security? How to keep your facilities and devices safe from on-site attackers – CSO Online Security Blog
- What is physical security and how does it work? – TechTarget Security Blog
- 5 Cyber Security Tips for Smart Buildings – IT Security Guru
- IP Cameras, VoIP and Video Conferencing Revealed as Riskiest IoT Devices – infoSecurity Group
In this episode, we delve into an often overlooked, yet crucial aspect of cybersecurity: physical security. The term may not sound as intricate as some cybersecurity jargon you’re accustomed to, but its significance is undeniable. When we think about cybersecurity, we usually conjure images of hackers infiltrating networks from remote locations, but the reality is far more complex.
Our conversation illuminates the importance of securing the physical premises of your company as part of your overall cybersecurity program. An attacker doesn’t need to launch an advanced cyberattack to breach your systems; sometimes, they just need to be near you.
The concept of physical security is broad – it certainly doesn’t begin at your front door. Instead, it begins the moment you enter the technological range of a building. From this moment, you’ve stepped into that building’s physical security domain, and the need for robust measures becomes evident.
Let’s take a look at a building’s cybersecurity but through the eyes of a potential hacker. You’ll never look at your office the same way again.
We begin with the initial steps of conducting a physical and cybersecurity assessment for a typical office environment. This starts in the parking lot, where checking the available wireless and Bluetooth connections gives insight into the location’s network infrastructure. The information obtained, such as which services are present and what hardware is needed to provide them, gives initial intelligence about the building’s security environment.
The next step involves observation – walking around the building (recreational walking paths in office parks are excellent for this purpose). This ‘window browsing’ can reveal valuable information, such as passwords on post-it notes, visible screens, and other potentially sensitive information.
Further security checks involve inspecting external Internet of Things (IoT) and security devices, like cameras. These devices, which are typically networked and centralized in a specific location within the building, could provide additional access points for potential exploitation. Notably, if these devices are not properly secured and their credentials are simple for the sake of convenience, they could represent significant security vulnerabilities. Thus, even an exterior security assessment can provide crucial insights into the overall security posture of a business.
The Front Door
Gaining access to the building opens up a host of new possibilities. Let’s take a look at the front door. Is this an uncontrolled access building? They’re common among small businesses not dealing with sensitive or high-value materials. For “low risk” businesses, it’s assumed that the threat of theft or exploitation is minimal, and oftentimes, so is security.
What if it’s a secure entrance, which is typically used by companies dealing with more sensitive data? These entrances can either be attended (guarded) or unattended, employing mechanisms such as badge readers or biometrics for access control. Even highly secure systems might use advanced biometrics like retina scans. Regardless of the system used, there is usually an automation or systematic component, which can be exploited.
For instance, the credentials used by older RFID card reader systems, especially in legacy buildings, can be easily copied and replayed to gain access. Newer technologies are more challenging due to their use of rotating codes and encryption, but they are not completely immune to exploitation. Therefore, understanding the access control systems in place can offer valuable insights into the potential vulnerabilities of the building.
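A replayed or cloned badge looks like a normal "GRANTED" event to the reader, so the defender's opportunity is in the access-control log: the same badge entering a door it has not left (anti-passback), or appearing at two doors faster than a person could walk between them. The script below is an added example, not code from the episode or from any access-control product; the log format, door names, badge numbers and minimum transit times are all constructed assumptions.

```python
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample badge-reader log (invented format; not from any real product).
SAMPLE_LOG = """\
2024-05-06T08:02:11Z door=MAIN-ENTRY badge=1042 direction=IN result=GRANTED
2024-05-06T08:03:40Z door=MAIN-ENTRY badge=2211 direction=IN result=GRANTED
2024-05-06T08:05:02Z door=SERVER-ROOM badge=1042 direction=IN result=GRANTED
2024-05-06T08:09:30Z door=SERVER-ROOM badge=1042 direction=OUT result=GRANTED
2024-05-06T08:31:15Z door=MAIN-ENTRY badge=1042 direction=IN result=GRANTED
2024-05-06T12:00:05Z door=MAIN-ENTRY badge=2211 direction=OUT result=GRANTED
2024-05-06T12:00:20Z door=LOADING-DOCK badge=2211 direction=IN result=GRANTED
2024-05-06T12:01:00Z door=MAIN-ENTRY badge=9999 direction=IN result=DENIED
"""

# Assumed minimum walking time in seconds between door pairs (site-specific values).
MIN_TRANSIT_SECONDS = {
    frozenset({"MAIN-ENTRY", "SERVER-ROOM"}): 90,
    frozenset({"MAIN-ENTRY", "LOADING-DOCK"}): 120,
}


def parse_line(line: str) -> dict:
    """Turn one 'timestamp key=value ...' line into a dict with a parsed time."""
    ts, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = ts
    event["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def analyze(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (finding_type, badge, timestamp, detail) for suspicious badge use."""
    findings: List[Tuple[str, str, str, str]] = []
    last_direction: Dict[Tuple[str, str], str] = {}  # (badge, door) -> last direction
    last_event: Dict[str, dict] = {}                  # badge -> last granted event

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["result"] != "GRANTED":
            continue  # a denied read does not move anyone through a door
        badge, door, direction = ev["badge"], ev["door"], ev["direction"]

        # Anti-passback: the same badge going the same way through the same door
        # twice in a row means the holder (or a copy of the badge) never left.
        if last_direction.get((badge, door)) == direction:
            findings.append(("ANTI_PASSBACK", badge, ev["ts"], door))
        last_direction[(badge, door)] = direction

        # Impossible travel: two doors used faster than a person could walk between them.
        prev = last_event.get(badge)
        if prev is not None and prev["door"] != door:
            elapsed = int((ev["time"] - prev["time"]).total_seconds())
            needed = MIN_TRANSIT_SECONDS.get(frozenset({prev["door"], door}), 0)
            if elapsed < needed:
                detail = f"{prev['door']}->{door} {elapsed}s"
                findings.append(("IMPOSSIBLE_TRAVEL", badge, ev["ts"], detail))
        last_event[badge] = ev

    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

The anti-passback rule only fires while the legitimate holder is still inside, and the transit rule depends on honest distance figures for each door pair, so in practice these findings are a prompt to pull camera footage for that door and time, not proof of a cloned card on their own.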
Once inside, there are several potential points of vulnerability. Key evaluations include the security of entrances and workstations as well as other human and technological failure points.
If a human attendant is present, they could leave passwords or keys in accessible places or leave their desk unattended, providing a chance to gain unauthorized access. They also may leave a computer unattended for even a short time. An experienced attacker can use one of many strategies to compel the receptionist to leave their station.
Throughout the facility, any workstation is a potential gold mine of valuable information. Anything from post-it notes to photos (or an unlocked workstation) can be found there.
In offices without either direct control of entrances or a buzz-in system controlling access to the workspace, gaining unsupervised access can be quite easy.
There are numerous potential security vulnerabilities in various types of rooms within a workplace, such as cubicles, open workspaces, and shared spaces. Key vulnerabilities include:
- Personal Information: User spaces often contain Personally Identifiable Information (PII) that can be used to answer security questions or find passwords. This includes names, addresses, pet names, and sometimes credit card information (think about the photos you put on your wall!).
- Unattended Connections: Unattended workstations often have exposed network connections just waiting for an employee to plug in. Adding a USB device or network adapter to drop a payload or carry out a man-in-the-middle attack is incredibly low-risk for the attacker, and could allow them to intercept or alter the data being transmitted between two parties without their knowledge.
- Open Office Setup: In an open office setup where workstations are shared, an attacker could install a device that monitors the traffic of every individual using that workstation, gathering different sets of telemetry until the device is discovered.
- Discarded Information: Important information is often thrown carelessly into open trash bins. How often do you look at the person emptying your trash to ensure they’re an employee?
- Left Behind Technology: Devices left unattended, like cell phones, could be exploited, especially if they contain work emails or other sensitive information and lack proper protection.
- Technology Resources: Other potential security risks include technology resources such as computers in conference rooms, tablets mounted to walls, and Ethernet cords. These can provide direct LAN connections to the network and are often overlooked or poorly regulated.
When it comes to physical documents, the first line of defense is controlling access to the storage room, followed by securing access to individual document layers. Any storage that lacks access protection is potentially very attractive. A major consideration beyond mere access is whether there is active monitoring of any such access.
The Server Room
The Server Room, IT Closet, or wherever you keep your network equipment, is either El Dorado or Fort Knox in the eyes of a would-be attacker. The lack of robust physical security measures in place represents a major vulnerability just waiting to be exploited. Unrestricted access to these rooms provides an opportunity to physically connect to network devices and servers. Once a hacker has physical access to these things, there’s little that can limit their access.
Looking back to our external recon, if a company has extensive external camera systems and biometrics, it indicates a higher level of security maturity, which may suggest a substantial internal networking system. On the other hand, companies with less developed security measures often have more vulnerable areas.
Either piece of information can be helpful to a would-be attacker.
The Conference Rooms
Conference rooms are often overlooked in terms of security and represent an ideal situation for an attacker. Despite their frequent use, they lack surveillance, and there is a general assumption that someone occupying the room is supposed to be there. Most also have built-in networking interfaces which, if not segregated properly, can provide direct access to a company’s primary network.
With a little confidence (and a utility company work uniform), a cybercriminal could spend a significant amount of time in a conference room unnoticed, with ample opportunity to probe the company’s network from within the building.
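Whether a conference-room wall jack leads straight into the primary network is something a defender can check from the switch configuration rather than by walking the floor. The script below is an added example, not code from the episode; it audits a constructed Cisco-IOS-style running-config excerpt (interface names, descriptions and VLAN numbers are all invented) and flags any live conference-room port that sits on a corporate VLAN, plus any corporate-VLAN access port that does not require 802.1X authentication. The convention that conference-room ports carry "CONF" in their description and the set of corporate VLAN IDs are assumptions to be replaced with your own.

```python
import re
from typing import Dict, List

# Constructed Cisco-IOS-style config excerpt (invented interfaces, not a real switch).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/10
 description CONF-ROOM-A wall jack
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/11
 description CONF-ROOM-B wall jack
 switchport mode access
 switchport access vlan 30
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/12
 description CONF-ROOM-C spare jack
 switchport mode access
 switchport access vlan 10
 shutdown
!
interface GigabitEthernet1/0/13
 description FINANCE desk 3
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
!
"""

CORPORATE_VLANS = {10, 20}                       # assumed: VLANs carrying internal systems
CONF_ROOM_PATTERN = re.compile(r"\bCONF", re.I)  # assumed naming convention for room jacks


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' block to its stripped sub-command lines."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith("!"):
            current = None  # '!' ends the block
        elif current is not None and line.strip():
            interfaces[current].append(line.strip())
    return interfaces


def audit(config: str) -> Dict[str, List[str]]:
    """Return {interface: [issues]} for ports that give unauthenticated corporate access."""
    findings: Dict[str, List[str]] = {}
    for name, lines in parse_interfaces(config).items():
        if "shutdown" in lines:
            continue  # administratively down: the jack is dead
        description = next((l[len("description "):] for l in lines
                            if l.startswith("description ")), "")
        # Access ports with no explicit VLAN land in VLAN 1 on IOS.
        vlan = next((int(l.split()[-1]) for l in lines
                     if l.startswith("switchport access vlan ")), 1)
        dot1x = ("authentication port-control auto" in lines
                 and "dot1x pae authenticator" in lines)
        is_conference = bool(CONF_ROOM_PATTERN.search(description))

        issues = []
        if is_conference and vlan in CORPORATE_VLANS:
            issues.append(f"conference-room jack on corporate VLAN {vlan}")
        if vlan in CORPORATE_VLANS and not dot1x:
            issues.append("corporate VLAN port without 802.1X")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for interface, issues in audit(SAMPLE_CONFIG).items():
        print(interface, "->", "; ".join(issues))
```

In the sample only GigabitEthernet1/0/10 is reported: the shut-down spare jack is harmless, the room on the isolated VLAN 30 with 802.1X passes, and the finance desk is on a corporate VLAN but requires authentication. The same two rules scale to an entire access-layer config export, which is a far quicker sweep than inspecting every wall plate.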
Mailroom/Shipping & Receiving
Regardless of the size of a business, the mail and shipping areas are target-rich environments. A mailroom often contains sensitive documents with account numbers and contact information that can be easily accessed due to a lack of supervision and attention. Shipping and receiving departments of companies that provide laptops to their employees may have those very laptops, with installed operating systems, user credentials, and Multi-Factor Authentication (MFA) setup details, packaged and ready to go.
Hopefully, this little walking tour has demonstrated how many vulnerabilities exist in most offices. Effective cybersecurity extends beyond your passwords and electronic devices. Protection of your physical space, including all areas and aspects of a business’s physical location, is an essential part of a complete cybersecurity program. Unauthorized individuals on premises should be strictly monitored and should go through an authorization process.
Have a policy in place to deal with all of these scenarios. Implement and enforce that policy. With a robust and comprehensive approach to both physical and cyber security, you can significantly reduce the risk of a security breach. By acknowledging and addressing potential vulnerabilities in your physical security, you not only protect your assets but also fortify your overall cybersecurity posture.
In the end, remember that the goal of cybersecurity is not just about preventing an attacker from getting in, but making it as difficult as possible for them to do so. This requires a blend of cyber and physical security measures, constant vigilance, and a culture of security awareness. It is a continuous process, not a one-time task. Your office should be a fortress, not just a workspace. So, take a look around your office and consider the potential vulnerabilities that a would-be attacker might exploit. Don’t just look at your office as a workspace but as a potential battlefield in the fight against cybercrime.
We’re here to help make the complex language of cybersecurity understandable. So if there are topics or issues that you’d like Ryan and me to break down in an episode, send us an email at firstname.lastname@example.org or reach out to us on Facebook or LinkedIn. For more information about today’s episode, be sure to check out Fearless Paranoia.com where you’ll find a full transcript as well as links to helpful resources and any research and reports discussed during this episode. While you’re there, check out our other posts and podcasts as well as additional helpful resources for learning about cybersecurity.
to make cybersecurity understandable, digestible, and guide you through being able to understand what you and your business need to focus on in order to get the most benefit for your cybersecurity spend.
©2022 Fearless Paranoia