Physical Security: the Most Overlooked Component of Your Cyber Security Program

02 June 2023

By NCC Group

Securing your organization’s assets from a sophisticated electronic attack is at the foreground of discussion for security in the modern threat landscape. Less discussed but just as critical is the susceptibility to physical attacks. Physical attacks are a very real and present threat to securing digital assets, as seen for example in the 2019 compromise of NASA Mars Rover data by a rogue Raspberry Pi.

Most organizations handle digital threats independently of those in the physical realm, and therefore struggle to understand and articulate the consequences physical security has on cyber security. Physical locations, such as company headquarters, can almost always provide access to internal and otherwise-restricted data. This can provide a trivial method of gaining a foothold into an organization that may have spent millions on cyber security but is lacking on its physical counterpart.

Many organizations fall short on physical security

Understanding how someone can gain physical access to an organization, as well as the risks to digital assets from physical compromise, is important to properly protect data and business operations. Yet, many take physical security for granted: the presence of biometrics, RFID readers, security patrols, CCTV cameras, and even barbed wire fencing may provide peace of mind to already-honest people, but they are all easily bypassed by a dedicated attacker.

The compromise of physical controls can give an attacker access to digital controls, for example by being placed on a sensitive subnet within an office space. Conversely, physical controls can be compromised through compromised cyber assets, such as gaining access to internal CCTV or badge-control systems. Doing so can be as simple as plugging into an ethernet port, planting malware, manually exploiting unlocked laptops, or even finding sensitive credentials written down on sticky notes.

Simply put, establishing your company’s physical security baseline (or maturity) is as important as establishing the cyber counterpart. Yet, the vulnerabilities associated with people and premises are often overlooked. Many organizations’ operational procedures and physical security hardening are not well established, have gaps in coverage or capability, and are not tested adequately or regularly.

Common examples of physical security vulnerabilities

It is important to know the risks related to physical security in order to evaluate vulnerabilities which could allow for each risk to manifest. Equally important is the need to understand the probability and impact of these risks to determine how and where to invest in additional controls.

For each risk listed below, there are various detective, preventative, and corrective controls that can be put into place.

Take the theft of an asset by an unknown person as an example. It would be possible to add sensors near the assets you are protecting (detective), add signs and locks (preventive), and prevent physical access to the asset (corrective).

  • Unauthorized access to sensitive and corporate networks
  • Theft of assets or data
  • Malicious devices planted or "bugged"
  • Safety critical events
  • Harm to employees
  • Damage to property
  • Network disruptions

Leverage a variety of physical security assessments

The importance of a physical security assessment

A physical security assessment is a test designed to evaluate and set forth a plan to remediate vulnerabilities in physical defenses such as doors, locks, cameras, walking paths, security guards, and so on. It can help identify the effectiveness of the controls in place, not just the design of the controls.

These assessments can discover ways to bypass controls, but they also help build a defense-in-depth strategy. This means that if a compromise happens in either the physical or the digital realm, it is contained to that realm, preserving the safety of the whole. A physical security assessment can map out the entire attack chain, highlighting how each issue is exploited and providing steps for remediation. With this in mind, physical security assessments should be considered a requirement, even outside of compliance mandates, and should take into account their impact on other areas of the business.

This should be completed annually (outside of compliance work) to test the maturity and effectiveness of physical controls. Doing so will help identify the immense gaps left by compliance standards, from policy and procedures to hardening physical controls. After all, adversaries attempting to exploit physical controls will move on or give up if the time and effort required is too substantial, just like an adversary attacking from the internet.

When planning physical assessments, it is critical to consider the business context as well as potential threat actors, such as hacktivists or organized crime. This will help you select the right type of physical assessment to fit the various needs of your organization. During a vulnerability assessment, you will likely learn that your attack surface is greater than you once thought. During a penetration test, the focus will be on assessing your existing controls and even emulating your organization’s threat actors.

Physical Vulnerability Assessment

Commonly referred to as a white-box security assessment: the company being assessed provides the maximum amount of information or documentation about its security controls, potential weaknesses, and physical security procedures. The assessor then identifies vulnerabilities and suggests improvements. This can be accomplished through policy reviews, blueprints, stakeholder interviews, review of evasion and circumvention protections, modeling of likely attack scenarios, and even live demonstrations.

Physical Penetration Test

Commonly referred to as a black-box security assessment: the company being assessed provides only limited information regarding internal security controls, and the assessor then identifies ways to gain physical access to key assets. During physical penetration tests, experts gather intelligence and try to gain covert physical access to a building. This typically includes circumventing controls, taking advantage of ineffective controls, and developing a thorough attack plan that accounts for variations.

Combination Assessment

Commonly referred to as a full-spectrum security assessment: this method combines several attack vectors and threat actors into one engagement. These are fully custom projects, specific to a particular organization, that simulate a series of real-world scenarios as closely as possible. They are the evolution of traditional red teams but without their limitations, and should only be used by the most mature organizations.

Checklist: Physical Security Assessment

  • What is your attack surface and do you have it documented?
  • How many physical locations will you test?
  • Are any third-party sites in scope and do you have approval to perform testing?
  • Do you have to notify anyone that this testing will occur?
  • Will the testing team require escorts to be close by?
  • Who is the on-site contact for each location?
  • Will there be an operational impact if an intrusion is detected?
  • If an intrusion occurs, how is it handled and what is the chain of alerting?
  • Who is the sponsor for the project? (If this is for internal audit vs. IT security vs. corporate security, the approach, methods, and reporting might be different.)
  • Are there any restrictions?
  • Are there armed guards or guard dogs?
  • Will you allow simulated attacks or covert intrusions?
  • What month will testing occur and why?

Scoping example: PCI

For the purposes of a PCI Report on Compliance, you need to provide documented evidence (e.g., policies, procedures, and supporting records) of controls. You will also need to have a Qualified Security Assessor (QSA) observe and test the controls/requirements that are in place. The QSA will meet with physical security control owners and operators to verify how individual controls are being met, and will do this through interviews, observations, and testing. During a PCI audit, the scope of the test is a subset of the enterprise, not the whole enterprise: any part of the network or physical locations that process, transmit, store, or can impact the security of the cardholder data environment. PCI audits will not test bypasses of physical security controls that are out of scope, and may not evaluate all defense-in-depth measures which are meant to prevent data access. PCI audits involve testing and reviewing physical security controls; however, a PCI audit does not attempt to circumvent those controls, unlike a physical security assessment. By attempting to bypass physical security controls, you can go one step further and demonstrate whether physical security vulnerabilities can impact the protected data.

Note: This is how FedRAMP approaches penetration testing. Physical security assessments help provide an attacker’s point of view on operational soft spots. Soft spots that, when exploited, can be used to gain access to sensitive security enclaves by bypassing controls and evaluating defense-in-depth.

Ensuring an accurate scope for your organization

In short, the scope of each type of physical assessment will vary based on the organization’s unique risk profile, the maturity of its security program, and how it operates as a whole. In addition, if physical security has been previously tested, this will impact the approach an assessor will want to follow; it will likely also influence budget allocated to the test (thus impacting scope).

The scope of a physical security assessment typically involves one or more locations and the associated assets. A larger scope will always provide more value than compliance assessments or other audits that have a narrow and/or restrictive scope. Furthermore, a physical security assessment will help harden operational systems and physical security as a whole, whereas other audits might only look at physical security as a sub-category of a control framework assessment.

If hardening physical security is a goal of a penetration test, you might see findings related to:

  • External landscape and site design
  • External features
  • Building perimeter security (Examples can include:)
    • Building inventory – Points of entry & exit
    • Building analysis – External door access controls
    • Building analysis – Alternative points of entry
    • Building analysis – Methods of perimeter access control
    • Monitoring & alerting – External use of alarms, sensors, & IDS
  • Security personnel
  • Policies and procedures
  • Internal layout and design (Examples can include:)
    • Building analysis – Main entrance vestibule & lobby
    • Building analysis – Methods of internal access control
    • Monitoring & alerting – Internal use of camera monitoring
    • Monitoring & alerting – Contraband search & detection
    • Monitoring & alerting – Internal use of alarms, sensors, & IDS

The checklist earlier in this post is a starting point for a typical physical security assessment. It is not intended to be an exhaustive list of scoping considerations but should help you get started. Once a project is established, there are additional rules-of-engagement considerations that need to be thought through.

Physical security reaches beyond compliance

Traditionally, companies will test physical security as part of a compliance audit (e.g., SOC 2) and will stop there. Organizations go through a variety of audits which might scratch the surface of a physical security assessment, but their intended purpose is not enhancing the resiliency of physical controls to prevent data and/or asset access or theft. As previously stated, meeting physical security compliance does not mean you are protected from threat actors targeting your assets.

