Pratum Blog

Physical Security

Would a criminal be able to walk into your building and steal private information? You hope the answer is “no”, but there are only a few ways to try to keep your business secure. Pratum has a solution for that; it’s called Social Engineering.

Essentially how this works is a business hires Pratum to test their physical security. In some cases, that means going to the business location and trying to enter the building or attempting to find sensitive information around the facility.

For each assignment there are two Pratum employees directly involved in the process. One does the physical entry work, while the other sets up the parameters with the client to establish boundaries and expectations. In this blog we are interviewing one person who helps set up these tests, Tony Schwarz, Information Security Consultant. We’ll also hear from someone with a lot of experience testing physical security, Tanner Klinge, Information Security Analyst.

What are some methods of physical social engineering?

Tanner: I typically do dumpster diving and facility access. I use tailgating, where I follow someone without their knowledge into the building without a keycard or code to get in myself. Other times I will use piggybacking, which is where someone lets me into the building by holding the door open for me because my “hands are full” or they are being polite. Sometimes I imitate a vendor or friend of an employee to get into the building. I do media drops, like flash drives left around the office or outside the building. I also check exterior doors to see if they’re locked.

When would a company need to use these services?

Tony: It’s all about their risk. If they have assets they need to protect, which most businesses do, they need to have those services done. They may see indicators that tell them that people are dumpster diving or trying to get in after hours, or see unexpected people going through the office. Having a third party come in and test the controls can show you what needs improvement. If you protect the money or personal information of customers, or if you have access to another location with sensitive data, you may need this.

Sometimes it’s due diligence. Sometimes it’s regulatory or compliance. Some auditors will request a social engineering report.

What sort of things have been uncovered in these tests?

Tanner: During dumpster diving outside offices I have found a lot: driver’s license numbers, social security numbers, addresses, full names, birthdays, and personal banking information such as bank account numbers, PIN numbers, and account totals.

I have found confidential or sensitive information from a business standpoint, like proprietary designs from a company. I’ve seen sales and finance information and HR documents.

There’s also been more personal stuff like child support documentation. Really all kinds of things!

How do you avoid being detected?

Tanner: There are times I will wear small disguises such as safety glasses or a fake badge that is visible. It depends on what I know about the company that I can use to blend in with the other employees. I’ve noticed people have a hard time engaging with others. People still don’t “see something, say something”. As long as I’m walking in with confidence people don’t question it. Most people do not like confrontation.

Are there safeguards in case you do get caught, to prove you’re there with permission?

Tanner: We’ve started talking to local law enforcement in the jurisdiction of the clients we serve. Then we notify police when and where we’ll be working. We will also carry ID and a statement of work (or contract with the company). Plus, we have a point of contact with the client, in case we need to reach someone to prove we are who we say we are.

What changes have employers made after our testing?

Tony: Some organizations will add or improve security controls related to the method Pratum is able to get into the environment. After events like this clients may either upgrade controls, or they accept the risk. An example control could be another layer of security between a reception area and the main part of their business.

How often should this be done?

Tony: At least annually, or more frequently if you have lots of things that were discovered, and you want to validate that your new protocols are working. It comes back to the risk. If you have a big room of gold or nothing, where on that scale are you? The more you have to lose, the more you have to do to put controls in place.

What does the client receive after a test? What is on a social engineering report?

Tanner: The clients are given photos and a synopsis. The photos are taken when I’m at the facility. They are proof of how far I was able to get and what I had access to. The report, or synopsis, details where I went and who I talked to. I try to be very detailed and give a chronological report. I want the reader to feel like they were there with me, to fully understand the situation.

What is the best result from these tests?

Tanner: I would need to be stopped at the door and approached by an employee. Someone should stop me in the first few minutes. Validation is key.

For example, I was at a bank and claimed to be a maintenance worker doing some work for the facility manager. I told the clerk a different name than my own. I looked around and said I needed to get behind a counter. I had a fake work order in hand to look legitimate. They did ask for my ID, so I handed over my real driver’s license, with a different name than what I told them. They made a copy, gave it back to me, and I signed the sign-in sheet. No one checked to see that the driver’s license didn’t match what I told them. I was able to get behind the counter where the money safe was at and had access to the network closet.

Tony: I would hope that management has more information on what choices they should make on how to run their business. At the end of the day it’s up to management to either accept the risk or spend money and time to make changes to reduce the risk. It really just depends on what they’re dealing with and the culture of that organization.

Final Notes from Tanner and Tony for Businesses:

1. Be familiar with your building.

2. Shred your trash.

3. If you see something, say something!

4. Respond quickly if you notice something unusual. Don’t wait for something to happen.

5. Test security controls on a regular schedule.

6. Make sure security measures, like cameras, are working.

7. Management should be training their employees on security protocol.

For more information on how you can test your organization’s physical security, reach out to a Pratum representative today to set up Social Engineering services.

Finding the best approach to security risks within your business.

Business is all about taking risk. Some risks will pay off, while others will come back to haunt you. Unfortunately, there’s no crystal ball to know which risks will be worth the potential danger.

The same can be said about cybersecurity.

Protecting your business from cyber-threats can be costly and time-consuming. There comes a point when a business goes too far to protect itself. Not every organization needs every security measure known to man. You have to determine what level of risk makes sense for your situation.

We’ve come up with some questions every business leader should ask themselves when determining what cybersecurity protection you need.

1. How Do I Determine Risk?

Every business has a certain level of risk they can tolerate before it threatens the future of the company. Determining risk is all about finding your unique tolerance level.

Look at the information your company is storing. Do you have client or employee personal information? Do you have intellectual property such as R&D, patents, etc.? Do you have access to your vendors’ critical information? Then, determine how that information is being protected.

Security professionals should be able to identify, document and explain the various security risks related to the use or storage of this information for you. However, you as the business leader should make the decisions about how much risk to take. Savvy leaders must consider all the risks, then sort through the noise to determine what really impacts business operations.

2. How Much Protection Is Appropriate?

Some risk is good! Risking investments to make money can earn you even more money. Taking on a new product no one else is trying could pay off with a new opportunity in an untapped market.

Knowing what level of protection your business needs is all about knowing your business well. If you pay for a lot of cutting-edge security technology your company does not need, you might be losing money your business could use to grow. Over-protection might be the downfall of your company.

Consider this: If you live in a brick home in a wet climate, you are far less likely to face the risk of fire damage than a wooden home in a dry climate. Buying a robust fire insurance policy for the home in the wet climate would be a waste of money. Not having enough coverage for the wooden home would be too risky. