Physical Assessments: physical site security testing

IT security officers, managers from the fields of building technology and building management, and many others know that the importance of building security is constantly growing. Both unauthorized intrusion into the building and unauthorized access to data must be prevented. As part of a physical assessment, SySS examines all the ways of entering a building without authorization in order to gain access to devices and thus to collect data.

WHY PHYSICAL ASSESSMENTS?

For any company property, there is a risk of unauthorized persons gaining access to the premises, the building, rooms and facilities. Particularly attractive targets are, for example, the research and development areas of an industrial company, but also IT rooms, archives or management offices. Such access allows material assets to be damaged or stolen, technical systems to be manipulated, or data to be reached through direct access to computer systems, copiers, mobile devices and, last but not least, the network infrastructure.

The goal of a physical assessment is to validate the security of the physical site. This form of testing is designed to help identify threats, assess their likelihood of occurrence and damage potential, and then assess the resulting risk for the organization. In addition to the technical precautions, the access itself, the access control and the monitoring processes are also tested.

A physical assessment gives answers to key security-related questions such as:

  • Do physical security concepts cover all relevant issues?
  • Are there any gaps?
  • Do the technical arrangements work and are they sufficient?
  • Are the defined processes actually followed in practice?
  • Do technical and organizational measures ensure adequate protection of personal data?

HOW DOES A PHYSICAL ASSESSMENT WORK?

In order to answer these questions, the SySS consultant tries to gain access to the building or the agreed premises in several stages, preceded by a search of publicly available data on the company or entity to be tested.

Physical assessment tests basically have the following workflow:

  • Obtaining information from public sources
  • Observation of the building, the site and the surrounding area, analysis of access options
  • Identification of access controls and analysis of their effectiveness
  • Observation of authentication measures for employees and guests
  • Search for work-arounds of installed protection measures
  • Search for access to additional restricted areas
  • If possible, search for access to the internal network

OBTAINING INFORMATION FROM PUBLIC SOURCES

First of all, the SySS consultant collects the kind of information that is also available to an attacker. This is mostly information from the internet, but also the consultant's own observations. An almost inexhaustible public source of information is job and career portals such as LinkedIn. The majority of people there, for example, specify their employer and their area of responsibility in the relevant company. Sometimes, the SySS consultant needs only to pretend by phone to be a member of staff who forgot to register a visitor for a meeting in order to get their SySS colleague access to the building. Alternatively, they use the contact researched on LinkedIn to claim an appointment with that person if challenged, e.g. when the SySS consultant is approached in the building.

OBSERVATION OF THE BUILDING, THE SITE AND THE SURROUNDING AREA, ANALYSIS OF ACCESS POSSIBILITIES

Building on this information, the possible ways into the building must first be determined. During a first visit to the surrounding site, the SySS consultant observes the access options to the building as well as the behavior of employees. For example, if larger groups go out to smoke together or have lunch, the SySS consultant can try to join such a group unnoticed.

Opaque doors, side entrances, supplier entrances, vehicle driveways, garages, etc. are gifts for the SySS consultant, as they are usually less closely monitored. Heavily frequented entrances, on the other hand, lend themselves to unauthorized access attempts because they are prone to tailgating. (Tailgating is a form of social engineering in which someone who is not authorized to enter a specific area, for example one secured by an RFID card, follows someone with legitimate permissions without their knowledge and thus gains unauthorized access.) During the observation, the SySS consultants identify not only any potential entrances to the buildings, but also, if possible, the employee ID card scheme, if cards are worn openly. In the case of public institutions, the consultants usually also look at the visitor registration, gaining an overview of the corresponding processes and deriving possible access scenarios from them.

IDENTIFICATION OF ACCESS CONTROLS AND ANALYSIS OF THEIR EFFECTIVENESS

The access controls are crucial for a physical assessment. Does the facility allow several people to pass through the entrance at once, or does the company, for example, use single-person isolation locks to ensure that access card authentication is enforced for every person? The analysis of the effectiveness of access controls is aimed, among other things, at the following:

  • How visible are entries to the building from outside?
  • When is the reception/guard occupied?
  • How many staff members belong to the reception/guard?

OBSERVATION OF AUTHENTICATION MEASURES FOR EMPLOYEES AND GUESTS

Access to a company building is often tied to certain authentication measures. Thus, the following has to be determined: Do ID cards need to be presented and, if so, how often and where? On the first day of a physical assessment, the SySS consultants usually take several photos of different employee ID cards unnoticed and then create cards for themselves that are modeled on the originals. These copies are purely visual and usually have no technical function. If employee ID cards are worn openly, the experience of SySS shows that a visually identical card worn openly is in many cases enough to establish trust with other employees and security guards; doors are even kindly held open for the SySS consultants.

If ID cards are not worn openly, a simple LAN cable is often part of the SySS consultant's equipment. To the question “Who are you?”, the answer “I'm from the IT department and I'm supposed to replace these cables in one of the meeting rooms.” is usually accepted. Claiming unplanned maintenance work or faking service activities of all kinds are also tricks for avoiding authentication measures, with great prospects of success.

SEARCH FOR WORK-AROUNDS OF THE INSTALLED PROTECTION MEASURES

The lowest-threshold way to gain unauthorized access to the building is tailgating. For example, a SySS consultant might try to follow an employee who has just opened the door. If isolation locks such as turnstiles are present and have to be overcome, the questions are: How high are they? Can they be climbed over? Can you slip under them? And if so, can the guard be distracted?

In the simplest case, the SySS consultant drops their ID card just before the turnstile and slips under the turnstile while picking it up. However, the tests can also use social engineering methods, such as distracting the guards. SySS always draws a line, at the latest, at methods that are aimed at placing employees under special stress, simulating emergency situations or the like. The goal of distracting a guard is never to be achieved at the price of pretending by phone that their child has been hospitalized and that they should come to the local emergency room as soon as possible. Tricks such as a cocktail of Mentos (peppermint sweets) and cola, which can easily simulate foaming at the mouth and thus tempt the guard to leave their post to provide first aid, are also excluded. All methods used in physical assessment testing are in line with the SySS ethical principles for social engineering.

SEARCH FOR ACCESS TO ADDITIONAL RESTRICTED AREAS

Once the SySS consultant has entered the building, they will soon find themselves in front of closed doors again. If a door is not mechanically locked but merely latched and secured, for example, by an RFID card reader, access through this door can usually be gained by bypassing the lock. The tool for this is the “under-the-door tool”. Similar to a lasso, a loop is made in a piece of wire or cord and, passed under the door, is hooked onto the door handle on the other side. If the SySS consultant now pulls from the outside, they press down the handle and thus open the door. Approximately 1-2 unobserved minutes are a prerequisite for a successful bypass. If things have to happen very quickly, the classic “credit card trick” for pushing back the door latch still works today for easy access to other areas.

SEARCH FOR ACCESS TO THE INTERNAL NETWORK

If a physical assessment is part of a red teaming test or if it is explicitly commissioned, an attempt is also made to steal sensitive company data. For this, the placement of minicomputers, usually a Raspberry Pi, is a tried and tested method that provides access to the internal network and allows data to be exfiltrated. All that is required is access to a suitable network outlet. In such cases, physical assessments often also include the installation of hardware keyloggers that allow the keyboard input of the respective workplace to be read out via Wi-Fi by the minicomputer as soon as employees are back in the office. With the ability to read passwords and other sensitive or critical information, massive data theft is a breeze.
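Added here as a defender-side illustration of the risk described in this section, not code from SySS or from the page: a small check that flags MAC addresses learned on switch ports which are absent from the asset inventory, which is one way an unknown minicomputer plugged into a spare outlet becomes visible. The log line format, the inventory and all MAC addresses are constructed for this example.

```python
# Added example, not SySS code: flag MAC addresses learned on switch ports
# that are absent from the asset inventory. Log format, inventory and all
# MAC addresses are constructed for this illustration.
import re

# Constructed asset inventory: normalized lowercase MAC -> asset name.
INVENTORY = {
    "00:11:22:33:44:55": "workstation-meeting-room-2",
    "00:11:22:33:44:66": "printer-floor-3",
}

# Constructed switch log (assumed format: one MAC-learn event per line).
SAMPLE_LOG = """\
2024-03-01T08:02:11 sw-floor3 MACLEARN port=Gi1/0/12 mac=00:11:22:33:44:55 vlan=10
2024-03-01T08:05:40 sw-floor3 MACLEARN port=Gi1/0/17 mac=B8:27:EB:12:34:56 vlan=10
2024-03-01T08:06:02 sw-floor3 MACLEARN port=Gi1/0/03 mac=00:11:22:33:44:66 vlan=20
2024-03-01T08:07:15 sw-floor3 MACLEARN port=Gi1/0/17 mac=b8:27:eb:12:34:56 vlan=10
2024-03-01T08:07:20 sw-floor3 LINK-UP port=Gi1/0/17
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<switch>\S+) MACLEARN port=(?P<port>\S+) "
    r"mac=(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) vlan=(?P<vlan>\d+)$"
)


def find_unknown_devices(log_text, inventory):
    """Return (first_seen, switch, port, mac, vlan) tuples, one per unknown device and port."""
    reported = set()
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a MAC-learn event (e.g. LINK-UP), skip it
        mac = m["mac"].lower()  # normalize case before the inventory lookup
        if mac in inventory:
            continue
        key = (m["switch"], m["port"], mac)
        if key in reported:
            continue  # the same unknown device re-learned on the same port
        reported.add(key)
        findings.append((m["ts"], m["switch"], m["port"], mac, m["vlan"]))
    return findings


if __name__ == "__main__":
    for ts, switch, port, mac, vlan in find_unknown_devices(SAMPLE_LOG, INVENTORY):
        print(f"unknown device {mac} on {switch} {port} (vlan {vlan}), first seen {ts}")
```

A check like this complements port security or 802.1X on the outlets themselves; it does not replace them.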

WHAT INSIGHTS CAN A PHYSICAL ASSESSMENT PROVIDE?

The physical assessments of SySS identify system and configuration weaknesses in access control systems, detect technical and organizational process errors, and provide information on employees' awareness of IT and building security. SySS makes recommendations whose implementation achieves higher security standards. In the technical field, this is, for example, the setting up of sensor-controlled passages; for process optimization, for example, there are appropriate blocking and reporting periods. In terms of awareness, SySS recommends appropriate training courses aimed at raising employees' security awareness, from locking the PC and closing the office door to handling phishing messages and other social engineering techniques such as tailgating or piggybacking.

By the way: A physical assessment is often also part of red teaming tests according to TIBER-EU, as recommended for banks, insurance companies, financial market infrastructures and their service providers.

And finally: One of the few times SySS was exposed was when an employee began to wonder, because the behavior of the SySS consultants reminded him of his own earlier work as a tester performing physical assessments.

DO NOT HESITATE TO GET IN TOUCH +49 (0)7071 - 40 78 56-0 or anfrage@syss.de | OUTSIDE REGULAR OFFICE Hours CALL +49 (0)7071 - 40 78 56-99

As a framework contract customer please dial the provided on-call service number
