One very important topic warranting a comprehensive lesson is physical security. The SANS Institute explains, “When addressing physical security, locking your doors and desk/file cabinet drawers should be the main focus.”
Securing the building’s perimeter and the internal areas containing sensitive information is an important first step towards security, and employees must be aware of this importance. However, in my social engineering experience, locked doors have never prevented me from gaining entry into a building. This is because a company employee has always allowed me access whenever a locked door stood in my way.
My reasoning for needing access to a building has ranged from, “It’s my first day, and apparently, they didn’t set my badge up right,” to “I accidentally left my badge in the meeting room. I usually work in the building next door.” Oftentimes, merely tailgating employees as they badged into a restricted area, pretending to badge in behind them, has proven to be highly successful. (One weakness of most badge readers is that they produce exactly the same sound for a rejected badge as for an accepted one. Therefore, the tailgated victim hears the badge reader’s all-too-familiar ding and assumes the stranger behind him must have a valid badge.)
This is where locking desks and filing cabinets comes into play. In my experience, filing cabinets which should be locked will often have the keys sitting in the locks! If the key is turned to the locked position but left in the locking mechanism, the filing cabinet is not actually locked, and this seems to be overlooked by many employees. Additionally, having roamed the buildings of many companies, I have noticed that unattended desktops are often left unlocked. A malicious individual needs only a couple of minutes’ access to a logged-in workstation to compromise the computer and its data.
Employees assume that because their computers are behind locked doors they are safe, and so they fail to log out when they walk away. Clearly, this is not the case. Therefore, all employees need to be made aware of the seriousness of physical security when protecting sensitive data and working in restricted environments, and they must feel empowered to question a stranger’s presence in these areas.
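The two entry patterns described above, a stranger "badging" behind an employee on a door that has just unlocked, and an employee opening a door for someone whose badge was refused, both leave a trace in access-control logs that a defender can alert on. The following is an added example, not code from the original article; it assumes a hypothetical access-control system that logs per-door badge reads with a GRANTED or DENIED result plus a door-contact OPENED event, and the log lines are constructed.

```python
"""Flag possible tailgating and badge-less entries in access-control logs.

Assumed (hypothetical) log format, one event per line:
    <ISO timestamp> <door> READ GRANTED|DENIED badge=<id>
    <ISO timestamp> <door> OPENED
Two patterns are flagged:
  * a DENIED read within a few seconds of a GRANTED read at the same door
    (the reader beeped for the person who "badged" behind an employee);
  * a door OPENED shortly after a DENIED read with no GRANTED read in
    between (someone let the refused person in).
Exit buttons / request-to-exit events are not modelled here; a real
deployment would need them to avoid false alerts on people leaving.
"""
from datetime import datetime, timedelta

# Constructed sample log for the example.
SAMPLE_LOG = """\
2024-03-04T08:59:58 DOOR-2F READ GRANTED badge=4471
2024-03-04T09:00:01 DOOR-2F OPENED
2024-03-04T09:00:03 DOOR-2F READ DENIED badge=0000
2024-03-04T09:02:10 DOOR-2F READ DENIED badge=0000
2024-03-04T09:02:12 DOOR-2F OPENED
2024-03-04T09:10:00 DOOR-3F READ DENIED badge=9812
2024-03-04T09:10:03 DOOR-3F READ GRANTED badge=9812
2024-03-04T09:10:05 DOOR-3F OPENED
"""

def parse(log):
    """Yield (time, door, event, badge); event is GRANTED, DENIED or OPENED."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        ts, door = datetime.fromisoformat(parts[0]), parts[1]
        if parts[2] == "READ":
            badge = parts[4].split("=", 1)[1] if len(parts) > 4 else None
            yield ts, door, parts[3], badge
        else:
            yield ts, door, parts[2], None

def find_suspicious(log, window_seconds=10):
    """Return a list of (time, door, reason) alerts for the two patterns."""
    window = timedelta(seconds=window_seconds)
    alerts, last_grant, pending_deny = [], {}, {}
    for ts, door, event, badge in parse(log):
        if event == "GRANTED":
            last_grant[door] = ts           # a valid unlock just happened
            pending_deny.pop(door, None)    # the refused person re-badged OK
        elif event == "DENIED":
            if door in last_grant and ts - last_grant[door] <= window:
                alerts.append((ts, door, f"denied badge {badge} right after a granted read"))
            pending_deny[door] = ts
        elif event == "OPENED":
            if door in pending_deny and ts - pending_deny[door] <= window:
                alerts.append((ts, door, "door opened after a denied read with no grant"))
    return alerts
```

On the sample log this produces two alerts, both on DOOR-2F; the DOOR-3F sequence is a legitimate retry and is not flagged.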