Lessons from Physical Intrusion Testing: Exploiting Poor Security Design
One of your first thoughts when planning a physical intrusion test will be “how can I defeat the security measures at this facility?”
How do you bypass a door fitted with alarm sensors? How do you avoid detection by Passive Infrared (PIR) sensors? While interesting problems to solve, such an approach misses the fact that many facilities are inherently vulnerable simply as a result of poor security design.
As you’ll learn in this article, it’s possible to gain entry to some facilities without defeating existing security systems, simply by taking advantage of poor security design.
This is the seventh in a series of articles where I’ll be sharing lessons learned relating to physical intrusion testing.
The first article highlighted the importance of modelling a specific threat for an intrusion test. The second article focused on the value of testing multiple layers of security during an intrusion test. The third article focused on reconnaissance and surveillance, and the fourth article introduced overwatch. The fifth article focused on safety, while the sixth explored distractions and diversions.
There are several aspects of security design that can be exploited by an intruder during an intrusion test. The easiest way to work through these aspects is to group them into categories of design flaws. I’ve broken down these categories into four areas:
- Equipment that should be there, but isn’t
- Equipment that hasn’t been correctly installed
- Equipment that’s been poorly maintained
- Equipment that’s poorly integrated
The advantage of exploiting flaws in security design during a physical security intrusion test is that you can provide valuable feedback to your client on actual security design problems. Your recommendations will (or hopefully, should) result in corrective action that fixes serious security vulnerabilities.
In the following sections, I’ll expand on each of these categories and provide examples.
Equipment that should be there, but isn’t
As you start the process of surveillance and reconnaissance on a facility, one of your first priorities should be to identify security equipment that should be there, but isn’t.
Here’s a few examples of missing security equipment:
- External doors with no security cameras covering approaches to the door.
- External emergency doors with no alarm sensors and no door monitoring.
- Gaps in video surveillance coverage in the inner perimeter due to the necessary cameras not being installed.
- Sections of the inner perimeter where lighting is not installed.
- Sub-optimal video surveillance coverage because cameras are positioned too far apart. An intruder working at the far end of a camera’s range is less likely to be identified by a security officer monitoring the system, particularly at night.
The key challenge you’ll face as an intruder is that it’s easy to see what equipment has been installed. It’s harder to identify what’s missing. While you’ll be able to see into the inner perimeter and perhaps access public lobbies during your surveillance and reconnaissance, it may be difficult to identify specific security equipment and difficult to identify what’s missing. Of course, it will be impossible to determine what’s missing inside the facility, in those areas you’re unable to see from public areas.
You could learn what’s missing using the following techniques:
- Check inside publicly accessible emergency exit doors during reconnaissance to determine whether alarm sensors are installed on or inside the door, or whether security cameras are installed to cover the area inside the door.
- Use social engineering techniques to identify and contact your client’s security vendor and obtain equipment lists or technical drawings of the security system.
- Probe different aspects of security. For example, during reconnaissance, try to open an external door to check if the lock can be operated from the outside and to see whether the door is alarmed.
- Prevent a door from closing. If there is no response to an open door within a reasonable timeframe, it’s possible that the door may not be monitored (or that security officers may not be monitoring the access control system, or may be ignoring system alerts).
Once you identify one flaw, you may be able to extrapolate to other similar features of the facility. For example, if you identify that one exit door is alarmed, you can assume that other exit doors will be alarmed as well.
Equipment that hasn’t been correctly installed
If you’re lucky, from time to time you’ll come across situations where security equipment hasn’t been correctly installed. Here’s a few examples:
- Perimeter sensors that are only installed on one horizontal panel of a fence. If the fence is constructed of multiple horizontal panels, it may be possible to scale the fence undetected by avoiding contact with the panels with the sensors.
- Laser sensors along the perimeter that are deployed beyond their effective range.
- Security cameras that are poorly orientated, presenting gaps in coverage that could enable movement without detection by security officers monitoring the camera feed.
- Security cameras facing toward brightly lit areas of the perimeter, providing an intruder the opportunity to exploit lighting that may flare the camera and make it difficult for the security officer to identify movement.
- Lighting that’s poorly orientated, providing dark areas where an intruder is able to move and avoid detection.
- Landscaping objects that provide concealment for an intruder, obstruct observation by cameras or security officers, or obstruct lighting. This is separate from poorly maintained landscaping, which I’ll discuss below.
