Lessons from Physical Intrusion Testing: Testing Layers of Security
This is the second of several articles where I’ll be sharing a few lessons learned relating to physical intrusion testing.
In the first article, I provided some background and context, and discussed the importance of modelling a specific threat for an intrusion test.
In this article, I’m going to focus on the value of testing multiple layers of security during an intrusion test.
Lesson 2. Test layers of security
I’ve seen a lot of intrusion test reports for commercial offices where the person conducting the intrusion spent a lot of time focused on outer layers of security. While not completely useless, the concern here is that — in cases where the intruder is unable to get past these outer layers of security — the subsequent layers of security remain untested.
For most commercial office buildings, getting through the first layer of security is typically easy, and can be achieved with good timing and a little bit of luck. However, from the perspective of identifying vulnerabilities in security design, getting through the first layer of security doesn’t provide a sufficiently rigorous result because it doesn’t represent the full depth and scope of a facility’s security. Assuming the intruder’s objective is to get to a more secure part of the facility, an intrusion that gets past lobby security but can’t proceed past that point does not provide sufficient value.
Of course, a failed intrusion doesn’t mean a failed intrusion test. A failed intrusion validates the effectiveness of existing security measures. The problem is that an intrusion that fails too early simply doesn’t represent a sufficiently rigorous test and won’t yield a rich set of results. If the client’s objective in conducting the intrusion test is to identify vulnerabilities, failing at the first layer of security will only provide a small sample of the overall security challenge. It’s like reading the first two chapters of a book and then trying to write a comprehensive book review.
Let’s briefly touch on some security theory to provide some context.
Security-in-depth (or defence-in-depth) is a fundamental principle of security design. According to this principle, assets should be secured behind multiple layers of security. The more valuable the asset, the more layers of security there will be protecting that asset.
Each layer of security will be protected by a combination of barriers, secured access points, access control systems, intrusion detection systems and security surveillance. Not to mention security officers and employees. While it may be relatively easy to get through one layer of security, it should be significantly more difficult to get through two or three layers of security. Getting through different layers of security also requires different skill sets.
In a perfect world, an intruder would be detected at the outermost layer of security and would be apprehended well before they can reach their target. For example, the intruder may be observed climbing over the perimeter fence by security officers monitoring the video surveillance system. The security officers can then either move to interdict the intruder or can call law enforcement. Alternatively, an intruder may use tools to access an external fire escape door, setting off an alarm which will trigger a response by a commercial security company (which may or may not arrive on site before the intruder has been able to achieve their objective).
Let’s look at security-in-depth from the perspective of an intrusion that progresses well into a facility. Let’s say my objective was to get to a document stored in an executive’s desk. To get to this file during working hours, I may need to enter the building via an unlocked public door, get through a turnstile that requires a valid access card, get into a lift, get out at the correct floor, enter a lobby door secured by access control, move unchallenged past a reception counter, move unchallenged through the office area, wait until the office is unoccupied, and then go inside the office and take the document from the drawer. Then, I’ve got to get out of the building without being confronted by employees or security officers. Not easy even on a good day.
For this example task, I would have to get past two reception counters (at the lobby and on the executive’s floor), at least two access points secured by an access control system (the lobby turnstiles and the access door on the executive’s floor — each of these probably require a different access card), then move through an office area where everyone probably knows everyone else, then wait around in that office area until I’m sure the coast is clear, and then — finally — walk into an office and take something from a drawer. Hopefully the drawer isn’t locked!
What I wouldn’t necessarily have to contend with in this example is the intrusion detection system (which would be off during working hours). While I would pass by security cameras, it would be unusual on a normal work day for security officers to detect an unauthorised entry by monitoring the camera feed (if the feed is monitored at all). So, at least there’s some good news.
From the perspective of an intrusion test, each layer of security is a checkpoint. As the intruder approaches each layer of security, there’s the possibility they won’t be able to proceed any further. These layers of security not only filter people into specific areas, but also provide friction and uncertainty for the intruder. While it may be possible to breach one layer of security, breaching several layers will be measurably more difficult.
Consider the threat’s objective
This is a good point in the article to reinforce the importance of modelling the threat, which I discussed in detail in the previous article. If the objective of the intruder is to harm employees, they may only need to access the lobby or car park to be able to achieve that objective. If you were modelling a terrorist threat, for example, being able to access the lobby of a facility with a device during a busy time of the day would be enough to achieve their objective.
(As an aside, modelling an intrusion by a terrorist whose only objective is to access the lobby may not seem like a very ambitious intrusion exercise. But don’t forget that the individual would conduct reconnaissance before the attack, which will yield useful insights for security planning. The individual would also need to enter the lobby with a bag or vest containing a device. In locations with a known risk from terrorism, this would not be easy due to the security controls and checks on entry. Modelling terrorism threats during intrusion testing is clearly a risky endeavour, and demands detailed planning and risk management.)
Visible and invisible security measures
From the perspective of the individual conducting the test, the outer layers of security measures — particularly those in public areas — are visible. The intruder can learn about these measures through reconnaissance and surveillance. A casual stroll through the public lobby of a commercial building will give you a good sense of security camera positions, security officer posts, and lift lobby access control arrangements.
What makes an intrusion difficult is what lies beyond the lobby or an external door — the subsequent layers of security that can’t be observed during reconnaissance and surveillance. The known unknowns. The fact that the intruder doesn’t know what they’re going to run into next, combined with the fact that they are likely to run into increasing levels of security as they approach their objective, significantly increases the overall complexity of the intrusion.
For these reasons, it honestly doesn’t matter that much if the intruder is able to get through the lobby turnstiles. Good for them. I’d be more interested in how they navigate their way through an office area they are not familiar with and deal with employees who demand to know who they are and what they’re doing going through an executive’s drawer. By doing this, you’re not only testing physical security, but also other aspects of security, including security awareness.
A more radical approach
Here’s a more radical approach you can use for some intrusion exercises: let the person conducting the test into the lift area, and let them start their intrusion from there. Don’t waste their time and your money messing about with lobby security and turnstiles. Let the person conducting the intrusion test focus on solving the problems that come after the lift lobby. You’ll learn a lot from this approach.
Of course, giving the intruder a head start doesn’t apply to all facilities. For some facilities, the outer layers of security are the most important. Examples in this category include hotels, data centres and logistics facilities, amongst others. If you’re testing the security of an office in a multi-tenanted facility, however, I suggest you cut the foreplay and start the intrusion past the lobby turnstiles. At the least, give this approach a go and see what you learn. If you’re conducting a programme of different tests in a year, you can combine approaches to achieve the best results.
To wrap up, the key focus of any intrusion test should be on evaluating the effectiveness of multiple layers of security. It will be difficult to achieve this objective if the primary focus is on just getting through the outer layers of security. The aim should be to test as many layers of security as possible. If you need to, give the intruder a head start.