Hackers can get into your office using something as simple as a felt-tip pen.
Hacking isn't always digital; it can be physical, too. Your company could be attacked via a USB stick dropped in the lobby, a fake inspector, or even a felt-tip pen.
NCC Group's penetration testing team used what it calls the "felt-tip exploit" to access a client's offices. “The building was secured by a PIN pad system to restrict unauthorised entry,” explains Daniel Farrie, senior security consultant at the group.
“By subtly marking each PIN key with a felt-tip pen, it was possible to return after office hours and assess which numbers had been disturbed… as attackers, we had unfettered access to some very sensitive information,” he explains.
Tom Roberts also sneaks into buildings for his work, as a security consultant at Pen Test Partners. Once inside, Mr Roberts needs little more than a friendly smile and professional demeanour to breach security.
He will spot filing cabinets left open, a laptop that’s unattended and unlocked, or a data room propped open, because no-one can remember the door code.
“These small things may, on the face of it, all seem a trifle,” he says. “The problem is that small things are all it takes for a criminal or hacker to take something small that can make a big difference.”
Such in-person attacks are perhaps more common in films than at your average small or medium-sized enterprise (SME); most physical security breaches are simple errors: lost laptops or files left on trains are more likely, notes Gemma Moore, director at information security tester, Cyberis.
While those are the most frequent source of physical leaks, it’s tough to know how common targeted physical breaches are, because they’re often not detected by the victims.
Physical attacks tend to be targeted, Ms Moore adds. While casual criminals may sneak into your office to nick a laptop, that’s normally to sell the asset, rather than to steal the data.
But once inside, intruders can install keyloggers on computers, deploy remote-access network devices, or run malware, explains Mr Farrie. “Each tactic is designed to provide a criminal with remote access to the network, or the corporate passwords that can be used to gain that level of access.”
And gaining access to offices is normally easy, Ms Moore explains, calling it the “high vis” effect; if you wear official clothing, such as a high-vis jacket, you’re unlikely to be challenged.
Think of all the people who legitimately enter your workplace. Health-and-safety auditors, cleaners, inspectors, suppliers, and candidates coming in for interview could all be used as cover stories. “Gaining access does not necessitate an out-of-hours break-in,” she says.
When Cyberis is testing a client’s physical security, the firm will often pretend to be a portable appliance tester (PAT) inspector, as that not only offers access, but gives an excuse to interact with equipment such as workstations and network switches.
They were once so successful that one fake PAT inspector testing a client was offered a cup of tea in the staff kitchen after spending hours accessing unlocked workstations.
Another tactic to gain physical access is what’s called “tailgating”, says Ms Moore. “Even for businesses with card-based access control on all doors, we’re still regularly able to follow authorised personnel into restricted areas,” she explains. “There’s a great degree of social pressure on individuals to be polite, and closing a door in someone’s face is plain rude, so many people can’t bring themselves to do it.”
Once inside, attacks can take myriad forms, including accessing PCs using passwords left on post-it notes, or leaving USB sticks around.
Mr Farrie says that his favourite “low-tech” attack is phishing posters.
“They will likely promote a website that's under my control and encourage employees to log in with their corporate network credentials. A well-designed poster situated in the canteen suggests that it has been authorised and can be trusted," he explains.
"After that, achieving administrator-level access for the whole network can often just be a matter of time."
So what can SMEs do to avoid such physical attacks on their digital assets? On the IT side, they should monitor their internal networks for strange behaviour, rather than depend entirely on digital protective measures to keep hackers out.
But, as ever, employee education is the answer. “It’s difficult to defend against these attacks, as social norms tend to help attackers in these cases," says Ms Moore. “Employees must be willing to challenge visitors if they seem suspicious, and must have escalation routes that they can use if concerned about strangers in the office.”
Mr Roberts advises staff to be “polite but firm” when dealing with unknown visitors. “Anyone who’s valid will gladly accede to your request, and customers would even value the fact that you have a security policy if they wander away and are asked to return to the public zones,” he says.