
Unlike controls that rely on deterrence, physical access controls are designed to directly impede the progress of an intruder. Such mechanisms include:

• gates or barriers;

• mantraps;

• turnstiles;

• locked doors;

• motion detectors.

None of these controls are foolproof and an imaginative tester can usually find a way around them.

MECHANISMS OF PHYSICAL SECURITY 47

Bypassing a Gate or Barrier

On many sites that employ proximity badge systems, the gate or barrier that grants access from the main hall into the rest of the building is not a real physical control. It can be circumvented simply by vaulting over it or walking around it. The only things preventing you from doing this are:

• Staff members – If staff see you jumping over the barrier they are likely to comment on it. There is no real way around this other than to ensure that they don’t see you. If you are in the unfortunate position of considering this approach make sure it’s not during peak times – first thing in the morning, last thing in the afternoon, or at lunch time.

• Security guards or reception – These people can be distracted by fellow testers. The sorts of distractions you employ are limited only by your imagination but may include anything from simple enquiries to faking a heart attack. On virtually all sites, guards give precedence to the health and safety of staff and visitors over guarding a post.

• Cameras – Most cameras won’t be pointing at the barrier itself but at the doorways into reception and sometimes at an area beyond it, such as among the lifts.

Breaching border security by vaulting barriers in a public area should be an absolute last resort. You’re likely to get caught and look very stupid indeed. There is always a better, more intelligent approach; you just haven’t found it yet.

Working Around a Mantrap

A mantrap is an airlock-like form of access control found in high security sites and is driven solely via proximity badges. When you swipe your badge, the first door opens, you enter and it shuts behind you. Only then does the second door open and permit your entry. The process is repeated when you exit. To further complicate things, the floor of the mantrap is a pressure sensor that measures weight and weight distribution in order to detect the presence of more than one person. In some environments, your body weight when leaving is compared to that on entering. Any significant variance triggers an alarm; this also acts as crude anti-theft detection. Obviously, such devices make tailgating attacks impossible.

A mantrap can be an intimidating obstacle to a tester (and, indeed, employees in general) but that’s the whole point. It is a very visible indication of physical security and is designed to project an image that such things are taken very seriously here. However, like all images they’re largely just for show.

48 EXECUTING TESTS

When you walk into a company reception, you see what the company wants you to see. A mantrap impresses visitors and acts as a deterrent to an intruder. However, their use creates certain problems. The small area inside the mantrap will permit an individual to enter but not much else.

A business (particularly a large business) requires much more than simply people to function: it also needs desks, chairs, computers, water for the coolers, and so on. These things don’t go through a mantrap.

Generally, you have two options when bypassing such obstacles: either find the delivery entrance (which will be safely free of mantraps) and penetrate there, or show up at reception with a delivery, at which point reception will let you through alternative doors (sometimes found to the side of the mantrap) or point you in the direction of the delivery entrance.

Another point to bear in mind: access through a mantrap is slow. It can take around 20 seconds for just one person to pass through it, either in or out. In an emergency situation, this is completely unacceptable, so certain events such as a fire alarm automatically cause both doors to open to permit swift evacuation. Don’t be intimidated by flashy border controls and remember, security is only as strong as the weakest link in the chain. It’s your job to find the weakest link.

Gaining Access Through a Turnstile

Turnstiles are a common sight at high-security facilities, usually outside, at the border of the site. Like a mantrap, a turnstile is designed to permit access to one person at a time and is not obviously easy to bypass. They provide you with exactly the same problems as mantraps. You can usually avoid a turnstile by driving (or walking) into the car park, where staff and visitor access controls are likely to be internal. Other means of ingress certainly exist. This is why you do preliminary research (see Chapter 6).

Breaching a Locked Door

Many of the things we unquestionably rely upon for security are easy to compromise with a little knowledge and thought. Nowhere is this truer than with locks. By locks, I’m not talking about electronic proximity systems but traditional devices that open with cut keys. Because some tests are inevitably going to include an element of lock picking, Chapter 5 is as broad and thorough a look at lock picking as I can make it. The sort of locks that one can reasonably expect to encounter won’t (in most cases) be high security. Targets of lock picking during a physical test include:

• padlocks on dumpsters or side doors;


• locks on filing cabinets and desk drawers;

• locks on office doors (in places where staff routinely lock them when at lunch or leaving for the day).

In most cases, these locks can be bypassed with only a little prior knowledge and practice.

Bypassing a Motion Detector

Motion detectors are not utilized during office hours except in high-security areas and even then only at high-security sites. Such devices are therefore only of concern if you are conducting a night-time penetration of a smaller facility (larger sites have 24-hour security).

They tend to be activated by a central alarm system when business is concluded.

One advantage to knowing in advance that the site is alarmed and equipped with motion sensors is that it means you’ll be the only person there. The downside to this is bypassing the sensors themselves. This may, however, be achieved in the following ways:

• Some sensors have a bypass button on the bottom. If you are able to reach the sensor without triggering it you can disable it this way. This is sometimes possible when sensor location is poor. A particularly poor location is at the top of stairs where it’s often possible to crawl up them underneath the sensor’s line of sight. Another example is above a door, where the door swings outwards. If a bypass switch is not present, you can (very slowly) attempt to cover the sensor with sticky tack or a similar substance.

• Motion sensors sense motion: move slowly! These devices are usually not as sensitive as you would imagine. I’ve seen sensitivity turned down for some odd reasons. For example, a sensor was pointing at a window with a tree outside it. The tree would sway in the wind and trigger the alarm, so the sensitivity was reduced. Clearly, placement of the sensor was the real problem, but the resulting tree-and-window combination turned out to be very useful.

• Knowing the alarm code in advance is very useful. The number of people within the company that have access to this information directly impacts your chances with a social engineering attack, but this is the most elegant solution.

• If you trigger enough alarms over the course of an evening, it will look like an equipment malfunction and eventually the alarm system will be disabled for the night. Once this occurs, wait a couple of hours before attempting entry. The companies that respond to these alarms are not stupid.


• You can disable some sensors by cutting off power to the building; some have a battery backup. Either way, it is rarely feasible to find out in advance.

• Sensors that use infra-red (IR) light can be detected with the right equipment, such as a handheld camcorder in night vision mode.

• Sensors that use radio frequency (RF) have a longer tracking range and work in the same way as speed cameras (on the Doppler or radar principle). Detecting these sensors is not easy (you need to know what frequencies to scan for), but it can be done from further away than IR sensors and they don’t require line of sight.

Summary

We’ve covered a lot of core material in this chapter. The skill sets discussed are absolutely critical to a true understanding of the nature of physical penetration testing and its execution. You should now have a grasp of the following:

• Practical physical security testing – The paradigms or approaches an operating team can take in order to complete their assignment.

• Site exploration – The assets you may need to acquire.

• Tactical approaches – The techniques that one can deploy at a tactical level to gain access to a facility.

• Badge security – The technical measures and psychological approaches that can be adopted to mitigate badge and pass security.

• Security mechanisms – These can be physical preventative controls or merely a deterrent. You should have a good idea of their strengths and weaknesses.

This is an important chapter. After reading Chapter 4, which concerns the theory and practice of social engineering, you may wish to come back and read it again in order to apply what you have learned there.

4 An Introduction to Social Engineering