When business leaders think about protecting data, images of faceless hackers breaking into their organization's virtual network to abscond with it typically fill their minds. What many businesses overlook is the security of the physical business, which is just as important, if not more so, than virtual security such as antivirus and firewalls. The fact of the matter is that when I conduct security audits called penetration tests, or pen tests, for businesses, I often find physical security issues that could result in data loss and much worse.
I always test doors and locks when conducting pen tests. About 95 percent of the time I conduct these tests, I find problems with either a door or a window that is very easy to open. User-friendly doors with motion sensors, electromagnetic doors, and those with crash bars are incredibly simple to bypass from the outside (See our video here).
Many companies install locks and doors that don't do an effective job. A door that appears closed is not necessarily locked, and even a door you have locked can fail if its mechanism does. This is especially true if a door or lock is not installed properly. I often find locks that are improperly installed so they can be opened with a credit card or a thin piece of plastic. Something as simple as the angle of the lock facing the exterior of the door can make a building a piece of cake to break into.
Another issue that can occur at installation is if the hole in the door frame is drilled too large for the lock button. This can cause the small button of the lock to fall in, leaving the lock completely ineffective as a result. Bad guys know this stuff and it can lead to serious security problems.
Doors with motion sensors open up fresh opportunities for those who would do harm to your company. Motion sensors can be bypassed with compressed air or by inflating a balloon through cracks under or between the doors. There are many ways to get past these security devices.
Other factors can lead to security failures where doors are concerned, including safety regulations. Most commercial properties cannot have a deadbolt on exterior doors due to fire code. Insider threats, such as someone stepping out to smoke and propping the door so it cannot close, can also create an opportunity for would-be thieves. During the last pen test Dox conducted, we found exterior doors that could be easily accessed. Remember, once a bad actor is through an exterior door, interior doors are even easier to get through, if they are locked at all.
Windows and Other Entryways
Upper-level windows, fire escapes, and roof accesses are often overlooked when it comes to security. An unmonitored, unlocked roof access or upper-story window makes entry easy for thieves. An open bay door where truck deliveries are made is another means of access for those wishing to do your business harm. By arming themselves with a clipboard, bad actors can appear to belong at your business when they are really there to cause trouble. Thieves are the best liars, so they always have a cover story ready.
While I understand the purpose of alarms at doorways and windows, such alarms provide a false sense of security in many instances. To begin, alarms are typically off during the day when businesses are open and employees are in the building. This makes it easy for those up to no good to blend in during the day as an employee, customer, delivery person, or maintenance technician, especially in larger businesses and cities. Someone can come in during the day to case a business, checking for motion sensors, video cameras, and other security measures, and the alarms have done nothing to protect the business.
Another security measure that typically provides a false sense of security is the use of identification badges. Businesses and organizations often require a badge for entry but not a code. We have become a very convenient society, so your badge often doubles as an alarm code. When these types of badges became popular among businesses, no one was thinking about how easy it would be to copy them.
A good ID badge system lets you know immediately whether someone belongs in your building and requires a code in addition to the badge. At roughly 75 percent of the places I visit to perform pen testing, I can easily copy the badges. Copying badges has become so simple, in fact, that I can typically copy a badge to create a fake one just by passing someone who has a badge. In the last two months, there has been only one badge that I have not been able to duplicate.
The best way to use badges to beef up your security is to use multifactor authentication on your badge doors: a key code in addition to the badge. I can clone a badge card from up to three feet away, but if there is also a keypad with a personal identification number (PIN), I don't have a way to easily beat that system. Integrating a keypad with badges is a cheap and effective means of mitigating the efforts of bad guys.
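As an added illustration (not code from the original post or from Dox), the following Python model shows why a badge-only door falls to a cloned card while a badge-plus-PIN door does not, and runs a simple check over constructed access-log events that flags a badge UID turning up at two readers faster than anyone could walk between them, a useful indicator of a cloned card. Badge UIDs, PINs, reader names, timestamps and the two-minute travel threshold are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

def _pin_hash(salt: bytes, pin: str) -> bytes:
    """Derive a slow hash of the PIN so a dumped badge directory does not reveal PINs."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

# Constructed badge directory: badge UID -> (holder, salt, PIN hash). Not a real system.
BADGES = {"0A1B2C3D": ("alice", b"salt-alice", _pin_hash(b"salt-alice", "4821"))}

@dataclass
class Swipe:
    badge: str                 # UID read from the card (this is what a cloner copies)
    reader: str                # door the card was presented at
    at: datetime
    pin: Optional[str] = None  # None when the reader has no keypad or no PIN was entered

def decide(swipe: Swipe, require_pin: bool) -> str:
    """Badge-only policy grants on a known UID alone; badge+PIN also needs the right PIN."""
    entry = BADGES.get(swipe.badge)
    if entry is None:
        return "DENY"
    if not require_pin:
        return "GRANT"         # a cloned UID alone is enough under this policy
    _, salt, expected = entry
    if swipe.pin is None or not hmac.compare_digest(_pin_hash(salt, swipe.pin), expected):
        return "DENY"
    return "GRANT"

def suspected_clones(swipes: list, min_gap: timedelta) -> list:
    """Flag a UID seen at two different readers closer together than anyone could walk."""
    flagged, last_seen = [], {}
    for s in sorted(swipes, key=lambda s: s.at):
        prev = last_seen.get(s.badge)
        if prev is not None and prev.reader != s.reader and s.at - prev.at < min_gap:
            flagged.append((s.badge, prev.reader, s.reader))
        last_seen[s.badge] = s
    return flagged

# Constructed access-log sample: the real holder badges in at the lobby with her PIN,
# then the same UID shows up at the loading dock 40 seconds later with no PIN.
T0 = datetime(2024, 1, 15, 9, 0, 0)
MIN_GAP = timedelta(minutes=2)     # shortest plausible walk between any two readers
SAMPLE = [
    Swipe("0A1B2C3D", "lobby", T0, pin="4821"),
    Swipe("0A1B2C3D", "loading-dock", T0 + timedelta(seconds=40)),
]
```

Under the badge-only policy the second swipe is granted; under badge-plus-PIN it is denied, and the clone check flags the UID for the same pair of readers.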
It’s a well-kept secret in business that most places don’t watch surveillance video unless there is a break-in or they have someone monitoring the cameras constantly. Small theft is not so noticeable, and video is often overwritten after a week. This makes it nearly impossible to catch small, repeated theft, and if a theft goes unnoticed for longer than a week, all of the evidence is gone.
To increase your security using video cameras, it is imperative that all video is kept for at least 30 to 60 days, if not longer. Some federal and state regulations require keeping security video footage for up to six months. PCI DSS v3.2.1 requirement 9.1.1 says to store surveillance data for at least three months, unless otherwise restricted by law.
Verizon’s 2017 Data Breach Investigations Report showed that 25 percent of breaches involved internal actors. Internal threats to a company can be the result of a disgruntled employee who feels they are not being paid what they are worth, has been passed over for a promotion, or just dislikes their supervisor. Others may be offered money, another job, or other rewards for stealing data for a third party. Though some internal threats are deliberate, others are simply accidents or a lack of training. Something as simple as an employee stepping outside to smoke a cigarette can become a major insider threat to a company’s security.
There have been times I have just followed people into a building and no one even asked for identification. People often assume I am a maintenance man or have a key, but rarely does anyone ask me who I am, why I am there, or for identification allowing me to be inside the building. Once someone is in your building, it is easy for them to take data or plant something, such as devices that can steal data off your network.
Trash Cans and Other Containers
This is a place where data thieves can always find something good. Trash cans, garbage bins, shredders, and file cabinets are all places where proprietary data can fall into the wrong hands. Many of the industries we work with are regulated in regard to the proper storage and disposal of data. File cabinets should remain closed and locked, old data should be shredded (see our blog on the proper disposal of data), and garbage should be put outside just before pickup.
Fences and Gates
Fences with gates that roll open automatically can lead to real security issues. These gates typically work using a sensor in the ground. Such automatic gates make it simple for someone to follow an employee or a delivery person onto the premises. When someone is leaving, the gates open from the inside out, but this can allow room and time for a thief to sneak inside the fencing. I can cheat these gates, and there are even videos online that demonstrate how to cheat the underground sensors.
What makes these types of gates an even greater threat is that if I enter a building from a fenced-in area, no one is going to challenge me. Again, our society has become one of convenience at the cost of security across all industries, from hospitals and manufacturing to finance. Convenience is why there is not a facility that I can’t get into as an ethical hacker.
A live guard can be a plus to security, but if a thief wants in, even this cannot deter them. Someone who wants to get into your building to steal something or plant something can watch the guards to learn their schedule and strike as soon as they leave.
Business leaders need to know that many regulations require companies to retain their system logs for six years. This is a standard guideline for many organizations in a variety of fields, including those regulated by the Health Insurance Portability and Accountability Act (HIPAA), the Defense Federal Acquisition Regulation Supplement (DFARS, which requires NIST SP 800-171), the Federal Information Security Management Act (FISMA), and NIST SP 800-53, a publication that recommends security controls for federal information systems and organizations. This means all data from firewall logs, server logs, and intrusion detection logs, among others, must be kept for six years, and many businesses don’t have the capacity for that type of system log storage.
And the Solution Is…
To truly secure your business and data, business leaders need to invest in hiring a security expert, not a locksmith. It’s best to hire someone who knows how to break into companies. You need an ethical hacker, a pen tester, like those here at Dox Electronics. We can show you how someone could evade your current security measures in order to break in and how to address security weaknesses. We even offer services such as system log storage and virtual security to best protect your business.
Should you have any questions or wish to schedule a free consultation, please contact Dox now at (585) 473-7766. Thank you for your time and stay safe both on and offline.