- Volumetric sensors that are poorly orientated or obstructed, enabling an intruder to avoid the sensor.
- Door auto-closing mechanisms that are too slow to close. If you’re able to access these doors during reconnaissance or site preparation, you can adjust auto closing devices to slow them down even further.
- Outward opening external doors, where the hinge pins are exposed and can be tapped out.
- Magnetic contact switches that have been installed on the outside of the door (weird, but I’ve seen it).
- Break-glass emergency exit switches installed on the outside of the door (also weird, but sometimes necessary to enable emergency egress).
- A video wall in the security control room that doesn’t show key scenes at a sufficient size to enable an intruder to be identified.
Some of these examples will be more difficult to confirm than others. Some might be assumed, based on other indicators. A good example is the last point, regarding the video wall. You won’t be able to determine how the video wall is set up during reconnaissance and surveillance. However, if the facility has a lot of cameras, you might be able to assume the video wall will be cramped. Also, if the site has a small guard force, you might assume that only one or two people will be monitoring the cameras. It will be extremely difficult for one or two people to effectively monitor the feed of dozens of cameras. Of course, be careful making assumptions and try to verify if possible.
Equipment that’s been poorly maintained
While technically not security design, poor maintenance can certainly present vulnerabilities for an intruder to exploit.
Poorly maintained fences can provide opportunities to enter the perimeter without detection. As an intruder, you may be able to identify gaps in the fence or may be able to take advantage of overhanging foliage to enter the perimeter.
In cases where the perimeter area is poorly maintained, foliage may obscure security cameras or alarm sensors. Foliage can also trigger false alarms. Repeated false alarms will either result in security officers ignoring alarms in the affected location, or will result in them de-activating the alarm zone in that particular area. Nothing worse than repeated system messages interfering with a good game of solitaire.
Poorly maintained security cameras are more likely to show a poor image in the control room. Poorly maintained lighting can provide the darkness essential to move undetected at night.
Some aspects of maintenance will difficult to determine. For example, it would be difficult for an intruder to determine how well security cameras or sensors are maintained just through observation. You could, however, take your cue from the general state of the facility. If the inner perimeter area is poorly maintained, that may provide some indication of the state of other systems.
Equipment that’s poorly integrated
Integrated security systems are more difficult to exploit. In practice, it will be difficult for an intruder to know the level of system integration without access to inside information. As a rule of thumb, you can assume that better companies will have better systems. In addition, if you see good security equipment installed at the facility, you can assume the organisation has also spent the money to integrate their systems. Larger facilities are more likely to have integrated systems than smaller facilities. When considering the size of the facility, think in terms of doors. A facility with one main access door and one card reader won’t benefit from an integrated system as much as a facility with multiple doors, and therefore multiple card readers and multiple sensors.
Also consider security cameras. An alarm activation at an access point is less significant if there are no security cameras covering that access point. Security officers may be dispatched to respond to the alarm, but by the time they arrive you should have already moved past that access point and deeper into the facility.
The larger the security system (total card readers, sensors and cameras), the more complex the system will be, and the more difficult it will be to manage. Security officers in the control room may not be able to navigate all of the features of the system, presenting vulnerabilities. Again, it would be difficult to know about these vulnerabilities in advance.
The sections above have focused on vulnerabilities with security technology. Similar considerations can be applied to the guard force. An under-staffed and over-worked guard force can present vulnerabilities, as can a poorly trained or poorly disciplined guard force.
Inattentive security officers are the weak link for all security systems. If security officers aren’t actively monitoring cameras, then it doesn’t matter how many cameras are installed at the facility. Security officers may not notice door held open and door forced open alerts, or if they do notice, they may ignore them. Similarly, they may also ignore repeated alarm activations. You can also make security officers focus their attention on another area by using distractions or diversions.
Vulnerabilities in security design can provide opportunities for you as an intruder when conducting physical intrusion tests. Missing equipment, incorrectly installed equipment, and equipment that’s been poorly maintained all provide vulnerabilities that can be exploited. Poor integration can also provide an opportunity, if you’re able to determine the vulnerabilities.
While the focus here is on you as an intruder, there are also a lot of lessons here for facility owners. The good news is that security design flaws can be corrected, often easily and without significant expense.