Olzak on Business Continuity

About this Blog:

On surviving the unthinkable and other challenges.

Tom Olzak

Social Engineering v. Physical Security


We hear a lot about the risks of social engineering, and there are a host of articles recommending how to defend against unauthorized access to facilities and their network infrastructures.  However, keeping the wrong people out of your building and away from your critical systems comes down to basic physical security controls, consistently applied.  It isn’t magic, nor is good physical security the result of reciting a set of platitudes.  The only adage that matters: if an attacker gains physical access to your systems or infrastructure, it’s game over.  Social engineering is one of the ways attackers get that access.

In an article posted to CSOonline, Joan Goodchild covers an interview with the host of the video series Scam School, Brian Brushwood.  Brushwood also happens to be a magician.  He is quoted in the article as equating social engineering to “…getting people to do what you want by using certain sociological principles.”  The article goes on to list nine “dirty tricks” and how to defend against them.  Although I agree in principle, a defense built on employee awareness of these approaches relies heavily on correct human behavior.  And human behavior, usually the weakest link in any security method, is only a small part of an effective physical security strategy.

Physical security strategy design begins, as always, with a security assessment.  The first step in an assessment is understanding certain characteristics of the target facility or infrastructure, including:

  1. Access controls currently in place
  2. Parking and vehicle proximity controls
  3. How the building is constructed, including:
     1. Doors
     2. Windows
     3. Walls
     4. Ceilings
  4. Building operations
     1. Security processes
     2. Business processes
     3. Backup and primary power accessibility
     4. Sensitive areas within the facility
        1. Locked doors
           1. Locking methods
           2. Key or combination controls
        2. Whether it’s possible to observe individuals entering or working in sensitive areas
     5. Technology
        1. Where critical infrastructure is placed
        2. If and how critical infrastructure is secured
  5. Facility perimeter
     1. Distance from the facility to the first barrier, assuming there is a barrier
     2. Human monitoring of entry, if any
     3. Sensor placement, if any
     4. Camera placement, if any
     5. Blind spots
     6. Purpose of the barrier (e.g., a simple reminder of the property line, or an actual hindrance to property access)
  6. Employee awareness
     1. Understanding of piggybacking and other methods of “courtesy” entry
     2. Awareness of social engineering and how it is used via phone or face-to-face interactions to gain access
     3. Assessment of how access controls support each other to hinder social engineering attempts
Once a survey of existing controls and vulnerabilities is complete, compare the results with industry best practices commensurate with the assets you’re trying to protect.  In other words, physical security requirements for a Department of Defense research site are much different from those for a healthcare facility.  The gaps constitute your action plan.

Before executing against the action plan, assess the risk associated with each action item.  Compare the risk to the cost of implementation.  As with technology security, physical security control implementation is based on solid risk management.  If management accepts the risk, or if the business impact is transferred in some way (e.g., insurance), then don’t implement the associated control.
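The survey, gap analysis and risk-versus-cost triage described above, carried through as a small script.  This is an added example, not code from the original post: the baselines per asset class, the surveyed controls, the loss estimates and the control costs are all constructed for illustration and do not come from any published standard.  Gaps are the baseline controls the survey did not find; each gap is then either implemented, skipped because management accepted or transferred the risk, or referred back to management when the control costs more than the loss it is expected to prevent.

```python
"""Gap analysis and risk-vs-cost triage for a physical security assessment.

Added example; not code from the original post.  Baselines, survey results,
loss estimates and costs are constructed for illustration.
"""
from dataclasses import dataclass

# Required controls per asset class.  Constructed; in practice these come from
# the best-practice baseline commensurate with what the facility protects.
BASELINES = {
    "healthcare": {
        "badge_access", "visitor_escort", "server_room_lock",
        "perimeter_cameras", "piggybacking_awareness",
    },
    "dod_research": {
        "badge_access", "visitor_escort", "server_room_lock",
        "perimeter_cameras", "piggybacking_awareness",
        "vehicle_standoff", "guard_post", "two_person_rule",
    },
}


@dataclass
class RiskEstimate:
    """Management's view of one gap (all values are assumed estimates)."""
    annual_expected_loss: float      # loss the open gap is expected to cause per year
    annual_cost: float               # cost to implement and operate the control
    risk_accepted: bool = False      # management formally accepted the risk
    risk_transferred: bool = False   # impact transferred, e.g. to insurance


def find_gaps(asset_class, existing_controls):
    """Controls the baseline requires that the survey did not find."""
    required = BASELINES[asset_class]
    return sorted(required - set(existing_controls))


def decide(estimate):
    """Accepted or transferred risk is not implemented; otherwise compare
    the risk to the cost of implementation."""
    if estimate.risk_accepted:
        return "skip: risk accepted"
    if estimate.risk_transferred:
        return "skip: risk transferred"
    if estimate.annual_cost > estimate.annual_expected_loss:
        # The control costs more than the loss it prevents: send it back to
        # management for an explicit accept/transfer decision instead of
        # silently implementing or silently dropping it.
        return "refer: cost exceeds expected loss"
    return "implement"


def build_action_plan(asset_class, existing_controls, estimates):
    """Map each gap to a decision, largest expected loss first.

    Refuses to produce a plan if any gap lacks a risk estimate, so nothing
    gets implemented (or skipped) without the risk having been assessed.
    """
    gaps = find_gaps(asset_class, existing_controls)
    missing = [g for g in gaps if g not in estimates]
    if missing:
        raise ValueError(f"no risk estimate for gaps: {missing}")
    ordered = sorted(gaps, key=lambda g: estimates[g].annual_expected_loss,
                     reverse=True)
    return {g: decide(estimates[g]) for g in ordered}


# Constructed survey of a hypothetical clinic and its (assumed) estimates.
SURVEY = {"badge_access", "server_room_lock", "piggybacking_awareness"}
ESTIMATES = {
    "visitor_escort": RiskEstimate(annual_expected_loss=40_000, annual_cost=15_000),
    "perimeter_cameras": RiskEstimate(annual_expected_loss=5_000, annual_cost=12_000),
}

if __name__ == "__main__":
    for control, decision in build_action_plan("healthcare", SURVEY, ESTIMATES).items():
        print(f"{control:20} {decision}")
```

Running the script against the constructed clinic survey lists visitor escort as an item to implement and refers perimeter cameras back to management, since the assumed camera cost exceeds the assumed loss; running it with the "dod_research" baseline instead fails fast because the survey has no estimates for the extra controls that baseline requires.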

I’m not saying the recommendations provided in the Goodchild article aren’t important.  The nine takeaways are things every employee should know.  However, too much reliance on users doing the right thing is never a good idea.  A large part of social engineering defense must be a set of interlocking, mutually supporting controls which help identify or thwart unauthorized access, even when it is assisted by unwary employees.
