Working in information security, I’ve seen my share of flagrant violations of best industry practices in physical security. Physical security is one of the most basic steps any organization should take to protect its people, assets and technology. Without it we cannot defend our organizations against risks such as espionage, theft of equipment and intellectual property, sabotage and the introduction of malicious software. An adversary with physical access can often reach resources, assets and technology far more easily than an external actor can: a machine that can be touched can be rebooted from removable media, have its disks removed, or be connected to an attacker’s device, which bypasses many of the controls built into the network and the operating system. This is why physical security is paramount. Yet organizations still fail to address even the most basic physical security concerns. Let’s explore some actual physical security failures that I’ve encountered in my decades in information security. Before that, let’s define physical security.
Wikipedia defines physical security as: Physical security describes security measures that are designed to deny unauthorized access to facilities, equipment and resources and to protect personnel and property from damage or harm (such as espionage, theft). Physical security involves the use of multiple layers of interdependent systems which include CCTV surveillance, security guards, protective barriers, locks, access control protocols, and many other techniques.
Lockless server/network room – In this particular instance the small business I was consulting for didn’t have a lock on the server room or network closet. When I confronted their IT team, they claimed it was just ‘easier’ to access it that way. Once I explained that this made it exceedingly easy for a cybercriminal or adversary to wreak havoc on their organization, since anyone in the building could plug into the core switches or walk off with a server, they quickly installed locks, access control systems and other physical security/process improvements.
Visible alarm system code – In this particular client engagement they were having issues with staff or others stealing laptops, equipment and other assets. In reviewing the physical security of the organization, we found they had no procedures for controlling access to sensitive areas, no CCTV, and the alarm code written in permanent marker on the alarm panel itself. One of the recent thefts was done by a temporary contractor (a malicious insider) who had noticed the code on the alarm and came in after hours to help himself to a laptop.
Blind trust – The client was a medium sized accounting firm that had experienced a malware infection and DDoS attack. In reviewing the CCTV footage, we found that the front desk had allowed an unknown, unidentified person to enter the office. The unidentified party had installed malicious software on a workstation and caused the issue we were addressing. The front desk staff were retrained in the correct security procedures. Moving forward they were to vet, verify and sign in any guests, and to escort them to their final destination within the organization.
As flagrant as these physical security failures seem, they are far too common. Organizations fail at physical security for numerous reasons, but most frequently for lack of staff training, lack of compliance with staff policies and procedures, and lack of regular physical security audits. Is your organization making physical security a priority? If not, it should. Without physical security all other security efforts are undermined, because adversaries have direct access to your assets and can exploit them far more easily.