Verder naar navigatie Doorgaan naar hoofdinhoud Ga naar de voettekst

Physical Security: the Most Overlooked Component of Your Cyber Security Program

02 juni 2023

door NCC Group

Securing your organization’s assets from a sophisticated electronic attack is at the foreground of discussion for security in the modern threat landscape. Less discussed but just as critical is the susceptibility to physical attacks. Physical attacks are a very real and present threat to securing digital assets, as seen for example in the 2019 compromise of NASA Mars Rover data by a rogue Raspberry Pi.

Most organizations handle digital threats independently of those in the physical realm, and therefore struggle to understand and articulate the consequences physical security has on cyber security. Physical locations, such as company headquarters, can almost always provide access to internal and otherwise-restricted data. This can provide a trivial method of gaining a foothold into an organization that may have spent millions on cyber security but is lacking on its physical counterpart.

Many organizations fall short on physical security

Understanding how someone can gain physical access to an organization, as well as the risks to digital assets from physical compromise, is important to properly protect data and business operations. Yet, many take physical security for granted: the presence of biometrics, RFID readers, security patrols, CCTV cameras, and even barbed wire fencing may provide peace of mind to already-honest people, but they are all easily bypassed by a dedicated attacker.

The compromise of physical controls can give an attacker access of digital controls, such as being placed on a sensitive subnet within an office space. Alternatively, it is also possible to compromise physical controls through compromised cyber assets, such as gaining access to internal CCTV or badge-control systems. Doing so can be as simple as plugging into an ethernet port, planting malware, or manually exploiting unlocked laptops, and even finding sensitive credentials written down in sticky notes.

Simply put, establishing your company’s physical security baseline (or maturity) is as important as establishing the cyber counterpart. Yet, the vulnerabilities associated with people and premises are often overlooked. Many organizations’ operational procedures and physical security hardening are not well established, have gaps in coverage or capability, and are not adequately tested—nor with regularity.

Common examples of physical security vulnerabilities

It is important to know the risks related to physical security in order to evaluate vulnerabilities which could allow for each risk to manifest. Equally important is the need to understand the probability and impact of these risks to determine how and where to invest in additional controls.

For each risk listed below, there are various detective, preventative, and corrective controls that can be put into place.

Take the theft of an asset from an unknown person as an example. It would be possible to add sensors near assets you are protecting (detective), add signs and locks (preventive), and preventing physical access to the asset (corrective).

Expertise Icon 3

Unauthorized access to sensitive and corporate networks

Software Resilience Icon

Theft of assets or data

Expertise Icon 1

Malicious devices planted or "bugged"

Expertise Icon 1

Safety critical events

Expertise Icon 3

Harm to employees

Remediation Icon

Damage to property

Expertise Icon 2

Network disruptions

Leverage a variety of physical security assessments

The importance of a physical security assessment

A physical security assessment is a test designed to evaluate and set forth a plan to remediate vulnerabilities in physical defenses such as doors, locks, cameras, walking paths, security guards, and so on. It can help identify the effectiveness of the controls in place, not just the design of the controls.

These assessments can discover ways to bypass controls, however they will also help provide a defense-in-depth strategy. This means that if a compromise happens in the physical or digital realms, it is contained to one or the other, ensuring the safety of the whole. A physical security assessment can map out the entire attack chain, highlighting how each issue is exploited and providing steps for remediation. With this in mind, physical security assessments should be considered a requirement, even outside of compliance mandates, and should take into context the impact other areas of the business.

This should be completed annually (outside of compliance work) to test the maturity and
effectiveness of physical controls. Doing so will help identify the immense gaps left by compliance standards, from policy and procedures to hardening physical controls. After all, adversaries attempting to exploit physical controls will move on or give up if the time and effort is too substantial— just like an adversary attacking from the internet.

When planning physical assessments, it is critical to consider the business context as well as potential threat actors, such as hacktivism or organized crime. This will help you select the right type of physical assessment to fit the various needs of your organization. During a vulnerability assessment, you will
likely learn that your attack surface is greater than you once thought it was. During a penetration test, the focus will be to assess your existing controls and even emulate your organization’s threat actors.

Physical Vulnerability Assessment

Commonly referred to as a white-box security assessment, the company being assessed will provide the maximum amount of information or documentation about their security controls, potential weaknesses, and physical security procedures. The assessor will then identify vulnerabilities and suggest improvements. This can be accomplished through policy reviews, blueprints, stakeholder interviews, review of evasion and circumvention protections, modeling of likely attack scenarios, and even live demonstrations.

