Physical access to an organization's secure areas, equipment, or materials containing sensitive data may make it easier for a malicious insider to commit a crime. Therefore, an organization's physical security controls are often just as important as its technical security controls. This entry reviews some real case examples of physical security issues as well as some physical security controls.
In our case repository of incidents of malicious insider activity, including crimes of IT sabotage, theft of intellectual property, and fraud, about 8% involve physical security issues of concern. The case summaries below outline a few of these cases that we've analyzed.
For more than a year, a contract janitor stole customer account and personally identifiable information from hard-copy documents at a major U.S. bank. The janitor and two co-conspirators used this information to steal the identities of more than 250 people. They were able to open credit cards and then submit online change-of-address requests so the victims would not receive bank statements or other notifications of fraudulent activity. The insiders drained customers' accounts, and the loss to the organization exceeded $200,000.
A contract programmer tricked a janitor into unlocking another employee's office after hours. He switched the door's name plate and requested that the janitor let him into "his" office. The programmer, who had already obtained employment with a competitor, was able to download sensitive source code onto removable media.
A hospital security guard accessed and stole personally identifiable information regarding the organization's patients. The guard and three co-conspirators opened fraudulent cell phone plans and credit card accounts. As part of the scheme, they changed the account addresses of the victims so the bills would never reach the account owners. After being caught, the insider was ordered to pay $18,000 for the crime.
A communications director showed an expired ID badge to a security guard to gain unauthorized access to a data backup facility. Once inside, the director unplugged security cameras and stole backup tapes containing records for up to 80,000 employees.
A contract security guard used a key to obtain physical access to a hospital's heating, ventilating, and air conditioning (HVAC) computer and another workstation. The guard used password-cracking software to obtain access and install malicious software on the machines. The incident could have affected temperature-sensitive patients, drugs, and supplies.
An insider stole an organization's trade-secret drawings that were marked for destruction and sold them to a competing organization. The victim organization estimated its losses at $100 million. The competing organization that received the stolen documents was forced to declare bankruptcy after a lawsuit.
We have also observed the following physical security issues in the case data:
Infiltration/exfiltration of physical property: activities such as bringing removable media in and out of a facility
Improper termination of an employee's physical access or access badge
Unauthorized access to facility: employees entering facilities during unusual hours or unauthorized employees walking through an open door behind an authorized employee (known as "piggybacking")
Generally poor physical security: general issues such as insufficient guard oversight or insufficient separation of duties for physical access controls
Employee used an unauthorized workstation: employees who are able to physically enter another employee's office/workspace and access their workstation
Breaking and entering/physical destruction: employees breaking into secure spaces or stealing physical equipment
Janitorial staff issues: janitorial staff who steal sensitive information or are socially engineered into violating physical security
Improper disposal or destruction of organization information
Stronger physical security controls, such as physical security training or better background checks, might have prevented some of these attacks. Physical security controls include preventing unauthorized physical access to secure areas as well as preventing outright physical theft. Insider threats to physical security can come from current or former employees, contractors, and trusted business partners, including custodial staff and security guards. Individuals with broad access need to be thoroughly vetted. For example, custodial staff and security guards should undergo the same background check as other insiders. Employees with such access should also have routine security awareness training because their positions make them prime targets for social engineering attacks.
When I attend trainings, conferences, or briefings, I usually end up listening to someone reading slides about a problem. Rarely am I provided with any solutions or actions to remediate the problem. As a cybersecurity trainer with 17+ years of experience and a degree in education, I understand that developing a good presentation is a challenge in any domain. Fortunately for cybersecurity professionals, the National Institute of Standards and Technology (NIST) can help you choose which kind of presentation to give. This blog post will review the three types of presentations defined by NIST: awareness, training, and education.