
ISO 27001 Controls: Physical Security

Keep your keycard safe and avoid malicious actors

Hold onto your office keycard

If you work for an organisation that takes security seriously, then, in all likelihood, physical security is an important consideration for each and every employee.

For you, this probably means taking reasonable measures to prevent unauthorised people from entering the office where you work. Perhaps most significantly, this means ensuring that you always know where your keycard is.

ISO 27001:2013 Annex A control A.11.1.2 (Physical entry controls) requires that secure areas be protected by appropriate entry controls, so that only authorised personnel can get in.

Keep your keycard safe

If you leave your keycard unattended in a public location, then, of course, anyone can steal it. Furthermore, if they saw you leave it, they might know who you work for, and from there, they could probably find the address of your office pretty easily.

The risk of leaving your keycard unattended at your office may not seem like such a big deal – but think again. Do people, other than employees, ever visit the office?

Perhaps your office regularly receives deliveries, possibly several times per week and from different delivery people. Perhaps employees’ family members and friends occasionally visit your office.

When someone, other than an employee, visits your office, you can’t necessarily trust them. If someone visited your office with malicious intentions, and they happened to see a keycard lying around, there’s a decent chance that they’d steal it.

Here at Inverifi, thanks to dishing, if I left my keycard unattended on my desk, I could be almost certain that a malicious colleague of mine would steal it. Following that, the entire company would give me a hard time for my negligence, I’m sure.

Unauthorised Access

Imagine a malicious actor, trying to gain unauthorised access to the office where you work. For the sake of this exercise, we’ll call her Eve.


Once Eve is in your office, what can happen? She’s gonna get caught; her stolen keycard will be confiscated, and then she’ll be kicked out. Surely she can’t do that much damage before then – right?

Well, I’m afraid not.

Firstly, she will be caught – but not right away. How many times have you seen a complete stranger in your office, and not questioned it? You might remember a higher-up talking about hiring a new employee, and assume that’s who Eve is.

A “Secure” Environment

Once Eve has gained access to your office, she’s in a location that you and your colleagues consider to be secure, where people tend to let their guard down.

As long as Eve can make use of social engineering, and she can avoid being seen by high-ranking employees, she can probably collect quite a bit of information, simply by remaining present.

Shoulder Surfing

The subject of shoulder surfing was covered in a previous blog entry.

Shoulder surfing in public can be difficult. Firstly, most people in a given public location aren’t necessarily conducting business, and those who are don’t necessarily work for the specific organisation Eve is targeting.

By contrast, shoulder surfing in an office is much simpler. Eve is in an office full of people working for the organisation she’s targeting. She’s also in a “secure” location, where people are much more likely to have sensitive information on their screens.

As long as Eve doesn’t draw too much attention to herself, she can watch screens to find out about secret company plans, employee records, and confidential customer information. She could also eavesdrop on private conversations and meetings.

But what if Eve isn’t able to get all the information she needs? What if she gets kicked out before she’s able to find anything juicy? Well, she might still have an option…

Bugs

No, not software bugs; I am referring to hidden recording devices.

Try this: search ‘hidden camera’ on Amazon. You’ll find that there are plenty of options to choose from. I found one disguised as a pen, and another disguised as a car key – and for well under £100, I could buy both, and have them delivered to my door, tomorrow.

In order to use these tools effectively, Eve would only have to visit your office twice: once to deploy the hidden cameras, and once more to retrieve them. If all goes smoothly, each visit should take less than 15 minutes.

Alternatively, if Eve can access an office unsupervised, she could replace one of the existing power strips with this one. It has a built-in microphone and a cellular modem. This is basically a power strip with a mobile phone hidden inside it.

From there, when Eve is feeling nosy, she can phone the number on the power strip’s SIM card and start listening. Alternatively, she could add credit to the SIM card, and the power strip will upload its recordings to a server, using its cellular internet connection.

And once this power strip is set up, who knows how long it’ll be before someone finds it? Frankly, after doing my research for this blog entry, and seeing what’s available, I’m thinking of tearing all my power strips apart.

Final thoughts

If you work for an organisation that deals with sensitive data, you should do your bit to make sure physical security is upheld at your office – and all of your colleagues should do the same.

As mentioned at the start of this entry, you should ensure that your keycard is always in a secure location. You should always have it on you when you’re at the office, and keep it in an undisclosed location when you’re at home.

Furthermore, if you invite someone into your office who doesn’t work there, you are responsible for ensuring that their visit doesn’t undermine your employer’s security. You should ensure that they’re being watched at all times during their visit.

If you know someone who, perhaps, doesn’t take physical security all that seriously, consider sending them a link to this blog entry.
