A case for physical security as a software company

  • Post by Maxime Cote
  • Feb 29, 2020

Let’s try something here for a minute—a small scenario of a “typical” day at the office. You just arrived at your workplace, get out of your car, walks in the building. You get in by the front door like usual, and you say hi to the security guard. He nods back at you in acknowledgment, then you press the elevator button, wait a bit, then one elevator dings. You see, someone is already in the elevator with a company shirt and a paper pad. He also nods at you say hi. You nod back, and he goes back to taking notes. You’re unsure what he’s doing, but he motions to the floor buttons when he sees you’re waiting. You press your floor button and use your access key to make the elevator go up. The guy seems intent on taking various notes on his pad as the floors go by, not minding you, so you don’t mind him back. When you finally arrive on the floor, the doors open, and he tells you to have a good day. You enter the server rooms with your key and wonder who that person was. Most likely, an elevator technician doing some maintenance. You keep going in the room, sit at your desk, and start your day.


Ok, let’s stop here for a moment. Let’s rewind and think about it for a moment to see what happened here. Multiple scenarios could have played out here. You could have had your RFID card cloned in that elevator; you also gave him information on your schedule and where the server room is located. You also just gave him a free ride to the locked floor you were going to. But who was that person? The elevator technician is a favorite for some physical penetration tester, like Deviant Ollam and his team. Most people won’t ask questions as to why there’s a person in the elevator for so long and taking notes. Then they can go ahead and gather all sorts of information and intelligence in the building. Once it’s done, with the knowledge, they can casually get in and out without people noticing. Or hopefully, they will get caught in the act and stopped by the security personnel.

Why it matters

Many of us know a lot about software and network security and how to secure digital information. How to build multiple layers between intruders and the things they’re trying to reach. That’s basic defense-in-depth, and it works pretty well, depending on how you implement it. But what about physical security? The firewalls and various digital layers won’t matter much if the person can casually enter in, reach the server room, and connect directly into it.

As more and more company moves to the cloud, the responsibility of servers is shifting to third-party providers like Amazon, Google, and Microsoft. But there are still dangers in not having any physical security. You most likely have computers that connect to those servers, sometimes with credentials left in them. Once someone has physical access to a computer, it’s usually game over, and they’ve won.

Now, the idea here is not to go out and start to be suspicious of every single elevator technician. Just having some awareness and countermeasures in place could be enough. There’s a lot of things going on with physical security as it’s a full-time job. That doesn’t mean you should shrug it off and say it’s for others to look over. That is especially true in a small business where you’re the one in charge of securing all its information.

For one thing, you can start to look at the current state of your physical security. Things like: how are the doors locked, what are the office entrances? Is there a guard? Are there rooms that need more protection, etc. There are most likely some things that could be reasonably easy or inexpensive to change, and that would increase the security significantly. Better locks, security cameras, doors sensors are usually relatively inexpensive to start with. An easy way to get more examples and ideas is to look at some presentations given by red teams who do physical security. How do they get in and what are they using, they might not lay out all their secrets, but you have something to start from.

Threat model

The last thing to keep in mind, though, is your threat model for the company and your budget. It might not be worth the hassle to the employee to have super high tech fingerprint reader lock everywhere. Especially if people bypass it or try to get around because it’s “too much of a pain.” As with everything in security, you have to balance convenience and ease of use with protection. Better lockpick proof locks that only require a new key that might be a better idea than those fingerprint locks. Another way you can go about it is to put in place various processes with the employee. Things like always locking their computer as soon as they go away from it. Keeping doors locked unless they’re in the room. Looking out for people that look suspicious. Even small things like that is already a lot better than not doing anything. Will it stop professional people that do that for a living? Maybe not, but it might prevent a lot of problems.

As a final word, the idea is to stay aware of both physical and digital security, even for small offices and companies. Just keep it at the back of your mind as you plan your threat model and think about various scenarios. Start to plan some process and change to block the most oblivious physical gap you have. It might not be as complicated or hard as you expect if you look at the options out there today. Give intruders a harder time to get in since if they do, it might be game over, and you don’t want that.