Conjure up an image of a typical hacker and you’ll likely be thinking of a hooded figure launching cyber-attacks from a computer located in some faraway basement. But one rarely considers the dangers that lie closer to home.
Today’s businesses are just as vulnerable to being infiltrated by an in-person ‘hack’ as they are to digital threats launched remotely from cyberspace. The moment an employee kindly holds the door open for a stranger burdened with a tray of takeout coffees and lets the wrong person inside, an organisation’s most sensitive assets are at risk of compromise.
Playing on human kindness is a common tactic employed by physical hackers, who are intent on infiltrating corporate networks by connecting to them directly, gaining unauthorised access to data centres or networks, stealing trade and corporate secrets, disrupting operations and more. Indeed, a study by Google found that 45% of people will plug in a USB they find - and physical hackers are taking advantage of this behavioural quirk to drop malware-infected USBs for workers to discover.
In the wake of the widespread shift to hybrid working models, physical social engineering attacks are on the rise. Yet, while organisations may have doubled down on addressing their resilience to online social engineering attacks like phishing, the security of their physical spaces and assets is often overlooked.
Physical social engineering: understanding the risks
Today’s hackers are proving adept at using physical social engineering techniques to exploit onsite security vulnerabilities and gain unauthorised access to an organisation’s physical premises.
Skilled at using psychological manipulation to trick people into making security mistakes or giving away sensitive information, some of the social engineering techniques hackers use to gain access to a target’s premises include getting someone to hold a door open for them, tailgating an employee to enter a building or restricted area, or posing as someone with a legitimate reason for being on the premises – such as a maintenance engineer or a delivery person.
Today’s hybrid and co-working office environments have created the perfect conditions for a slew of new attack approaches. Employees and contractors are now free to visit facilities at all hours of the day and are no longer familiar with all other workforce members, a scenario that makes workforce management more difficult and means that employees are less likely to challenge someone they don’t recognise.
This leaves physical hackers free to masquerade as new employees in a busy workplace, using hot desking spaces to blend in and look like they belong. Prior to this, they may repeatedly visit a premises in a bid to become a ‘familiar face’ or take advantage of opportunities to mingle with staff when they are taking outdoor breaks to acquire insights that will enable them to access the physical premises. Other common tactics include photographing workspaces to identify potential vulnerabilities or attempting to deliver something that hasn’t been ordered.
Penetrating an organisation’s building allows hackers to pursue a wide number of potential attack vectors. Once inside, they can shoulder surf employees working in hot desking environments to capture passwords and evaluate how best to access high-value assets like server rooms. They are also free to assess the vacant desktops of employees who wander away, leaving unsecured systems and devices open or sticky notes containing passwords freely visible.
Physical hackers frequently change tactics and are sensitive to the prevailing social norms when creating an attack plan. For example, in Sweden, it is much more acceptable to question or confront someone without a legitimate reason to be on the premises compared to the UK, where cultural reticence typically means that ‘calling someone out’ is less likely to occur.
Keep physical security top of mind
Physical hackers are all too aware that organisations have taken their eye off the ball where physical security is concerned and are eagerly exploiting the opportunities that have opened up in the wake of hybrid working. Certainly, physical infiltration has become a tempting proposition for cybercriminals who would rather attempt a physical breach of an organisation’s data than contend with elevated online security strategies.
While today’s organisations invest significant resources in digital cyber security, it is all too easy to forget there is a physical aspect to cyber security that also needs to be addressed. Rather than quite literally leaving the front door open for threat actors to ‘walk in’, organisations should take steps to bolster the physical security of their premises.
Conducting regular penetration tests, where ‘red teamers’ attempt to gain unauthorised and undetected access to a physical location or physical resources, will reveal where the potential vulnerabilities lie. These test procedures enable organisations to assess the effectiveness of their existing security and access control measures and evaluate staff alertness and complacency levels.
Penetration testing can also support the delivery of high impact training for staff, using real-life examples from recent red team engagements to take personnel step-by-step through a simulated attack and show them what happened and why. This not only makes training more relatable and memorable for staff. It also underlines why ‘clear desk’ policies matter and why security doors should never be ‘propped open’, as well as educating employees on the need for vigilance.
Taking a holistic approach to cyber security
Physical attacks represent a very real danger to the security of digital assets, and today’s criminals are not beyond targeting an organisation’s physical security systems – including CCTV, employee ID and verification and badge-control systems – in order to gain covert physical access to buildings. To boost their resiliency, organisations will need to adopt a truly holistic approach to cyber security and ensure that their security and penetration testing extends beyond network fortifications alone to encompass their physical security controls too.