Physical Security - Effective Visitor Management

Physical Security

This is one area where IT security team work with the Admin/Facility team. The responsibilities are different. Some of them are mentioned below. Through this article, I would like to explain more about some of the risks and mitigation strategies.

Responsibilities related to Physical security include

  1. Ensuring that security perimeters are physically sound.
  2. Ensuring that all external doors are secured against unauthorized access.
  3. Ensuring that doors and windows are locked when unattended.
  4. Physical barriers are in place to prevent unauthorized access.
  5. Intruder detection systems should be installed and monitored.
  6. Fire doors should be alarmed, monitored, and tested.
  7. Protection of media.
  8. Ensuring that employees and visitors are wearing visible identification.
  9. Any unescorted visitors should be immediately reported to security.
  10. Ensuring that third parties are granted restricted access to secure areas only when required.

Here, I would like to discuss about the last 3 points. (8,9 and 10). This is some area where the controls are vulnerable to social engineering attacks. What are the threats involved here? What are the mitigation controls? We will discuss those below.

In most of the companies, in reception, there will be a receptionist or a security guard these days. If someone wants to visit an employee, the receptionist will ask for the details and provide a visitor book and asks to put down their signature. Then they will call the employee to verify whether the visitor is legitimate or not. Based on that, a temporary ID card will be issued. Then the employee will come and take the visitor inside to a meeting room. After the meeting, the visitor will come out and make an exit entry in that visitor book and hand over the temporary ID pass. This is the normal process.

We will discuss about the risks involved in this first.

Suppose a visitor comes and the receptionist asks him/her to enter the details in the visitors book, then they may be able to see the previous visitors. If a previous visitor was from say “ABCDE Inc.” visiting the “IT Department” then they could potentially be a third-party support technician. If they came by car, then they will look at the registration details, the social engineer could simply search for the car in the parking lot and wait until they return to their car to see how that person has dressed, what tools they were carrying and even chat with them to elicit more information. This is all excellent information to aid in possible impersonation attacks.

If the reconnaissance revealed the name of someone in management and the sign-in sheet revealed that an individual was visiting that person, then the social engineer could use that to gain credibility. They could potentially contact that manager claiming to be the individual’s colleague; “Hi, I understand that my colleague XYZ visited you today, could I ask how the meeting went?” From the manager’s perspective the caller must be genuine or else how else could they possibly know about the meeting?

Another issue is when the social engineer doesn’t know anything about the person who he wanted to meet. So he will guess a name to the receptionist and get to the stage of signing in.However, they could simply write down false information and provide a contact they know isn’t there. When the receptionist informs them they could simply claim that they’ve obviously made a mistake, apologize and leave without incident. This will make them more familiar with the environment.

Another thing is when the social engineer arrived, signed in and then told the receptionist that the primary contact wasn’t in but said it was fine for them to work unassisted, would the receptionist know what to do?If the social engineer dropped enough names, explained a very plausible situation, looked right and sounded convincing, the receptionist may well accept the social engineer’s reasoning for dismissing the procedure. In fact, in the phase of not knowing what to do, accepting the social engineer’s reasoning would likely be a tempting solution to the problem.

The social engineer may explain that they’d already spoken to their manager XYZ and she said it would be fine to be unescorted, knowing full well that manager XYZ is away on business presently.

Procedures are not always designed with security in mind, focusing more on trying to keep the businesses running smoothly. The simple lack of “if then” and “what if” statements create situations where the employee is left to interpret the procedure, which leads to situations that social engineers can potentially manipulate.

How we can mitigate these risks? Yes, I agree that Security Awareness is one way of dealing it. Receptionists or the Security personnel who sits out in reception should undergo rigorous security awareness training to counter these sorts of social engineering attacks.  But humans can still make mistakes.

Do we have a tool that can control and manage the visitor’s access without much hassle?

Yes, we have those softwares like EasyLobby(HID), Spectra, Envoy, Capsure, Passage Point, Fast-Pass etc.

We can integrate with a wide variety of access control systems to provide access cards to visitors directly from the visitor management station. These tools enable all the employees to pre-register their visitors via internet or corporate internet. This will ensure that only legitimate users will be visiting the facility and some of the tricks I mentioned above won’t be effective for a social engineer.We could also create internal watch lists to screen against unwanted visitors. Also it is possible to use external databases to screen against government denied parties and be warned of their attempted entry through programmable security alerts delivered on-screen, or via email or SMS.

Coming back to the visitor access issue, these tools would allow organizations to grant temporary card or barcode access at the time of check in with an expiry time. So in case if the visitor takes the access card home also, it won’t work in future.  And when the visitor reaches the reception and completes the formalities the employee would receive an email about his arrival and can act accordingly.

So the point is we should start thinking about the next generation access control systems where we would be able to overcome any social engineering tricks.

Views by Aju Nair

Rate this article: 
Average: 2.5 (8 votes)
Article category: 

There are 3 Comments

Well written article. This is indeed the neglected area of physical security but the impact could be really high if the threat source has stronger motivations than the controls in place (which are mjaorly - the manual controls).
I would like to know whether companies have started deploying the automated solutions as mentioned above or is it still in the nascent stages ?

Well written article. This is indeed the neglected area of physical security but the impact could be really high if the threat source has stronger motivations than the controls in place (which are mjaorly - the manual controls).
I would like to know whether companies have started deploying the automated solutions as mentioned above or is it still in the nascent stages ?

Yes Devesh. Threatscape has changed a lot now. We wont be able to accomadate any small sort of negligence these days. Companies already started thinking about these automated solutions. When I did the reasearch about this, for a particular vendor who sells these integrated solutions, I could see a long list of customers. This is a good sign that the companies has started thinking positively and deploying these effective solutions. And unfortunately, companies are more interested in other technical controls. Physical security is something they wont consider much seriously, but the impacts are really high.