"Yes, we know you can probably get inside our offices, but there isn’t anything we could do to prevent it."
This is one of the most common pushbacks physical pentesters face when talking to clients. Many companies assume that gaining unauthorized access to their office is inevitable. While it’s true that no system is entirely foolproof, the idea that nothing can be done to slow or prevent intrusions is misguided.
There are proactive measures that companies can implement to significantly reduce their risks and make physical security breaches much harder to execute.
The second pushback most companies raise is, “We haven’t ever been breached, so there clearly isn’t a realistic danger.”
This, too, is a huge mistake that I see all the time, and in this post I will address both of these issues and how you as a pentester can combat them. But before we do, I need to explain a few concepts.
Front-Heavy Security: A Proactive Approach
The concept of front-heavy security has two components. First, it emphasizes concentrating the most robust defense mechanisms at the outermost layers of a facility. This means reinforcing access points such as main doors, windows, and external barriers.
The idea is simple: intruders are our only real threat and therefore, all security should be on the perimeter of our building, ideally at choke points where we expect people to enter.
Second, anyone who has gained access beyond these exterior security points must be authorized to be within the building … how else could they have gotten this far inside?
Hopefully, readers of this blog will immediately see the error of this thought process, and very likely know dozens of businesses that operate with front-heavy security in mind.
Often, clients do not realize this is actually the security setup that they have, because they have followed all the compliance guidelines that a well-meaning, but very misguided, compliance officer has told them to follow.
“If you get X security door, with Y access control system paired with Z security camera, then you are totally safe.”
Flat Physical Networks: A Dangerous Flaw
If I were to ask whether anyone thinks it is a good idea to make everyone within the cyber network a domain admin for their convenience, I would hopefully get a lot of laughing and nobody arguing as to why it's an awesome idea.
Yes, having everyone on the network hold full rights to every system, protocol, etc., is very convenient for the workers, but it is also very dangerous, since any one of them can compromise the entire network … seeing as how they not only have access but basically can do anything they want.
Allowing everyone unrestricted access within a building, from the CEO to the intern, is just as dangerous as leaving your network permissions wide open. A flat physical security network means that once an intruder bypasses the perimeter, or an insider threat decides to do harm, they can move freely, accessing critical areas like server rooms, sensitive data centers, or executive meeting rooms and offices.
Now, with both front-heavy security and flat physical networks outlined, we can begin working on how to address and resolve them.
Understanding the Threats
With the above two concepts out of the way, the next thing we need to focus on are the actual threats posed from both inside and outside of the organization.
I have written A LOT about both, and you can look through the post history to find stories and concepts of insider attacks. It is vital that your client understand what the threats are and why they must be resolved before they become a problem.
The External Threat
External threats are generally what most clients think of first. These include thieves trying to steal equipment, corporate spies aiming to capture intellectual property, or hackers attempting to physically access servers.
These actors typically operate without any prior access to the building, and their efforts revolve around bypassing physical barriers, evading detection, or exploiting weak entry points.
This is the type of thing you will simulate during a black team engagement, but it is less likely to occur in the real world. Outsider threats are a trade-off: they are far less common against major organizations, but often devastating when executed properly by skilled attackers.
The Insider Threat
Insider threats are far more insidious. These are current or former employees, contractors, or vendors who have legitimate access to the building and systems but use this access inappropriately, either through negligence or malicious intent.
As I wrote about here, most organizations don’t realize who actually is holding the keys to their organization and therefore their kingdom. And when you elaborate that the least paid, most undervalued employees are the ones with total control of their organization, it tends to shock them.
Insiders have all the access, and all the time they want, to attempt to compromise an organization. So when you ask the client about this, they often give you some response of “Yeah, but it's never happened and there is nothing we can do to stop it.”
Comparisons
Many companies spend millions of dollars safeguarding themselves from ransomware attacks, even though they may have never been targeted. This investment often includes advanced firewalls, intrusion detection systems, cybersecurity training, and cybersecurity personnel, all to prevent a devastating breach.
While these digital defenses are crucial, this highlights a paradox: businesses are willing to invest heavily in preventing something that hasn’t happened yet, but often neglect physical security, even though it's an equally critical threat vector. An attacker who gains physical access to a company’s systems could bypass many of these expensive digital defenses, showing that a balanced approach is essential for full protection.
I often point out this comparison to clients and regularly see a connection being made for the first time: yes, they are willing to spend an almost unlimited amount of money protecting their cyber network but nearly nothing on physical security, despite both being vulnerable and risking catastrophic issues.
I sometimes use a line such as,
“Your cyber threat landscape is huge, with websites, email services, mobile apps, etc. … but you spend millions of dollars ensuring that the possibility of a major breach is near zero.
Your physical threat landscape is very small, maybe just a single building, but any skilled attacker is almost guaranteed to catastrophically compromise you if they tried.”
This comparison and realization can often help the conversation along, because the client realizes the disparity in both spending and concern. Their eyes and ears really perk up when you explain that no amount of cyber security will protect you once I have physical access.
Tell them that all their money and protections are useless if an attacker simply physically bypasses all of them and goes straight to the server room, board room, archives, etc.
Solutions to Common Security Pitfalls
In a previous post, I discussed the most cost-effective way to enhance your physical security, which is a form of security and employee awareness and engagement called CAT (Catch, Award, Try again).
CAT is a type of employee awareness and engagement program that gamifies security breaches. Employees become used to looking for intruders and actively, and more importantly voluntarily, locate and stop threats, because you have rewarded them with something they actually want, that the company can actually afford … TIME.
This type of catch-and-reward system is so powerful because it benefits everyone: the employee, the business owner, and yes, even you, the consultant.
The client can afford the solution, and it drastically increases their overall security
The employees enjoy the game, it boosts morale, and it offers them paid time off
The consultant builds rapport with the client for offering a solution that checks all the boxes
I encourage everyone to read about the CAT method and to encourage all of your clients to adopt the protocol, as it is by far the most cost-effective way to increase physical security without breaking the bank.
The beauty of the CAT method is that it also helps with the next part of this issue, segmented physical access within the building … i.e., don’t make everyone domain admin within your building.
Every sensitive area within your location should be segmented to only allow those with the need to have access. There is no reason, no matter how convenient, for the intern to have access to the server room, so it must be segmented in a way that prevents such personnel from entering.
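To make the "flat physical network" and segmentation arguments concrete, here is an added example (my own illustration, not code from the original post or from Covert Access Team). It models a constructed floor plan as zones joined by badge-controlled doors and compares two policies over it: a flat policy where every badge opens every door, and a segmented policy that grants each role only the zones it needs. A reachability walk from the lobby shows which sensitive zones a holder of each badge (or whoever is carrying it) can ultimately reach, and a small audit flags sensitive zones that every role can get to. All zone names, roles and policies are assumptions constructed for the example.

```python
"""Flat vs. segmented badge-access policy over a constructed floor plan.

Added illustration for the physical-segmentation argument; not code from
the original post. Zones, roles and grants below are all made up.
"""
from collections import deque

# Constructed floor plan: zone -> zones reachable through a door from it.
FLOOR_PLAN = {
    "lobby": ["open_office"],
    "open_office": ["lobby", "meeting_rooms", "it_corridor", "exec_suite"],
    "meeting_rooms": ["open_office"],
    "it_corridor": ["open_office", "server_room"],
    "server_room": ["it_corridor"],
    "exec_suite": ["open_office", "archives"],
    "archives": ["exec_suite"],
}

# Zones the post singles out as critical: server room, executive space, archives.
SENSITIVE_ZONES = {"server_room", "exec_suite", "archives"}

ROLES = ("intern", "engineer", "sysadmin", "executive")

# Flat policy: a badge is a badge; every role opens every door ("everyone is domain admin").
FLAT_POLICY = {role: set(FLOOR_PLAN) for role in ROLES}

# Segmented policy: each role gets only the zones its job requires.
SEGMENTED_POLICY = {
    "intern": {"lobby", "open_office", "meeting_rooms"},
    "engineer": {"lobby", "open_office", "meeting_rooms", "it_corridor"},
    "sysadmin": {"lobby", "open_office", "meeting_rooms", "it_corridor", "server_room"},
    "executive": {"lobby", "open_office", "meeting_rooms", "exec_suite", "archives"},
}


def reachable_zones(policy, role, start="lobby"):
    """Zones a badge holder can walk into from `start`, opening only doors the policy grants.

    Breadth-first walk over the floor plan; a door is passable only if the
    destination zone is in the role's grant set.
    """
    allowed = policy.get(role, set())
    seen = {start}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in FLOOR_PLAN[zone]:
            if nxt in allowed and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def sensitive_exposure(policy, start="lobby"):
    """For each role, the sensitive zones its badge ultimately reaches from `start`.

    This is the question to ask about a lost badge or a tailgater who got past
    the perimeter: once inside, how far does this credential carry them?
    """
    return {role: reachable_zones(policy, role, start) & SENSITIVE_ZONES for role in policy}


def audit_flat_zones(policy):
    """Sensitive zones that *every* role can reach: the tell-tale sign of a flat physical network."""
    common = set.intersection(*(reachable_zones(policy, r) for r in policy))
    return sorted(common & SENSITIVE_ZONES)


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"== {name} policy ==")
        for role, zones in sensitive_exposure(policy).items():
            print(f"  {role:10s} reaches sensitive zones: {sorted(zones) or 'none'}")
        print(f"  sensitive zones open to everyone: {audit_flat_zones(policy) or 'none'}")
```

Under the flat policy the walk shows every badge, the intern's included, reaching the server room, the executive suite and the archives, so a single lost badge or one tailgated door exposes everything; under the segmented policy the intern badge reaches none of them and each sensitive zone is reachable only by the roles with a need for it. The same walk is a useful way to review a client's real badge-system export: run it per role and look for sensitive zones that show up for roles with no business there.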
In my experience, organizations that adopt the CAT method mentioned above often see personnel become much more likely to approach unknown people within restricted areas and contact security. This is because they are no longer in fear of getting into trouble, and may even earn a really nice reward.
Lastly, and this is really the only costly method of increasing security, perform a proper security audit. Audits look at your physical security through the lens of an attacker and not strictly through the lens of a compliance officer.
An audit looks at every security feature you have and asks the question,
“If I were an attacker, how could I get past this?”
Most organizations are not ready for pentests, and without a proper audit, the pentest may have little actionable value to your client. So always start with an audit to bring your client’s security up to a high level, before you even talk about pentesting.
Finally, you will also need to help your sales department make these agreements with the client; I have written about some tips for that here.
Conclusion
While no system is completely breach-proof, the idea that a physical intrusion is inevitable, and therefore unpreventable, is a fallacy.
By understanding the weakness of front-heavy security and a lack of employee engagement, companies can better begin to resolve their physical security threats.
Implementing the CAT program, segmenting their physical security and if possible running either audits or pentests can all drastically increase an organization’s overall defense against attackers.
Security has three components:
Compliance - the security tools
Defense - how those tools are used
Offense - reality checking the defense
Solid security will always have all three of the above; make sure that your organization properly utilizes them all.
Training Resources:
For individuals looking for hands-on training that includes all of the above topics, Covert Access Team (covertaccessteam.com) provides training courses focused on physical penetration testing, lockpicking, bypass techniques, social engineering and other essential skills.
Covert Access Training - 5-day hands-on course designed to train individuals and groups to become Covert Entry Specialists
Physical Audit Training - 2-day course on how to set up and run a physical security audit
Elicitation Toolbox Course - 2-day course that primarily focuses on elicitation and social engineering as critical aspects of Black Teaming
Counter Elicitation - 2-day course on how to recognize and prevent elicitation attempts, and safeguard your secrets.
Cyber Bootcamp for Black Teams - 2-day course designed explicitly for physical penetration testers who need vital cyber skills to add to their toolbox.
Private Instruction - Focused learning & training based on your needs.