Physical Security Breach

It’s interesting to me that some people within security community seem to create such strong divisions between some of the sub-disciplines of information security. Often I’ll find that the CISO I’m working under has nearly no interaction with the groups in charge of personnel security or physical security. I don’t want to get into nitpicking about whether those areas should be folded under a CISO because they probably shouldn’t. However, there does need to be some level of interaction and communication among these groups.

While working for a client recently, I was presented with a perfect example of how things can fall down when these groups do not communicate. This client operated out of a large and very outdated building which had an army of security guards manning doors, but did not have badge readers on any external doors. I didn’t think it would be difficult for an attacker to create a fake badge if they just waited outside the building at around 5pm, and made a mental picture of what the organization’s ID badges looked like.

However, when I did a quick google search for any pictures of their badges, I found that it would be easier than I thought. Someone had accidentally posted an internal memo on badging procedures on the organization’s public web site. This memo included both badge procedures and full color images of what every type of badge looked like. All an attacker would need to do is download and modify these “templates” and print up their own badge which looked as good as the one I was using to get into the office every day. Without needing to have to go the extra step of encoding some information on the badge magnetically since there are no badge readers at this facility, the attacker simply needed to flash the badge to guards and they could come and go as they pleased.

The shocking thing about this attack is not really what they could do- the attacker could do pretty much anything they wanted. The disturbing thing to consider is for how long they could do it. There would be no way to identify this attacker as they walked up and down the halls. They could be coming and going every day for 6 months, mapping out who is where in the building, which areas contain different departments, collecting information on when employees arrive and leave, deploying network sniffers, etc.

In any case, I obviously notified the organization about the mistake, and the memo has been removed from their site. However, the damage may have already been done. Who’s to say one of the people I see there every day is not using a fake badge to gain access. The recent story about TSA’s failure to properly redact a document is similar in that it involved improperly publishing sensitive information and in that it provides attackers with some sort of ID “templates” to use in an attack.

Takeaways here are that it is critical to properly classify all data within the organization, and to build strict procedures for publishing data to the public. These procedures should not interfere with efforts to improve transparency, but some sort of gate reviews need to be implemented to prevent these sorts of data breaches. Also, the fundamental fact that these sorts of incidents exemplify is that physical security is critical. It is the foundation of every other security effort your organization undertakes. The firewalls, router ACLs, inline IDS/IPS, VPN and other perimeter controls you’re so focused on implementing are rendered absolutely useless the second an attacker can walk in the front door.

I know this stuff is obvious, but given these incidents it is absolutely worth mentioning again. This is just like in sports- you have to constantly work on the fundamentals. Build your overall security “game” upon that.