In nearly every office building, whether it is a corporation, government facility, research center or small business, the lobby or main entrance will have the heaviest security. This is to be expected, as this is where people are expected to enter and exit, and it carries the bulk of public traffic. By contrast, as you approach areas with less public traffic, such as a parking garage or rear entrance, the security tends to decrease. And once inside the facility, beyond the initial security checkpoints, nearly all security is gone, due to a perceived level of trust.
If you have gotten this far, you must be approved to be here.
This trend of security that scales with how heavily trafficked an entrance is, combined with a perceived trust of anyone who has made it beyond the initial security checkpoints, is the essence of front heavy security.
The savvy attacker will likely attempt entry into a building away from the most trafficked entry point, because this is where security is the highest and the probability of getting caught is greatest. That said, it can sometimes also be the best location to enter if:
The attacker has cloned or stolen an active ID badge
Entry barriers are not single person use (meaning more than one person can enter at a time)
Security barriers are easy to bypass & security personnel are complacent
etc
That said, the disparity in security between the front and rear entrance of a building can often be so great that attempting any of the above is unwise, even if they have a chance at success. I have seen government offices where the front entrance has armed guards, with a single use turnstile requiring an unclonable RFID badge and a biometric scanner to get beyond the lobby, while the parking garage stairwell door was left unlocked.
Yes, you could attempt to sneak in through the front, but when the rear security is so appalling, why would you risk it?
This gets me to the most dangerous aspect of front heavy security, which is the presumption that anyone who has gotten beyond the entry points of a building must have authorization to be there. This makes nearly the entire employee staff your unknowing accomplices by helping you to blend into the crowd of the building, which by sheer numbers ensures that there are always legitimate employees that are unknown to other employees. Because employees are human, they will do certain things that make your life as an attacker easier, such as:
Leaving laptops & equipment unlocked
Leaving ID badges & keys unsupervised on their desks
Leaving sensitive documents lying about
etc
In fact, I often use employees to privilege escalate by stealing or cloning badges, to gain access to areas of a building I previously didn’t have after my initial entry into the building. And because of the level of trust imposed on everyone within the building, it's trivial to gain access to sensitive areas by either capitalizing on, say, a secretary's lack of awareness or a little smooth talking your way into places like board rooms where you can then steal documents or plant various listening devices for some corporate espionage.
You may think that an ID badge is required once inside a building, but the sad truth is that 99% of the time, once inside, nobody cares about your ID badge, and in the rare event that it is required, a simple lie of “I left it at my desk”, or even showing them a completely different ID badge and saying you’re a consultant here to do XYZ in their office, is often all that is needed to proceed.
Once inside a building, an attacker generally has free rein to move about the building and do whatever they like, which typically consists of:
Stealing or cloning sensitive documents
Planting various man in the middle devices
Planting listening devices in specific rooms
Stealing or cloning ID badges or physical keys
etc
Once inside, a good attacker can accomplish everything in the list above in a matter of a few hours and then leave the building. If the attacker has a specific task to perform, such as bugging a corporate board room, or stealing a specific file, a good attacker can often be in and out in a matter of minutes.
While some devices such as laptops can detect man in the middle devices (or at least attempt to), other devices such as TVs simply don’t. How often do you look behind a TV, especially in an office, to check if there are any nefarious devices plugged in? You don’t, and this is what an attacker will capitalize on.
The above device will intercept a TV display and transmit it wirelessly (pen added for scale), which is nearly never discovered because most people never look behind TVs or even work stations for such devices.
I have put together a series of such interception devices that will be picked up by a Raspberry Pi, which will then transmit that data over the cell network to a command and control server I own. Therefore, after an attacker has bugged a building and left, the devices will passively transmit sensitive information from work stations, TVs, board rooms, etc., all over the cell network, which is important because the victim’s security will not be able to see this traffic leaving their premises, to me, which I can access from anywhere in the world. And until these tiny devices are discovered, I will have a continuous stream of valuable information and data from the victim.
Returning to the point of this article, and the dangers of front heavy security, I hope that the reader is now more aware that if an attacker manages to breach a building's security, the only thing preventing said attacker from completely compromising everything within the building is the employees.
They are your eyes and ears within the building, they are your only real defense against any attacker who has gained entry, and therefore their security awareness and training need to be treated as just as vital as your actual security services.
A building may have spent thousands or even hundreds of thousands of dollars on its main entrance security, but a savvy attacker may notice that the rear entrance that employees use for smoke breaks or to go to their cars has nearly no security at all, and this is exactly where an attacker will choose to get in.
The takeaway message of this article should be that if your employees are untrained and complacent in security, then your entire security consists of the easiest method of entry into your building and nothing more.
Training Resources:
For individuals looking for hands-on training that includes all of the above topics, Covert Access Team (covertaccessteam.com) provides training courses focused on physical penetration testing, lockpicking, bypassing techniques, social engineering and other essential skills.
Covert Access Training - 5 day hands-on course designed to train individuals and groups to become Covert Entry Specialists
Elicitation Toolbox Course - 2 day course that primarily focuses on elicitation and social engineering as critical aspects of Black Teaming
Cyber Bootcamp for Black Teams - 2 day course designed explicitly for physical penetration testers who need vital cyber skills to add to their toolbox.