Physical Penetration Test

Commonly referred to as a black-box security assessment, the company being assessed will provide only limited information regarding internal security controls; the assessor will then identify ways to gain physical access to key assets. During physical penetration tests, experts will gather intelligence and try to gain covert physical access to a building. This typically includes circumventing controls, taking advantage of ineffective controls, and developing a thorough attack plan to account for variations.

Combination Assessment

Commonly referred to as a full-spectrum security assessment, this method combines several attack vectors and threat actors into one engagement. These are fully custom projects specific to a particular organization to simulate as closely as possible a series of real-world scenarios. They are also the evolution of traditional red teams but without limitations and should only be used for the most mature organizations.

Checklist: Physical Security Assessment

  • What is your attack surface and do you have it documented?
  • How many physical locations will you test?
  • Are any third-party sites in scope and do you have approval to perform testing?
  • Do you have to notify anyone that this testing will occur?
  • Will the testing team require escorts to be close by?
  • Who is the on-site contact for each location?
  • Will there be an operational impact if an intrusion is detected? 
  • If an intrusion occurs, how is it handled and what is the chain of alerting?
  • Who is the sponsor for the project (if this is for internal audit vs. IT security vs. corporate security the approach, methods and reporting might be different).
  • Are there any restrictions?
  • Are there armed guards or guard dogs?
  • Will you allow simulated attacks or covert intrusions?
  • What month will testing occur and why?

Scoping example: PCI

For the purposes of a PCI Report on compliance, you need to provide documented evidence (e.g., policies, procedures, and evidence) of controls. You will also need to have a Qualified Security Assessor (QSA) observe and test the controls/requirements that are in place. The QSA will meet with physical security control owners and operators to verify how individual controls are being met and will do this through interviews, observations, and testing. During a PCI audit, the scope of the test is a subset of the enterprise, not the whole enterprise. The scope of a PCI audit is any part of the network or physical locations that process, transmit, store, or can impact the security of the cardholder data environment— not the whole enterprise. PCI audits will not test bypasses to certain physical security controls if they are not in scope or may not evaluate all defense-in-depth measures which are meant to prevent data access. PCI audits involve testing and reviewing physical security controls. However, a PCI audit does not attempt to circumvent those controls, unlike a physical security audit. By attempting to bypass physical security controls, you can go one step further to demonstrate if physical security vulnerabilities can impact the protected data.

Note:
This is how FedRAMP approaches penetration testing.
Physical security Assessments help provide
an attacker’s point of view on operational soft
spots. Soft spots that, when exploited, can
be used to gain access to sensitive security
enclaves by bypassing controls and evaluating
defense-in-depth.

Ensuring an accurate scope for your organization

In short, the scope of each type of physical assessment will vary based on the organization’s unique risk profile, the maturity of its security program, and how it operates as a whole. In addition, if physical security has been previously tested, this will impact the approach an assessor will want to follow; it will likely also influence budget allocated to the test (thus impacting scope).

The scope of a physical security assessment typically involves a location(s) and the associated assets. A larger scope will always provide more value than compliance assessments or other audits that have a narrow and/or restrictive scopes.
Furthermore, a physical security assessment will help harden operational system and physical security as a whole, whereas other audits might only look at physical security as a sub-category of a control framework assessment.

If hardening physical security is a goal of a penetration test, you might see findings related to:

  • External landscape and site design
  • External features
  • Building perimeter security (Examples can include:)
    • Building inventory – Points of entry & exit
    • Building analysis – External door access controls
    • Building analysis – Alternative points of entry
    • Building analysis – Methods of perimeter access control
    • Monitoring & alerting – External use of alarms, sensors, & IDS
  • Security personnel
  • Policies and procedures
  • Internal layout and design (Examples can include:)
    • Building analysis – Main entrance vestibule & lobby
    • Building analysis – Methods of internal access control
    • Monitoring & alerting – Internal use of camera monitoring
    • Monitoring & alerting – Contraband search & detection
    • Monitoring & alerting – Internal use of alarms, sensors, & IDS

Below, you will find a checklist of sorts for a typical physical security assessment. It is not intended to be an exhaustive list of scoping considerations but should help you get started. Once a project is established, there are additional rules of engagement considerations that need to be thought through.

Physical security reaches beyond compliance

Traditionally, companies will test physical security as part of a compliance audit (e.g., SOC2) and will stop there. Organizations go through a variety of audits which might scratch the surface of a physical security assessment, but the intended purpose is not enhancing the resiliency of physical controls to prevent data and/or asset access/theft. As previously stated, meeting physical security compliance does not mean you are protected from threat actors targeting your assets.

