How hybrid working is turning the physical workplace into a target
Facing an onslaught of cyber-attacks that begin with social engineering is now par for the course for many security professionals. A growing but often overlooked issue, however, is how the same technique is being used to gain entry to physical offices and workplaces in order to perpetrate cybercrime.
Very similar to social engineering in the digital world, cybercriminals are relying on human vulnerabilities to trick individuals into allowing them entry to premises. Referred to as physical social engineering (PSE), this form of deception exploits typical behaviors and emotions with the goal of obtaining security credentials to give attackers access to confidential data and sensitive information held on computer systems.
Typical PSE techniques
To achieve their endgame, attackers have devised a range of strategies to dupe unsuspecting staff and get around lax security measures. They may pretend to be a trustworthy individual such as an employee, contractor, supplier, or delivery person to gain initial access into a building and then con their way into restricted areas. A common technique, known as tailgating, is simply following legitimate personnel into premises or secure areas. Genuine employees are either reluctant to challenge the identity of an intruder or just don’t notice what is happening. Another way in is by making up a plausible scenario or sob story and perhaps targeting temporary or contract staff to obtain the relevant security passes.
Although many of the methods are quite basic ruses, most people instinctively want to help others and, for example, will open doors to help someone masquerading as a delivery driver carrying a heavy box, or saying they are in a hurry because they might get a parking fine. Unfortunately, the ramifications can be highly damaging, including theft of personal and financial data and intellectual property.
Yet another surprisingly successful tactic used by malicious actors to deliver malware, including ransomware, is to leave a USB drive loaded with malicious files in a well-frequented area, such as a hot-desking space, and wait for someone to plug it in. In a 2016 experiment by researchers from Google and the University of Illinois, who dropped nearly 300 drives around a university campus, 45 percent of the drives were picked up and had a file opened, and the fastest was plugged in just six minutes after it was planted.
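A dropped drive only pays off once it is plugged into a corporate machine, so the check a practitioner wants alongside the awareness training is telemetry that flags storage devices the organisation did not issue. The following is an added example, not code from the article or its author: it parses the lines the Linux kernel logs when a USB device is attached (the `usb ... New USB device found`, `Product:`, `Manufacturer:`, `SerialNumber:` and `usb-storage ... USB Mass Storage device detected` messages), correlates them by bus port, and reports any mass-storage device whose serial number is not on an allowlist of company-issued drives. The log lines and the allowlist are constructed for the example; the serials and vendor IDs are illustrative, not real asset records.

```python
"""Flag unapproved USB mass-storage insertions from Linux kernel (dmesg) log lines.

Added example. SAMPLE_DMESG and APPROVED_SERIALS below are constructed test
data, not captured from a real system.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed kernel log excerpt covering three insertions:
#  1-3: a SanDisk thumb drive (serial present, not on the allowlist)
#  1-4: a mouse (not mass storage, must not be flagged)
#  2-1: a Kingston drive issued by the company (serial on the allowlist)
#  2-2: a no-name drive that reports no serial number at all
SAMPLE_DMESG = """\
[ 1201.112] usb 1-3: new high-speed USB device number 5 using xhci_hcd
[ 1201.261] usb 1-3: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
[ 1201.261] usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 1201.261] usb 1-3: Product: Cruzer Blade
[ 1201.261] usb 1-3: Manufacturer: SanDisk
[ 1201.261] usb 1-3: SerialNumber: 4C530001230512345678
[ 1201.263] usb-storage 1-3:1.0: USB Mass Storage device detected
[ 1350.002] usb 1-4: new low-speed USB device number 6 using xhci_hcd
[ 1350.150] usb 1-4: New USB device found, idVendor=046d, idProduct=c077, bcdDevice=72.00
[ 1350.150] usb 1-4: Product: USB Optical Mouse
[ 1350.150] usb 1-4: Manufacturer: Logitech
[ 1400.500] usb 2-1: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.00
[ 1400.500] usb 2-1: Product: DataTraveler 3.0
[ 1400.500] usb 2-1: Manufacturer: Kingston
[ 1400.500] usb 2-1: SerialNumber: 0019E06B1A2B3C4D
[ 1400.503] usb-storage 2-1:1.0: USB Mass Storage device detected
[ 1520.010] usb 2-2: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
[ 1520.010] usb 2-2: Product: USB DISK
[ 1520.010] usb 2-2: Manufacturer: General
[ 1520.013] usb-storage 2-2:1.0: USB Mass Storage device detected
"""

# Constructed allowlist: serial numbers of drives the organisation issued.
APPROVED_SERIALS = frozenset({"0019E06B1A2B3C4D"})

PORT = r"(?P<port>\d+-[\d.]+)"
NEW_DEVICE = re.compile(
    rf"usb {PORT}: New USB device found, idVendor=(?P<vid>[0-9a-fA-F]{{4}}), "
    rf"idProduct=(?P<pid>[0-9a-fA-F]{{4}})")
STRING_FIELD = re.compile(
    rf"usb {PORT}: (?P<key>Product|Manufacturer|SerialNumber): (?P<value>.*\S)")
# usb-storage logs the interface address (e.g. 1-3:1.0); we key on the port part.
MASS_STORAGE = re.compile(
    rf"usb-storage {PORT}:\d+\.\d+: USB Mass Storage device detected")


@dataclass
class UsbDevice:
    port: str
    vid: str
    pid: str
    manufacturer: str = ""
    product: str = ""
    serial: Optional[str] = None  # None when the device reports no serial
    mass_storage: bool = False


def parse_usb_events(log_text: str) -> List[UsbDevice]:
    """Return one UsbDevice per 'New USB device found' line, enriched with the
    descriptor strings and storage-class marker that follow it on the same port."""
    attached: Dict[str, UsbDevice] = {}  # port -> device most recently seen there
    devices: List[UsbDevice] = []
    for line in log_text.splitlines():
        m = NEW_DEVICE.search(line)
        if m:
            dev = UsbDevice(m["port"], m["vid"].lower(), m["pid"].lower())
            attached[m["port"]] = dev  # a re-plug on the same port starts a new record
            devices.append(dev)
            continue
        m = STRING_FIELD.search(line)
        if m and m["port"] in attached:
            dev = attached[m["port"]]
            if m["key"] == "Product":
                dev.product = m["value"]
            elif m["key"] == "Manufacturer":
                dev.manufacturer = m["value"]
            else:
                dev.serial = m["value"]
            continue
        m = MASS_STORAGE.search(line)
        if m and m["port"] in attached:
            attached[m["port"]].mass_storage = True
    return devices


def unapproved_storage(log_text: str, approved_serials) -> List[UsbDevice]:
    """Mass-storage devices that are not on the allowlist. A device with no
    serial number can never be allowlisted, so it is always reported."""
    return [d for d in parse_usb_events(log_text)
            if d.mass_storage and (d.serial is None or d.serial not in approved_serials)]


if __name__ == "__main__":
    for d in unapproved_storage(SAMPLE_DMESG, APPROVED_SERIALS):
        print(f"ALERT port {d.port}: {d.manufacturer} {d.product} "
              f"({d.vid}:{d.pid}) serial={d.serial or 'none'}")
```

Run against the constructed excerpt, the mouse and the company-issued Kingston drive pass, while the SanDisk drive and the no-serial drive are reported. In production the same logic would consume `journalctl -k` output or a forwarded syslog stream from the hot-desk machines, and a hit should trigger the same "report it" path the training asks staff to use for a stranger at the door.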
Exploiting today’s work culture
But it’s not only human nature that criminals are skilled at exploiting; it’s also today’s new ways of working. The shift to hybrid patterns has introduced different workplace dynamics, making physical social engineering easier to perpetrate than it used to be. In a traditional office environment, security protocols and access controls are generally more consistent and robust, and workers are used to adhering to them on a daily basis. In hybrid and remote work setups, however, employees have far fewer face-to-face interactions, so colleagues often cannot tell a genuine new hire or vendor from an impostor, making it relatively simple for attackers to impersonate either unless verification controls are stringently applied. If employees are seldom physically present in the office, it is much more challenging for security personnel to visually confirm identities and detect suspicious individuals. Threat actors take advantage of these weaknesses and will diligently carry out reconnaissance before executing attack plans, surveying the target location and making repeat visits so that they come to be perceived as a familiar, friendly face.
Mitigating PSE risks
Adapting security programs to incorporate PSE threats and hybrid ways of working requires changes to penetration testing routines and revised training for employees. Raising awareness internally is key to ensuring that employees are alert to the different tactics used by attackers to gain their trust. Training sessions built around real-world examples help to get staff invested in staying vigilant, and staff should be told plainly that they are expected to report unfamiliar faces or unusual behavior in the workplace to a manager or to security personnel, and that challenging someone politely, or asking them to wait while their host is called, is the correct thing to do rather than a discourtesy.
Additionally, everyone working in an office environment should comply with a clean desk policy: it requires little additional effort and is an effective way of preventing an unauthorized person from getting easy access to sensitive data. Writing down or printing confidential information, including passwords or access codes, should be strongly discouraged. Password security should form part of employee onboarding, covering the importance of creating strong, unique passwords, keeping them secure and never sharing them with others, including colleagues. There should also be a company process for disposing of confidential information or any paperwork that might benefit potential threat actors if left unattended or discarded carelessly in wastepaper baskets and bins.
Ideally, organizations should employ technology such as identity cards and biometrics to ensure that only authorized personnel can access specific areas, with additional supervision by security personnel for areas holding particularly sensitive information. Bear in mind that a badge reader on its own does nothing against tailgating, since the door is open for anyone behind the badge holder; where the risk warrants it, pair readers with turnstiles or interlocking doors that admit one person per badge, and review access logs for badges used in two places at once or entering without a matching exit.
To ensure that all these measures are having the desired impact, it’s important to carry out red team exercises, preferably using a specialist third party, to simulate attempts to sidestep both digital and physical security systems. This will help to uncover weak spots and security gaps which may be missed by internal reviews.
Developing a strong and all-encompassing workplace security culture is a shared responsibility. Coordinating strategies across all departments, in collaboration with IT and security teams, will make PSE far harder to execute and will help prevent criminals from using it as another way of fueling their cyber-attacks.
Andy Swift is Cyber Security Assurance Technical Director, Six Degrees.