Cyber Security is a topic I feel quite passionately about. The years I spent studying Cyber Security and Networking at university, and then going on to work as a Cyber Security Analyst at a small ISP, are to blame.
Security is an aspect that needs to be considered at pretty much every level of the technology stack, and it’s widely accepted that a secure defensive posture doesn’t end with digital tech alone.
Physical perimeter security is also required to harden the cybersecurity profile of organisations of any size. For example, I’d consider implementing keyless entry security locks, which require employee ID badges to the premises for a start.
Even better would be having physical barricades at entry points, with manned security posts at the same entryways. This might sound like overkill, but these precautions are precisely what I stumbled my way past on route to a recent job interview.
Confidence and the Kindness of Strangers Leave Firms Vulnerable
The day of the interview I arrived at the business park where the office was located just as the working day was winding down. As I approached the building, I was greeted by numerous employees leaving for home.
Thankfully, one was kind enough to hold the door open for me, allowing me to pass through the first layer of controlled access unimpeded. I then approached the security desk and security gate to ask for assistance in locating the office where the interview would take place.
The security staff, who were too busy to help me, were standing by the security gate using their own security passes to allow staff to funnel through the secure entry and exit point.
I walked up to the gates, nodded and smiled at one of the security staff members, and walked through. Confidence -acting like I belonged – prevented me from being stopped for a second time. It’s important to note that I wasn’t trying to gain unauthorised access to a building with malicious intent.
At this point, I believed I had an appointment at 5:30pm at an office in this block. So, naturally, when I approached the elevators and realised I needed an ID badge to activate them, I began walking back to ask for assistance from the security staff.
But as I started to move away the elevator doors opened, and more workers spilled out. Seizing the opportunity, I entered the lift, pressed the floor number and kept on my way to the office I was trying to reach.
At this point, I hadn’t given a second thought to the now three levels of security I had stumbled through by simply taking advantage of the kindness of strangers. It wasn’t until I exited the elevator and found myself walking into an empty office, with an elevator that I couldn’t summon behind me and an alarmed stairwell to my side, that I realised just how far I’d gotten.
I checked my email using my phone, and confirmed my fears – my interview was scheduled to take place the following day. While this explained the dark, deserted office, it led to a further realisation – I was trapped.
Physically Compromising a Network is Easier Than You’d Think
It was morbidly fun speculating what I could have done had I been a malicious actor seeking to compromise this office’s network. With a secure physical perimeter being so fundamental for the overall security of an organisation, it’s staggering how prone to human error it can be.
Just imagine what can be achieved when the physical security of a building is compromised, and its core infrastructure left completely unchecked.
A LAN Turtle is a covert hardware tool that’s capable of stealthily providing remote access, intelligence gathering, and man-in-the-middle monitoring capabilities on a target’s network.
In my situation, maliciously deploying a device like this would have been a simple case of pre-configuring the Turtle and plugging it in between a target machine and that machine’s Ethernet cable.
From one simple but deliberate action, a target’s network could be critically compromised.
Hypothetically, I’d have a backdoor into the network and/or reporting capabilities of all traffic being sent or received from the machine I’d connected to. This is a form of a man-in-the-middle attack, where the malicious device sits between two nodes and intercepts network traffic.
A slightly more advanced avenue of attack, which could be easily exploited with free access, would be installing key-logging hardware called a Bash Bunny – a powerful multi-function USB attack platform used by ethical hackers and penetration testers alike.
Key traits include its easy setup and deployment through a simple ‘Bunny Script’ language and a centralised repository of payloads. For such a simple plug and play device, its multiple attack vectors (including HID keyboard which simulates keystrokes while performing a keystroke injection attack) make it a formidable deployment.
With enough preparation in pre-configuring the Bash Bunny can begin keylogging in an instant.
Three Key Takeaways About Physical Firewall Vulnerabilities
The three lessons I took away from my ‘Walk Past the Firewall’ experience directly impacts my perception of what it takes to have a secure IT environment outside what would normally be considered.
Firstly, staff training is essential.
There’s no point for a business to be investing heavily into physical and environmental security for it to be entirely undone by staff all too eager to assist a friendly stranger.
Remember, having staff aware of the dangers of allowing tailgaters could have prevented me from bypassing the first, second and third layer of physical security.
We’re British which means we’re known for our politeness, but we must prioritise security over common courtesy and not be afraid to ask an unfamiliar face if he or she has permission to be where they are.
Better Planning is Fundamental to Physical Cyber Security
Better planning and implementation of physical security are equally fundamental. A lot of businesses may implement extensive physical security, but if these precautions are easily bypassed why bother with the investment in the first instance?
For example, physical barricades look impressive and are capable of enforcing access control – so long as they are continually supervised. A glaring flaw with almost all of these ‘secure’ barricades is that they use infrared light sensors to track individuals that pass through them.
These sensors are easily exploited when you follow close behind someone who scans their badge and blocks the sensors with something (such as a folder or briefcase), thus keeping the gate open. To ensure the efficacy of physical barricades for access control, continuous supervision would need to be present to identify aggressive tailgating.
Educating Staff on Company Procedure is Crucial
Lastly, and most importantly, rules and procedures should surround these physical measures. It’s relatively easy for a malicious actor to gain access to a physical location using observation, confidence, and a little bit of preparation.
But if there are rules that all employees must follow to move from location to location, the social engineering techniques used to exploit employees are immediately eliminated – so long as these rules and procedures are followed.