There’s a great story I heard from a security trainer once, which I’ve shamelessly stolen and use in my own courses:
A US corporation decides to introduce an ID badge policy, requiring all staff to wear their badges visibly at all times, and to challenge anyone seen walking around without a badge. Badges are issued, training is given and the policy is enacted. The VP in charge of security decides to test the policy out by walking around without a badge. He’s a senior guy, so unsurprisingly days go by without anyone challenging him; he says nothing, and does nothing, in response to all these policy breaches. Eventually a junior employee who’s just emerged from his security induction comes across the VP and, screwing up his courage, asks to see his badge. The VP demurs with a time-honoured “Don’t you know who I am?”; the employee, following his training and despite his fear of this grand authority figure, insists. The VP eventually produces the badge to the trembling junior, swiftly followed by a congratulatory handshake and a $100 bill. The employee – of course – tells everyone his story. The result – no-one can make it ten badgeless steps inside the organisation without being challenged – in the hope of a swift payday. Carrot beats stick all day long.
My own experience is that physical security in most UK businesses is terrible. Want to get into a multi-occupancy building with a remotely-activated front door? Push a random bell and say “courier”. Or just wait for someone entering or leaving to hold the door for you. Chances are they won’t make any effort to shield the door entry code, either. Once you’re in the building, you can tailgate someone into an office, or just walk into reception and make up a sales story. While you’re waiting for someone to see you, ask to use the loo. Nine times out of ten, you’ll be told where it is; no-one will escort you. Then you can wander about, since even if the office has a visitor badging policy, you won’t be challenged – nobody wants to be that aggressive jobsworth who asks to see your badge.
Now that you’re at liberty, I suggest you carry a newspaper. It’s a great hiding place for the printouts, often carefully marked “confidential”, that people leave lying around – or print out to pick up later – and for carelessly abandoned USB sticks. Amazing how often even businesses with a bag search policy, not that there’s many of them, omit to look at a paper under the arm. Of course you can also listen to people’s conversations, have a good look over their shoulders at their screens – and watch them type their password. If no-one’s paying attention, now’s a good time to slip that keylogger into a vacant USB port, press the WPS button on the office wifi so you can connect up to their network, or plug a wireless-keyboard sniffer into a wallport.
I could go on. But this isn’t intended as a guide to physical hacking. One last thing, though. Most businesses ask visitors to sign in, even if they don’t have a badging policy. Very few check that they sign out again when they leave. So what? So the building catches fire. The fire marshal’s job is to confirm that everyone in the building has been accounted for. If the visitor hasn’t signed out, the marshal should assume they’re still there – presumably dying of smoke inhalation in the toilets. Neither the fire brigade nor your insurers will be impressed when you can’t tell them how many people were actually in your office when the fire broke out.
The answer? Well, to deal with the risks I’ve listed in this blog, six simple policies and two technology fixes:
- Badging. Everybody. All the time. Politeness is the weapon here: train people to ask anyone they see unbadged “Can I help you?”. This is unconfrontational and effective. Clearly, have an incident response policy with appropriate – and safe – responses depending on the reaction from the person being challenged. Remember this isn’t just – or even mainly – about visitors. The biggest risk is sacked or misbehaving employees, so you must challenge even familiar faces (and make sure badges are returned as part of your leaver and suspension processes).
- Proper visitor control. Have a register; make sure visitors sign in and, just as importantly, sign out, because that register is your fire roll call. Have a clear policy for unexpected visitors; have an escort policy, and make an internal sponsor responsible for granting regular visitors unescorted status.
- Clear desks. Again, this is policy – you’ll need to enforce it. Be especially vigilant about removable media, but don’t forget paper.
- Data classification. There’s no point putting “confidential” in your document footers if you don’t then treat such documents confidentially. Controlled circulation, printing restrictions, easily available shredding facilities – these are your friends.
- Secure thinking. Train your staff – wetware trumps hardware every time. Ask them not to let people tailgate; teach them to offer help rather than maintain tactful silence. Make them look over their shoulder, especially when logging in or working on confidential material.
- Equipment marking. Even if you don’t PAT test, have some kind of sticker that identifies your kit. Anything plugged into the network, or into a power port, or even just lying around that isn’t properly marked gets binned. You’ll have to think about your BYOD policy, of course.
- Turn off WPS. It’s a security disaster: in push-button mode, anyone who can reach the access point for a few seconds is on your network, and the PIN variant can be brute-forced over the air without any physical access at all. Even if you have a separate guest WiFi, make sure it’s password-controlled and that you change the password regularly; better still, use a proper access-control system so that guest credentials are issued per visitor and expire.
- Turn off USB ports – or if this is too inconvenient (it often is) at least turn on logging of USB insertion and make sure your monitoring alerts on it, particularly on any device that isn’t on your inventory or that presents itself to the host as a keyboard. Keyloggers and remote control devices are cheap and inconspicuous; the host trusts whatever a USB device claims to be, so a dongle that announces itself as a keyboard can type commands as the logged-in user; and everything seems to have a USB port these days.
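As an added example (not the author’s tooling, and not part of the original post), here is the kind of check the USB-insertion logging above is meant to feed. It parses the messages the Linux kernel prints when a USB device enumerates (the same text you see in `dmesg` or `journalctl -k`), compares each device against an allowlist of known kit, and raises a higher-severity alert when an unlisted device registers a keyboard interface, which is exactly what a keystroke injector does. The log lines, the allowlist and the `feed:beef` vendor/product ID are constructed for the example; the Dell and SanDisk IDs are real but the log is not from a real machine.

```python
"""Audit Linux kernel USB enumeration messages for unexpected devices.

Added example, not the post author's code. Assumes the default usbcore /
usbhid log format; the sample log below is constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Kernel messages emitted while a USB device enumerates.
NEW_DEVICE = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
PRODUCT = re.compile(r"usb (?P<port>[\d.-]+): Product: (?P<name>.+?)\s*$")
# usbhid binds a HID interface and reports its type (Keyboard, Mouse, Device).
HID_IFACE = re.compile(
    r"hid-generic 0003:(?P<vid>[0-9A-F]{4}):(?P<pid>[0-9A-F]{4})\.\d+: .*?"
    r"USB HID v[\d.]+ (?P<kind>\w+)"
)


@dataclass
class UsbDevice:
    port: str
    vid: str
    pid: str
    product: str = ""
    hid_kinds: list = field(default_factory=list)

    @property
    def ident(self) -> str:
        return f"{self.vid}:{self.pid}"


def parse_usb_log(lines):
    """Return one UsbDevice per enumeration, in insertion order."""
    devices, by_port = [], {}
    for line in lines:
        m = NEW_DEVICE.search(line)
        if m:
            dev = UsbDevice(m["port"], m["vid"], m["pid"])
            devices.append(dev)
            by_port[dev.port] = dev
            continue
        m = PRODUCT.search(line)
        if m and m["port"] in by_port:
            by_port[m["port"]].product = m["name"]
            continue
        m = HID_IFACE.search(line)
        if m:
            ident = f"{m['vid'].lower()}:{m['pid'].lower()}"
            # Attach the HID interface to the most recent device with this ID.
            for dev in reversed(devices):
                if dev.ident == ident:
                    dev.hid_kinds.append(m["kind"])
                    break
    return devices


def audit_usb(lines, allowlist):
    """Return (severity, vid:pid, reason) for every device not on the allowlist.

    A device that presents a keyboard interface can inject keystrokes, so it is
    rated 'high'; any other unlisted device is 'medium'.
    """
    alerts = []
    for dev in parse_usb_log(lines):
        if dev.ident in allowlist:
            continue
        if "Keyboard" in dev.hid_kinds:
            alerts.append(("high", dev.ident,
                           f"unlisted device '{dev.product}' on port {dev.port} "
                           "registered a keyboard interface"))
        else:
            alerts.append(("medium", dev.ident,
                           f"unlisted device '{dev.product}' on port {dev.port}"))
    return alerts


# Constructed sample log: an inventoried Dell keyboard, a SanDisk stick that is
# not on the inventory, and a hypothetical feed:beef dongle that calls itself
# "USB Storage" but binds as a keyboard.
SAMPLE_LOG = [
    "[  101.240] usb 1-1.2: New USB device found, idVendor=413c, idProduct=2107, bcdDevice= 1.78",
    "[  101.241] usb 1-1.2: Product: Dell KB216 Wired Keyboard",
    "[  101.350] hid-generic 0003:413C:2107.0001: input,hidraw0: USB HID v1.11 Keyboard [Dell KB216 Wired Keyboard] on usb-0000:00:14.0-1.2/input0",
    "[  210.010] usb 1-1.3: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00",
    "[  210.011] usb 1-1.3: Product: Cruzer Blade",
    "[  210.100] usb-storage 1-1.3:1.0: USB Mass Storage device detected",
    "[  305.120] usb 1-1.4: New USB device found, idVendor=feed, idProduct=beef, bcdDevice= 1.00",
    "[  305.121] usb 1-1.4: Product: USB Storage",
    "[  305.200] hid-generic 0003:FEED:BEEF.0002: input,hidraw1: USB HID v1.11 Keyboard [USB Storage] on usb-0000:00:14.0-1.4/input0",
]
ALLOWLIST = {"413c:2107"}  # vid:pid of kit you have inventoried and marked

if __name__ == "__main__":
    for severity, ident, reason in audit_usb(SAMPLE_LOG, ALLOWLIST):
        print(f"{severity.upper():6} {ident}  {reason}")
```

The allowlist is the link back to the equipment-marking policy: the IDs you know about are the ones with stickers on them. Run this over `journalctl -k -o cat` on a workstation, or ship the kernel log to whatever collector you already have and apply the same two rules there.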
Think I’m being paranoid? You’ll have to assess your own risks. But just remember that random couriers wandering about your office can just as easily drop a laptop into their shoulder bag or pinch a mobile phone; they don’t have to be sophisticated hackers trying to steal your secrets.