Some examples of different audits that might touch upon physical security include PCI, VISA Physical, Occupational Health & Safety (OSHA), FedRAMP, CMMC, and HIPAA (to name a few). However, a distinct physical security assessment can help supplement many of compliance-based assessments. Unfortunately, today’s compliance frameworks remain ineffective and inadequate in addressing sophisticated or even
rudimentary threats. NIST, FISMA, SOC, and other compliance standards that mandate certain physical controls may keep out your standard pedestrian but do little-to-nothing against organized social engineering attacks, or even an adversary that knows how to bypass alarm systems. As a result, enhanced controls must be developed to mitigate attackers that are not bound by rules, time, or budget.

Physical security in regulatory frameworks

Several frameworks, standards, and regulations exist that have physical security components.

Cyber Security Maturity Model Certification. The Cybersecurity Maturity Model Certification Framework (CMMC) is the Department of Defense’s (DoD) response to growing threats. Physical security is one of 17 capability domains that has associated practices and processes across 5 levels of maturity.

FedRAMP. The Federal Risk and Authorization Management Program (FedRAMP) is a standard applicable to any cloud service provider (CSP) that is providing cloud services to the U.S. Federal Government. States and local governments are beginning to provide preference in procurement to solutions that are FedRAMP authorized. Physical security is a key area of FedRAMP and the physical environment is part of the required attack paths that need to be included during penetration testing. Note: FedRAMP is similar to CHECK.

CHECK. The IT Health Check Service, (CHECK), exists primarily for the benefit of Her Majesty’s Government (HMG) and UK Critical National Infrastructure (CNI) end users who wish to have their sensitive IT systems and networks checked for vulnerabilities. Companies belonging to CHECK are measured against high standards set by the UK Government’s National Technical Authority for Information Assurance (CESG). This scheme is designed for companies doing work in the UK and requires them to invite security experts to identify IT security weaknesses through practical expert testing by an independent and qualified third party.

PCI DSS. PCI DSS applies to any company that stores, process, or transmits credit card information. Requirement 9 specifically talks about physical security controls, however physical security is also referenced in other requirements, including Sections 8, 10 and 11

Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA applies to Covered Entities and Business Associates; these are companies that come into contact with electronic health information. HIPAA is broken into 3 types of safeguards: Administrative, Technical, and Physical. These safeguards are then further broken down into addressable and standard implementation specifications.

Health Information Trust Alliance (HITRUST) Framework v9.2. HITRUST is a security framework that maps to various regulatory factors (e.g., FedRAMP, FISMA, HIPAA, CMS, ISO 27001, NIST, FFIEC and more) and is based on levels of security maturity. The framework has 19 domain categories which are then broken out into control objectives and control specifications. Control specifications then map to control statements and control levels which number into the hundreds for a single assessment. One Domain includes Physical & Environmental Security as a control category. There is an additional category for Equipment Security, which includes things like security of off-premises equipment and secure disposal or re-use of equipment.

NERC Critical Infrastructure Protection (NERC-CIP). NERC CIP is a set of standards designed for the U.S. Bulk Electric Grid. The standards lay out of number of requirements, measures, and compliance monitoring specifications. Compliance monitoring includes compliance audits, self-certifications, and spot checking—all of which could be enhanced from a distinct physical security assessment to validate physical security controls and how they could be circumvented. Most compliance assessments want to see that you have developed a control but testing procedures for validating controls can be insufficient or non-existent. This means that validation can sometimes be limited to simply reviewing a policy and procedure, observing a sample of the control, and/or interviewing a control owner to confirm a control is in place. A physical security assessment can take that a step further to ensure that a control is operating as intended, meaningful protections against your threat profile are provided, and your organization understands how that control could be bypassed. This goes further than checking off a compliance requirement, and instead emulates a sophisticated adversary trying to access your assets.

For compliance purposes, organizations will want to demonstrate how they handle:

  • Employee identification & verification
  • Searching possessions & advanced screening
  • Physical inspection & patrols
  • General visitor greeting & handling
  • Deliveries & special use visitor handling
  • Information & logistics services
  • Badge challenges & anti-tailgating precautions
  • Security incident reporting

NCC Group performs physical security penetration tests for a wide variety of companies and industries. If you have sensitive assets protected by physical security controls, you should perform an annual security assessment to help validate controls and reduce risk.

Our team of experienced consultants can verify that your physical security controls are operating effectively but can also help identify if you have blind spots in your physical security program. Whether this is your first physical security assessment or if you’ve experienced one in the past, our team can guide you through an assessment to improve your resiliency.

 

Authors

Justin Orcutt, RMG Specialist, NCC Group

Kurt Osborne, Manager, NCC Group

Robert Moore, Red Team Lead, Wayfair

Get your physical security controls up to speed.

Don't overlook these crucial components- contact us to find out how NCC Group can assess and enhance your organization's physical attack security.