What is the point of an organization spending millions of dollars to secure its networks with advanced data-protection software, only to forget about plugging its physical vulnerabilities? Physical security of data is often taken very lightly, with most people not even realizing that hackers find it way too easy to walk in through the front door.
A malicious hacker can penetrate any system or network if they can just gain physical access into a building or data center. For this reason, searching for and fixing any physical security loopholes before hackers exploit them is paramount.
Malicious hackers are always on the lookout for any physical a. For example:
- Lack of front-desk personnel to monitor entry and exit of people.
- Lack of a guest sign-in book or an escort for visitors.
- Failure by employees to verify the identity of uniformed vendor servicemen or repairmen who claim they have permission to work on computers or copiers.
- Using conventional keys that anyone can make copies of.
- Computer rooms that can be accessed by the public.
- Doors that do not close properly.
- Laptops, tablets, and other digital devices left lying around unattended.
- Failure to shred sensitive information and throwing it in the trash instead.
These are just a few examples of some of the vulnerabilities that malicious hackers can easily exploit to gain physical access to a data center.
The Security Plan
There are many different security options in place today, and as a hacker, you will have to figure out what kind of security apparatus is protecting your target. You will also have to plan how to avoid and exploit these physical security measures.
The interval between reconnaissance and the eventual attack may be days or even weeks. It takes time and skills to carry out a well-coordinated and successful physical breach. This requires a hacker who has diverse skills and knowledge, not to mention patience, agility, mental alertness, and physical fitness.
Factors Affecting Physical Security are:
1. Site Selection and Building Design
Anyone keen on securing a facility will have to think of choosing the right site. A hacker therefore also has to consider how to circumvent the perimeter security. You will have to determine how the perimeter has been secured: fences, barriers, walls, guards, dogs, etc. There may also be secondary physical security measures such as access control and alarms.
A hacker needs to have knowledge of any weaknesses in the physical planning of the facility being targeted. For example, a building may be surrounded by a wall but has large trees all around it, with branches extending inside the perimeter wall. A hacker who is agile and physically fit can simply climb a tree and jump over.
A hacker also needs to watch out for any internal security measures once they gain access into the compound. These may include access controls, intrusion detection systems, and personnel IDs. There are also certain aspects of a facility that a hacker can observe, learn, and exploit. For example:
- The positioning of security lights.
- The presence of shadows and dark areas as potential hiding spots.
- The location of dumpsters in case dumpster diving for information is necessary.
- The positioning of security cameras and blind spots.
- Presence and location of fire extinguishers that can be used to cause damage.
2. Access Controls
When talking about physical security, access control refers to the control of the use of physical spaces by an authority. This determines who has access to what, where and when.
Most facilities tend to use either people (security guards and maybe dogs) or some form of device (locks and keys).
A hacker must know the extent of a building’s access control points. In most cases, there is access control at the entry and exit, but what about the inner doors into rooms? Can you roam around freely once you get through security at the front entrance? If the doors inside the building require keys to unlock them, then the right keys must be stolen or duplicated.
If it is difficult to get copies of the keys you need, then lock picking is another alternative. Picking a lock is not that difficult to learn. Most door locks tend to be of the pin tumbler variety, where you have an inner and outer cylinder. To open a door, all you have to do is rotate the inner cylinder. If the lock is cheap, for example, for filing or medicine cabinets, then picking it is easy.
You can get cheap lock-picking kits online and read some instructions on how to pick the standard door lock. If it is a keyed entry door, you can consider placing a spy cam in a strategic position to learn the code.
3. Intrusion Detection Systems
This is a system that is designed to scan a network and monitor a facility for malicious actions or violations of policy. This can be through CCTV or motion detectors. There have been advances in these systems, with the design of Intrusion Detection and Prevention Systems. Such a system doesn’t just monitor events; it prevents attacks on the network.
CCTV cameras are the standard in video surveillance of buildings. Security guards sit in the control room and monitor every area through the array of cameras installed at strategic places. Motion sensors can also be installed to alert security of unwanted intruders.
Most CCTV systems have a weakness — blind spots. These are areas where the cameras cannot see. Any hacker planning to attack a facility with CCTV cameras must first get to know exactly where these blind spots are. The cameras may be web-based or wireless.
Either way, it is possible to hack into the camera feed and manipulate what the security personnel see. It is also possible to jam the signals of a wireless camera.
It is also important for a hacker to understand the kind of response that security will have when an alarm goes off. Will the police be called? Will the doors automatically lock and cut off a means of escape? Knowing the response of an intrusion detection system may provide a hacker with an advantage.
4. The identity of the personnel
Most organizations hand out ID badges as well as user IDs to their personnel. This makes it easier for them to go about their daily duties. Computer programs are also used to monitor the identities of employees who create and modify existing directories and files.
The movement of employees in restricted areas is also tracked and records kept.
It may be possible to make a fake ID badge or steal one from a bona fide employee. You may also come in as a guest and lose your escort. Another way to gain entry into a restricted area is “tailgating.” A hacker can pose as a salesman and pretend to help a legitimate employee carry a tray of food into a data center. Most people would look at the situation and open the door for you since your hands are full.
You can also hang out in the smoking zone and follow an employee into the building, as you pretend to have a conversation with them. You can even pretend to be talking on the phone or be on crutches, prompting the employee to help you through the door.
Impersonating genuine salespeople, technicians, or contractors is a surefire way to enter a building without raising eyebrows. All you need is a uniform, and if you prefer, get a service truck and some equipment to make you look like the real deal.
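From the defender's side, the movement records mentioned in this section can be checked for the traces that tailgating and borrowed badges leave behind: a badge used at a door that its recorded location says it could not have reached. The following is an added example, not part of the original article; the log format, door names, badge IDs, and rule names are assumptions constructed for illustration.

```python
from datetime import datetime

# Constructed sample badge log: timestamp,badge,door,direction (assumed format).
SAMPLE_LOG = """\
2024-03-04T08:01:10,B1001,LOBBY,IN
2024-03-04T08:01:14,B1002,LOBBY,IN
2024-03-04T08:05:30,B1001,DATACENTER,IN
2024-03-04T08:07:02,B1003,DATACENTER,IN
2024-03-04T09:00:00,B1001,LOBBY,IN
2024-03-04T12:00:00,B1002,LOBBY,OUT
2024-03-04T12:30:00,B1002,DATACENTER,IN
2024-03-04T17:02:00,B1001,LOBBY,OUT
2024-03-04T17:05:00,B1004,LOBBY,OUT
"""

PERIMETER_DOORS = {"LOBBY"}  # assumption: readers on the building boundary


def parse_events(text):
    """Parse CSV badge events and return them in time order."""
    events = []
    for line in text.strip().splitlines():
        ts, badge, door, direction = line.strip().split(",")
        events.append((datetime.fromisoformat(ts), badge, door, direction))
    return sorted(events)


def find_anomalies(events, perimeter=PERIMETER_DOORS):
    """Flag badge events that contradict the badge's recorded location."""
    inside = set()  # badges currently recorded as inside the perimeter
    findings = []
    for ts, badge, door, direction in events:
        if door in perimeter and direction == "IN":
            if badge in inside:  # entered twice with no exit in between
                findings.append((ts, badge, door, "reentry_without_exit"))
            inside.add(badge)
        elif door in perimeter:
            if badge not in inside:  # left without ever badging in
                findings.append((ts, badge, door, "exit_without_entry"))
            inside.discard(badge)
        elif badge not in inside:  # interior reader, holder never badged in
            findings.append((ts, badge, door, "interior_without_entry"))
    return findings


if __name__ == "__main__":
    for ts, badge, door, reason in find_anomalies(parse_events(SAMPLE_LOG)):
        print(ts.isoformat(), badge, door, reason)
```

Each finding means someone passed a door without a matching swipe, so it is a prompt to review camera footage for that door and time rather than proof of intrusion.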