Physical Assessments: Ways to Break into Companies – and to Prevent It

A secutorial by IT security consultant Christian Dölling from the SySS red team

A physical assessment is an examination of the physical security of a company site and aims at gaining access to the company premises. In a second step, the red team usually has to achieve a specific goal set by the client, such as stealing a laptop, gaining access to the server room or entering the premises of the research department. So the initial question is: Can a red team, and therefore a real attacker, break into a building? And if so, what conditions made this possible and how can such an intrusion be prevented?

TYPICAL GATEWAYS TO OVERCOME BUILDING SECURITY

The gateways typically used to overcome building security are a lack of awareness, missing security measures, and security that is not practised.

A lack of awareness includes:

  • Opportunity for tailgating/piggybacking: An attacker enters the company or office space through the same door at the same time as, or shortly after, an employee, with or without the employee's knowledge.
  • Excessive willingness to help: The door is held open for the attacker because they are carrying something heavy, for example, or it is opened simply out of courtesy.
  • Leaving unauthorized persons unattended: An attacker asks to enter the premises under false pretences and is then (temporarily) left alone and unsupervised.
  • Good faith: An attacker pretends to be an authorized person; employees believe them and let them through without verification.
  • A lack of awareness on the part of third parties (e.g. tradespeople working on site) can also endanger security.

A lack of security measures includes:

  • No security measures at all
  • Turnstiles that are only waist-high and can easily be climbed over
  • Smokers' entrances without additional security
  • Doors susceptible to the so-called under-the-door tool, which is slid under the door and used to pull down the inside lever handle
  • Cheap locks that are particularly susceptible to lock picking

Security that is not practised means:

  • Employees use the visitor entrance for convenience because they would have to show their IDs at the employee entrance. As a result, the front desk no longer checks people entering strictly enough, or at all, because employees entering the building through the visitor entrance has become a habit.
  • The rule that all employees on company premises must wear an employee ID and every guest a visitor pass is not enforced. As a result, attackers without an ID do not stand out.
  • Reception does not check incoming persons at all.

BEST PRACTICES FOR INCREASING BUILDING SECURITY

To increase the physical security of company premises and make an intrusion as difficult as possible for attackers, the following best practices are recommended:

  • Regular awareness training and testing, both of employees and of external service providers
  • Floor-to-ceiling single passage control systems at all entrances
  • Visitors should only be allowed to move around the company premises with a guest pass and/or when accompanied by an employee.
  • Employees should always wear their ID visibly on company premises. However, it should not be worn visibly outside the company premises to make imitations more difficult.
  • Installation of locks with a high security level
  • Practising security in the company: no disregarding of security requirements for one's own convenience, and regular review of the corporate culture in this light

If you want to have your building security tested or are considering awareness training for your employees, we are happy to give you advice.

You can reach us at any time at anfrage(at)syss.de.

DO NOT HESITATE TO GET IN TOUCH: +49 (0)7071 - 40 78 56-0 or anfrage@syss.de | Outside regular office hours call +49 (0)7071 - 40 78 56-99

As a framework contract customer please dial the provided on-call service number
