First published by Grant Rayner on 26 Jan 2022
6 min read
One of your first thoughts when planning a physical intrusion test will be “how can I defeat the security measures at this facility?”
How do you bypass a door fitted with alarm sensors? How do you avoid detection by Passive Infrared (PIR) sensors? While interesting problems to solve, such an approach misses the fact that many facilities are inherently vulnerable simply as a result of poor security design.
As you’ll learn in this article, it’s possible to gain entry to some facilities without defeating existing security systems, simply by taking advantage of poor security design.
This is the seventh in a series of articles where I’ll be sharing lessons learned relating to physical intrusion testing.
The first article highlighted the importance of modelling a specific threat for an intrusion test. The second article focused on the value of testing multiple layers of security during an intrusion test. The third article focused on reconnaissance and surveillance, and the fourth article introduced overwatch. The fifth article focused on safety, while the sixth explored distractions and diversions.
There are several aspects of security design that can be exploited by an intruder during an intrusion test. The easiest way to work through these aspects is to group them into categories of design flaws. I’ve broken down these categories into four areas:
The advantage of exploiting flaws in security design during a physical security intrusion test is that you can provide valuable feedback to your client on actual security design problems.
Your recommendations will (or hopefully, should) result in corrective action that fixes serious security vulnerabilities.
In the following sections, I’ll expand on each of these categories and provide examples.
As you start the process of surveillance and reconnaissance on a facility, one of your first priorities should be to identify security equipment that should be there, but isn’t. Here’s a few examples of missing security equipment:
The key challenge you’ll face as an intruder is that it’s easy to see what equipment has been installed. It’s harder to identify what’s missing. While you’ll be able to see into the inner perimeter and perhaps access public lobbies during your surveillance and reconnaissance, it may be difficult to identify specific security equipment and difficult to identify what’s missing. Of course, it will be impossible to determine what’s missing inside the facility, in those areas you’re unable to see from public areas.
You could learn what’s missing using the following techniques:
Once you identify one flaw, you may be able to extrapolate to other similar features of the facility. For example, if you identify that one exit door is alarmed, you can assume that other exit doors will be alarmed as well.
If you’re lucky, from time to time you’ll come across situations where security equipment hasn’t been correctly installed. Here’s a few examples:
Some of these examples will be more difficult to confirm than others. Some might be assumed, based on other indicators. A good example is the last point, regarding the video wall. You won’t be able to determine how the video wall is set up during reconnaissance and surveillance. However, if the facility has a lot of cameras, you might be able to assume the video wall will be cramped. Also, if the site has a small guard force, you might assume that only one or two people will be monitoring the cameras. It will be extremely difficult for one or two people to effectively monitor the feed of dozens of cameras. Of course, be careful making assumptions and try to verify if possible.
While technically not security design, poor maintenance can certainly present vulnerabilities for an intruder to exploit.
Poorly maintained fences can provide opportunities to enter the perimeter without detection. As an intruder, you may be able to identify gaps in the fence or may be able to take advantage of overhanging foliage to enter the perimeter.
In cases where the perimeter area is poorly maintained, foliage may obscure security cameras or alarm sensors. Foliage can also trigger false alarms. Repeated false alarms will either result in security officers ignoring alarms in the affected location, or will result in them de-activating the alarm zone in that particular area. Nothing worse than repeated system messages interfering with a good game of solitaire.
Poorly maintained security cameras are more likely to show a poor image in the control room. Poorly maintained lighting can provide the darkness essential to move undetected at night. Some aspects of maintenance will difficult to determine. For example, it would be difficult for an intruder to determine how well security cameras or sensors are maintained just through observation. You could, however, take your cue from the general state of the facility. If the inner perimeter area is poorly maintained, that may provide some indication of the state of other systems.
Integrated security systems are more difficult to exploit. In practice, it will be difficult for an intruder to know the level of system integration without access to inside information. As a rule of thumb, you can assume that better companies will have better systems. In addition, if you see good security equipment installed at the facility, you can assume the organisation has also spent the money to integrate their systems. Larger facilities are more likely to have integrated systems than smaller facilities. When considering the size of the facility, think in terms of doors. A facility with one main access door and one card reader won’t benefit from an integrated system as much as a facility with multiple doors, and therefore multiple card readers and multiple sensors.
Also consider security cameras. An alarm activation at an access point is less significant if there are no security cameras covering that access point. Security officers may be dispatched to respond to the alarm, but by the time they arrive you should have already moved past that access point and deeper into the facility.
The larger the security system (total card readers, sensors and cameras), the more complex the system will be, and the more difficult it will be to manage. Security officers in the control room may not be able to navigate all of the features of the system, presenting vulnerabilities. Again, it would be difficult to know about these vulnerabilities in advance.
The sections above have focused on vulnerabilities with security technology. Similar considerations can be applied to the guard force. An under-staffed and over-worked guard force can present vulnerabilities, as can a poorly trained or poorly disciplined guard force.
Inattentive security officers are the weak link for all security systems. If security officers aren’t actively monitoring cameras, then it doesn’t matter how many cameras are installed at the facility. Security officers may not notice door held open and door forced open alerts, or if they do notice, they may ignore them. Similarly, they may also ignore repeated alarm activations. You can also make security officers focus their attention on another area by using distractions or diversions.
Vulnerabilities in security design can provide opportunities for you as an intruder when conducting physical intrusion tests. Missing equipment, incorrectly installed equipment, and equipment that’s been poorly maintained all provide vulnerabilities that can be exploited. Poor integration can also provide an opportunity, if you’re able to determine the vulnerabilities. While the focus here is on you as an intruder, there are also a lot of lessons here for facility owners. The good news is that security design flaws can be corrected, often easily and without significant expense.
How you can integrate distractions and diversions into your physical intrusion tests to enable you to access the facility and achieve your objectives.
25 Jan 2022 · Read now
Exploring the different aspects of safety you should consider during your physical intrusion tests
27 Dec 2021 · Read now
When to use overwatch, how to position overwatch, and how to communicate with overwatch during an intrusion.
22 Dec 2021 · Read now
How to integrate surveillance and reconnaissance into your physical intrusion tests.
06 Aug 2021 · Read now
Exploring the value of testing multiple layers of security during an intrusion test.
23 Jul 2021 · Read now
Why it's important to model a specific threat when conducting physical intrusion tests, and how to go about the process of establishing a valid threat model.
22 Jul 2021 · Read now