Some examples of audits that might touch upon physical security include PCI, VISA Physical, Occupational Health & Safety (OSHA), FedRAMP, CMMC, and HIPAA (to name a few). A distinct physical security assessment can help supplement many of these compliance-based assessments. Unfortunately, today’s compliance frameworks remain ineffective and inadequate in addressing sophisticated or even rudimentary threats. NIST, FISMA, SOC, and other compliance standards that mandate certain physical controls may keep out your standard pedestrian but do little-to-nothing against organized social engineering attacks, or even an adversary that knows how to bypass alarm systems. As a result, enhanced controls must be developed to mitigate attackers that are not bound by rules, time, or budget.

Physical security in regulatory frameworks

Several frameworks, standards, and regulations exist that have physical security components.

Cyber Security Maturity Model Certification. The Cybersecurity Maturity Model Certification Framework (CMMC) is the Department of Defense’s (DoD) response to growing threats. Physical security is one of 17 capability domains that has associated practices and processes across 5 levels of maturity.

FedRAMP. The Federal Risk and Authorization Management Program (FedRAMP) is a standard applicable to any cloud service provider (CSP) that is providing cloud services to the U.S. Federal Government. States and local governments are beginning to provide preference in procurement to solutions that are FedRAMP authorized. Physical security is a key area of FedRAMP and the physical environment is part of the required attack paths that need to be included during penetration testing. Note: FedRAMP is similar to CHECK.

CHECK. The IT Health Check Service (CHECK) exists primarily for the benefit of Her Majesty’s Government (HMG) and UK Critical National Infrastructure (CNI) end users who wish to have their sensitive IT systems and networks checked for vulnerabilities. Companies belonging to CHECK are measured against high standards set by the UK Government’s National Technical Authority for Information Assurance (CESG). This scheme is designed for companies doing work in the UK and requires them to invite security experts to identify IT security weaknesses through practical expert testing by an independent and qualified third party.

PCI DSS. PCI DSS applies to any company that stores, processes, or transmits credit card information. Requirement 9 specifically addresses physical security controls; however, physical security is also referenced in other requirements, including Sections 8, 10, and 11.

Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA applies to Covered Entities and Business Associates; these are companies that come into contact with electronic health information. HIPAA is broken into 3 types of safeguards: Administrative, Technical, and Physical. These safeguards are then further broken down into addressable and standard implementation specifications.

Health Information Trust Alliance (HITRUST) Framework v9.2. HITRUST is a security framework that maps to various regulatory factors (e.g., FedRAMP, FISMA, HIPAA, CMS, ISO 27001, NIST, FFIEC and more) and is based on levels of security maturity. The framework has 19 domain categories which are then broken out into control objectives and control specifications. Control specifications then map to control statements and control levels which number into the hundreds for a single assessment. One Domain includes Physical & Environmental Security as a control category. There is an additional category for Equipment Security, which includes things like security of off-premises equipment and secure disposal or re-use of equipment.

NERC Critical Infrastructure Protection (NERC-CIP). NERC CIP is a set of standards designed for the U.S. Bulk Electric Grid. The standards lay out a number of requirements, measures, and compliance monitoring specifications. Compliance monitoring includes compliance audits, self-certifications, and spot checking, all of which could be enhanced by a distinct physical security assessment that validates physical security controls and shows how they could be circumvented. Most compliance assessments want to see that you have developed a control, but testing procedures for validating controls can be insufficient or non-existent. This means that validation can sometimes be limited to simply reviewing a policy and procedure, observing a sample of the control, and/or interviewing a control owner to confirm a control is in place. A physical security assessment can take that a step further to ensure that a control is operating as intended, that meaningful protections against your threat profile are provided, and that your organization understands how that control could be bypassed. This goes further than checking off a compliance requirement, and instead emulates a sophisticated adversary trying to access your assets.

For compliance purposes, organizations will want to demonstrate how they handle:

  • Employee identification & verification
  • Searching possessions & advanced screening
  • Physical inspection & patrols
  • General visitor greeting & handling
  • Deliveries & special use visitor handling
  • Information & logistics services
  • Badge challenges & anti-tailgating precautions
  • Security incident reporting

NCC Group performs physical security penetration tests for a wide variety of companies and industries. If you have sensitive assets protected by physical security controls, you should perform an annual security assessment to help validate controls and reduce risk.

Our team of experienced consultants can verify that your physical security controls are operating effectively and can also help identify blind spots in your physical security program. Whether this is your first physical security assessment or you’ve experienced one in the past, our team can guide you through an assessment to improve your resiliency.


Authors

Justin Orcutt, RMG Specialist, NCC Group

Kurt Osborne, Manager, NCC Group

Robert Moore, Red Team Lead, Wayfair

Get your physical security controls up to speed.

Don't overlook these crucial components: contact us to find out how NCC Group can assess and enhance your organization's physical security.