Have you ever shown up to your workplace and noticed someone new in a faraway corner cube, diligently working with earbuds in and their eyes fixed on their workstation? What goes through your mind? Are they a new intern feverishly working to learn the ropes at their new job? Or are they perhaps a temporary contractor brought in to work on a big project that is pushing up against a deadline? Would you break their intense concentration just to introduce yourself? Chances are you would start your day as normal and rationalize that they are supposed to be there. You might even instant message a co-worker later in the day about the new person who was hired to finally reduce some of your workload. By that time, it will probably be too late, and the suspicious person will have already accomplished their job.
Too often, employees assume that if someone is already in a restricted space, like a cube farm, they are approved to be there. At that point, you may even be approached by the “new employee” at the water cooler and give away sensitive details about a project you’re working on, just because you want to be liked by the new project member.
Physical security concerns need to be addressed as well when you look at the vulnerabilities of your IT systems. Defense in depth doesn’t apply only to your technical defenses like your network and workstations. Just because your office area requires a key or a badge-access RFID lock doesn’t necessarily mean those protections can’t be bypassed. I’ve bypassed secured doors in seconds with a $7 piece of metal picked up at the local hardware store. A layered defense against social engineering can be deployed through your employees as well. Locks can be bypassed, RFID cards can be duplicated, and attackers can manipulate your empathetic nature.
“Trust but verify” is a term often thrown around in the security community. I’m not saying your employees should turn to ice and see every employee in the office or caller on the phone as a legitimate threat. However, you should work with your employees so they feel comfortable knowing how and when to report suspicious characters or strange phone calls. They should feel empowered to approach unknown people wandering around the workspace floor and introduce themselves while they find out a little more about why that individual might be there. You should encourage wearing identification badges, but make sure employees don’t rely solely on a badge as the mark of a legitimate employee. Teach them why locking workstations when they leave is so important, as well as what bad actors could do once they’ve convinced someone of their legitimacy. Teach them “Trust, but verify,” and your employees can be a wonderful addition to your defense in depth strategy.
To learn more about how TechGuard Security can test your employees on social engineering, read our white paper.
Written by Grant Codak
Grant has over a decade of IT experience spanning a variety of domains, with a focus on defensive security. Grant is currently a Cybersecurity Expert at TechGuard Security, where he performs a wide variety of proactive security services, including penetration testing. He also holds the following certifications: CISSP, CEH, Security+, Network+, A+, and Metasploit Pro Certified Specialist. Recent responsibilities include a Senior Web Security Engineer role at a Fortune 50 organization, along with a variety of application administration roles in security operations. His past project work includes web tool development as well as firewall and web proxy migrations. Currently at TechGuard Security, Grant conducts audit control assessments, penetration tests, vulnerability assessments and social engineering exercises. Grant ties his knowledge together with his deep understanding of network operations and security architecture to deliver approachable report analysis to clients. Grant is also a nature enthusiast and enjoys mountain biking, hiking and kayaking.