Open door? Game over.

Among security axioms, there is one which is often overlooked but whose affects are frequently present before, during, or after a breach; if an attacker gains physical access to your systems, game over.  But not everyone gets it, as demonstrated by the following story (partly based on an actual event, with names, company, etc. changed to protect the employed).

Henry was frustrated.  He'd tried everything he knew to crack the perimeter defenses of his target.  The IS security team must really have it together.  Henry was sure he could eventually get in, but the payment he was receiving for hacking into the target's network and extracting new product information wasn't enough for him to spend months finding the inevitable weak spot.  It was time for Plan B: gaining physical access to the company's network.

His target was a manufacturer, Widgets, Inc.  The target data consisted of documents, drawings, or anything else related to the revolutionary new widget the company was rumored to be bringing to market.  Henry believed his best chance of getting to this information was access to an engineering workstation during the workday.  So the next morning, dressed in business casual, he headed for the Widgets corporate office.

The first challenge was getting past the security desk.  According to signs posted in the halls leading to the elevators, no one was allowed access to the upper floors unless possessing a badge.  Visitors must sign in and accompany an escort to the appropriate floor.  There was no way to get to the elevators unless you passed by security. 

At first glance, this appeared to throw up a serious challenge.  However, as Henry watched from the lobby coffee shop, he noticed the security guard checking badges was more interested in side conversations.  As starting time approached, and the number of employees heading for elevators increased, a fewer percentage had their badges checked.  And when badges were checked, it was a distant, cursory check.  You could carry anything which looked like an access badge and still pass.

Henry decided to give it a shot.  After all, he could always tell the guard he had left his badge at home.  So Henry stepped up and got in the line of sleepy employees waiting for an elevator.  He slowly made his way to an open spot and selected floor four, the engineering department.  The elevator stopped, Henry stepped off and followed the crowd.  A locked door stood between the elevators and the office area.  The locking mechanism consisted of a breaker bar released when a badge was brought close to a wall mounted reader.  Everyone badged in, even if the door was still open from the previous employee's entrance.  It looked to Henry as if the engineers were more aware of security than the guards.  This might be a problem, since it appeared that an attempt at piggybacking might result in his being challenged.  A challenge wasn't so bad.  He could always come up with some excuse for not having his badge.  But he didn't want to be singled out at all.  It would make becoming "invisible" harder if he did make it onto the floor.

The lock didn't look like it could withstand the efforts of a serious practitioner of the black hat arts like Henry.  So he waited until everyone had entered the floor.  He then walked up to the door to examine the locking mechanism.  Henry  recorded the brand and model.  Finally he took a picture of it.  Pocketing this information, he road the elevator to the lobby, waved to the guards on his way out of the building, and went home to do some research.

A quick search of lock vendor Web sites resulted in discovery of the lock along with installation instructions.  According to the installation schematics, the breaker bar would sound a short alarm if pushed prior to a valid badge scan.  However, sliding a screwdriver or other tool between the bar and the mounting bracket would sound no alarms if carefully done.  This was important since the insertion of a flat metal object at the right location could feasibly result in enough damage to break the connection between the lock and the badge scanner.  The door would remain locked until the locking mechanism was disabled and repaired.  Based on everything Henry had seen at Widgets, this was all he needed to know.  A smile crept across his face as he headed to bed.  Tomorrow was going to be a big day, payday.

The following morning, Henry followed the previous routine.  His badge wasn't checked and he road the elevator up to the fourth floor without incident.  This time, however, he carried a tool, a CD containing some of his favorite software tools, and a blank DVD. 

Again, Henry waited until the elevator area was empty.  He stepped up to the breaker bar, found the right spot as shown in last night's schematics, and inserted the flat edge of his paint scraper between the breaker bar and the mounting bracket.  Carefully, he moved it down until it came in contact with what he knew were the wires connecting the lock to the scanner.  A quick strike on the top of the handle drove the sharpened scraper through at least one wire.  Henry knew this because the ready light on the lock turned amber.  According to vendor documentation, this indicated a lock fault.  The lock failed closed but, no alarm sounded.  This entire process took about 30 seconds.

Henry left the floor and made his way to the coffee shop.  It was now time to wait.  If he was right, the door would be unlocked until the damaged lock was repaired. 

After about an hour, Henry once again made his way (ignored by the guard who was reading the paper) back to the fourth floor.  As he approached the door, he saw it was propped open, the locking mechanism usually attached to the door was lying on the floor, and nobody was around.  This is what he had counted on.  It wasn't always this easy.  But the combination of inattentive guards, an easily identifiable lock type, and lax documentation protection by the lock vendor all came together to provide Henry with a plan for easy access.  He approached the door and walked into the engineering department like he belonged there.

All the engineers worked in cubicles.  In the first few work areas he passed, the engineer was either hard at work or absent but had locked his or her workstation.  But then he got lucky; he found a workstation unattended and still unlocked.  Widgets probably had a password-protected screensaver which timed out after several minutes.  No one paid any attention as Henry entered the cubicle, opened the CD drive, and inserted his software tools.

It isn't necessary to go into details about what Henry did on the fourth floor of Widgets, Inc.  However, you should know he was paid that evening for providing his customer with everything needed to quickly follow Widgets, Inc to market with the new product.   

The moral of this story?  All the technical security controls in the world will not protect your business from an attacker who gains physical access to your network.  Even if Henry hadn't found an unlocked workstation, his software toolkit contained everything he needed to crack into a locked workstation if he was sitting in front of it.  And if an engineer who didn't know him walked by, Henry was ready with a good cover story about being a consultant helping on the new widget project.  The cover story would probably have worked just fine, because:

1. Henry was already on a secure floor;
2. Henry was working on a supposedly secure workstation; and
3. Many organization's don't properly train their employees to react to possible social engineering situations