10 steps to lower the chances of a physical security attack

The risks of a physical security breach

A physical security attack can cause at least as much, or even more, damage than a cyber attack. Investments in digital and physical security need to go hand in hand, otherwise vulnerabilities will be created. Moreover, as investments in cybersecurity increase, criminals will shift their efforts towards physical breaches, since most security technology solutions still date back to the 20th century. The most common risks are listed below.

1. Theft of documents or company assets

Unauthorized access may lead to stolen confidential documents, desktops and hard drives. Although most assets can be replaced easily, the data stored on them might be lost forever. Or even worse, the data stored on the stolen assets can contain sensitive company information, which might lead to new cyberattacks.

2. Damaged equipment

A break-in usually results in damaged equipment. It will take time to replace the damaged assets or downtime associated with broken equipment.

3. Server room access

Many companies still have server rooms. Unauthorized access can cause immense damage: remote access can be set up, information can be copied, remote monitoring can be implemented, bugs can be installed, etc. Besides these risks, detection of this type of breach will be very hard.

4. Greater access to employee identification information and passwords

A lot of people still write passwords down in a notebook or on a post-it. This information can be easily retrieved and used for a cyberattack in a later stage. Next to this, unguarded and unlocked desktops also form a major threat to retrieve confidential information or passwords.

5. Business reputation damage

The consequences of a physical data breach, such as company downtime, data leaks and uncertainty, can lead to reputation damage and lost business.

The methods of physical security attacks

Most physical security attacks are hard to detect, since they're very subtle. The most common methods are described below.

1. Social engineering

Social engineering is a manipulation technique to obtain sensitive information, such as passwords, access badges or company intel. Tailgating is an example of social engineering where an unauthorized individual directly follows an authorized individual as he or she passes through access control. Another example is the "coffee trick". This form of social engineering occurs when an unauthorized individual holds a coffee cup in one hand and documents in the other hand. Out of friendliness, most unsuspecting employees will hold the door for the unauthorized individual. Social engineering can go much further than the previous examples. Attackers can pretend to be contractors, journalists or company management from another branch to gain physical access.

2. Access system hacking

Another way of breaking into a building is by hacking the access control system. For example: by eavesdropping an unauthorized RFID reader can listen to conversations between an RFID tag and an RFID reader to obtain access data. D. Maldonado, a Security Researcher, has demonstrated that RFID cards can be remotely copied in a matter of seconds at DEF CON 25.

Eavesdropping can also be used to overhear lock codes, pin codes, and security passwords. Unsecured network communications is one of the primary triggers for an eavesdropping attack.

3. Physical break-in

A third, and less subtle, method is a physical break-in. Usually, these break-ins occur when there's no surveillance system, no security guard on site or when the response time is slow.

Steps to prevent or lower the chances of a successful physical attack

1. Institute a clean desk policy
2. Educate employees on the risks of physical security breaches
3. Have an up-to-date password policy
4. Keep track of all visitors
5. Log security events, identify vulnerabilities and improve constantly
6. Perform physical penetration tests on a regular basis with multiple companies
7. Implement a biometric layer to the access control solution
8. Let employees lock their computers when they leave their desks
9. Dispose confidential documents by shredding them
10. Never leave visitors unattended and report suspicious activities