Posted by Jim Hartnett on June 2, 2016
During a red team engagement, assessors physically enter the target's facilities. This part of the test tends to be overlooked or downplayed in security testing results, but old-fashioned attack methods still work. To limit the damage from a physical breach, it is critical that your firm encrypt its data at rest. Otherwise a red team assessor, much like a real-world intruder, can simply pull a hard drive out of a server, read its contents offline, and leave the firm with little recourse.
With physical access, many logical controls become useless. Domain authentication, for instance: boot the domain controller with Kon-Boot, which bypasses the logon password check, and create a new user account in the domain. You may have a strong firewall protecting the internal servers, but to get around it physically, simply plug into a local network switch port (unless that port enforces 802.1X or port security, it will hand you an address on the internal network).
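The "yank a hard drive" scenario above is only a data breach if the drive's contents are readable. As an added example (not from the original post), the following Python script audits a Linux host the way a red team would look at a pulled disk: it walks the `lsblk -J` device tree and reports every mounted filesystem whose stack contains no dm-crypt layer. The embedded JSON is a constructed sample, not output from a real host; the `--live` flag and the `ALLOWED_PLAINTEXT` set are the script's own assumptions.

```python
"""Report mounted filesystems that sit on an unencrypted block device.

A filesystem counts as protected only if a dm-crypt ("crypt") node lies
between it and the physical disk; LVM or plain partitions with no such
layer are readable by anyone who walks off with the drive.
"""
import json
import subprocess
import sys

# Constructed sample of `lsblk -J -o NAME,TYPE,MOUNTPOINT` output (not a real host):
#   sda1 -> /boot (plaintext, expected)
#   sda2 -> LUKS -> LVM -> / and swap (encrypted)
#   sdb1 -> /data (plaintext, a finding)
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": null, "children": [
      {"name": "sda1", "type": "part", "mountpoint": "/boot"},
      {"name": "sda2", "type": "part", "mountpoint": null, "children": [
        {"name": "luks-root", "type": "crypt", "mountpoint": null, "children": [
          {"name": "vg0-root", "type": "lvm", "mountpoint": "/"},
          {"name": "vg0-swap", "type": "lvm", "mountpoint": "[SWAP]"}
        ]}
      ]}
    ]},
    {"name": "sdb", "type": "disk", "mountpoint": null, "children": [
      {"name": "sdb1", "type": "part", "mountpoint": "/data"}
    ]}
  ]
}
"""

# Assumed policy: the boot loader has to read these, so they may stay plaintext.
ALLOWED_PLAINTEXT = frozenset({"/boot", "/boot/efi"})


def walk(devices, encrypted=False):
    """Yield (mountpoint, device_name, encrypted) for every mounted node.

    `encrypted` flips to True at the first dm-crypt node on the path from the
    physical disk and stays True for everything stacked above it.
    """
    for dev in devices:
        enc = encrypted or dev.get("type") == "crypt"
        mountpoint = dev.get("mountpoint")
        if mountpoint:
            yield mountpoint, dev["name"], enc
        yield from walk(dev.get("children", []), enc)


def unencrypted_mounts(lsblk_json, allowed=ALLOWED_PLAINTEXT):
    """Return {mountpoint: device} for mounts readable from a pulled drive."""
    tree = json.loads(lsblk_json)
    return {
        mountpoint: name
        for mountpoint, name, enc in walk(tree["blockdevices"])
        if not enc and mountpoint not in allowed
    }


def live_lsblk_json():
    """Query the running host (needs util-linux with JSON output support)."""
    return subprocess.check_output(
        ["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"], text=True
    )


if __name__ == "__main__":
    data = live_lsblk_json() if "--live" in sys.argv else SAMPLE_LSBLK_JSON
    findings = unencrypted_mounts(data)
    for mountpoint, dev in sorted(findings.items()):
        print(f"UNENCRYPTED  {mountpoint:<20} on {dev}")
    if findings:
        sys.exit(1)
    print("all data-bearing mounts sit on dm-crypt")
```

Run it without arguments to see the sample case flag `/data` on `sdb1`, or with `--live` on a host to audit the real layout. Swap is deliberately included in the walk: an unencrypted swap partition leaks memory contents just as readily as a data volume.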
The digital game changes significantly when a physical player walks onto the field. Many security experts can tell you which cipher suite to use for TLSv1.2, but far fewer can tell you whether the lock on the server room door will hold; the craft of mechanical lock and door design has declined, to the detriment of users. The old credit card trick (slipping a stiff card past the door edge to push back a spring latch) has worked on the majority of doors my team has tested, even though it is trivial to defeat. The most common reason? Doors that were simply not framed properly.
It doesn't help that many commercial buildings have design weaknesses that are outside the tenant's control, ranging from master-key systems held by building management (in an unlocked key box) to open drop ceilings that run continuously between office suites. Many of these weaknesses are hard to anticipate, but all is not lost.
Humans are the foremost challenge in physical security, because humans make errors. Someone's unlocked desk may hold unredacted documents containing personally identifiable information (PII) or passwords. Then there is the error of common courtesy: holding the door for the person walking into the building or office suite behind you. Employees are told what not to do but are rarely given better, or any, alternatives. Access cards are worn or carried in ways that make them easy to steal; believe it or not, simply issuing lanyards encourages employees to wear their cards around their necks, where they are not snatched so easily.
Because of this lack of understanding, many organizations take the security of a physical control at face value. How can your firm overcome this? A red team assessment gives an organization a view of the details that are not visible at the network layer. A holistic red team approach combines several methodologies, including physical entry, to demonstrate viable end-to-end attacks. This yields insight into the actual risk present in the organization rather than a list of scan results, and the assessors can give your firm tangible remediation goals based on the threats they demonstrated against business operations.
Nothing tells an organization something is wrong more than a breach caused by servers walking out the front door.