Gary DeMercurio

Gov Agents? Police? Neither is likely your company's best choice for leading Physical Security.

I did some digging today and tried to find the most commonly reported ways a bad actor gets access to a building or structure. Since you can't gather data on events you never knew happened (see covert entry), this is what I could find, in no particular order.

1. Forced Entry: The intruder uses physical force to gain entry, such as breaking windows or doors.

2. Lock Picking: Self-explanatory.

3. Unauthorized Use of Access Cards or Keys: Using someone else's card or key.

4. Tailgating/Piggybacking: The intruder follows an authorized person through a door into a building.

Aside from #1, how much effort is really being put into stopping the other three at your company? If your company is putting effort into any of them, the next question is: how well-versed are the people writing your company's policies and procedures and testing and implementing its defenses? Did they read about it? Have they watched videos? Perhaps they went to a conference somewhere and saw a demonstration?

What's disturbing is that, the vast majority of the time, when it comes to the physical and human element of security, companies implement policies and procedures based on exactly that: cursory experience. You wouldn't hire someone to do your accounting who had only watched a few videos on bookkeeping, would you?

Maybe your company would replace your CEO with a candidate who had watched a few episodes of Undercover Boss?

Perhaps have someone with no knowledge of systems, who is simply a gamer, rebuild your network? They "work" with computers, right? That should be enough.

Of course you and your company would never do that; it's ridiculous. Yet those same companies hire police officers, former government agents or even real estate agents (because they lump physical security in with facilities management) to head up "Security". None of those positions involves any experience in bypassing security measures or defending against social engineering. VERY few have any real experience in securing physical access or buildings beyond posting guards and setting up CCTV. And even fewer know the basics: how a door works, how a lock works, which padlocks can be bypassed, where a request-to-exit sensor SHOULD be located for security, or how your company's RFID cards actually work.

Food for thought: if your security team isn't up to date on the latest attacks, bypasses and threats, and on what the "bad guys" are REALLY capable of, how can they perform an accurate risk assessment or audit?

Here are some duties your physical security department should be performing and reporting on to your C-suite or Board:

Risk Assessment, Physical Security Audit, Policy and Procedure Review, Security Culture Assessment, Technology Evaluation, Incident Analysis.

None of these can be done properly without knowledge of advanced techniques, of what real-world adversaries are doing, what their capabilities are and how they put them to use. We have taken control of physical security systems remotely; we were able to open and close, unlock and lock every door in a high-security facility that housed hundreds of millions of dollars of precious items. Would your physical security team even know? Do they have the expertise, or at the very least the cross-training, to recognize something malicious? How would your physical security team audit their technology without actually understanding how that technology works or how it can be manipulated? Most likely, someone says, "Yeah, it's working, camera coverage is adequate and we keep backups for 7 days. Audit complete!"

Every day, the good ole boy network hires someone from law enforcement to head up corporate security for a company. If that company were in the business of arresting people, or of ensuring the law was adhered to, it would be a stellar hire. Any other time, it typically is not.

We as an industry need to stop looking at it as cyber, physical or corporate espionage security and start looking at it as simply "security".

Your current "physical security" team should know your company's network, how to access it, and what should and shouldn't work. The posture where police officers or agents (CIA, FBI or real estate) "secure your building" while your IT department "secures the network" and, let's be honest, NO ONE secures the human element, is archaic and outdated and needs to be left in the past.

Expect more, nay, demand more from your security. 

No one is asking you to fire anyone here. There are a few physical security people we have worked with who have busted their humps to learn; they also understand their limitations and then ask for help. What is unfortunately the status quo is the refusal of most in these positions to admit what they don't know, or, even worse, not doing the due diligence to understand what they should be learning. Physical security no longer has the luxury of saying, "Well, I was in the Secret Service, I've had training." Guess what? Your training is obsolete when it comes to bad actors and all of the ways they can break into your new corporation. Are you hiring that Secret Service agent to do personal security for your C-suite? AWESOME, I wouldn't want anyone else. What it doesn't mean, however, is that they have the skills needed to be head of your physical security, yet.

We need to ensure that those in positions of safeguarding assets have the proper training, and that the right people are put into the right places because they have the proper knowledge, not just because they were an agent, or an officer who went out and got a certificate in physical security (want to take a guess who made most of the training for those certificates?).

In the meantime, I have included for your viewing pleasure an example from a facility run by a former CIA agent who "knew everything" and was against us testing the facility, as "it was a waste of time, the facility is secure". If I remember correctly, he also said something to the effect of "What do hackers know about physical security?" If it weren't for the company's VP of compliance, we never would have been there. (Note: this is NOT a one-off instance; most physical security teams at companies do everything they can to NOT have us show up and test them.) This is how we typically get into most of your "secure" facilities. Thanks to Justin Wynn for demonstrating one of our "advanced techniques".
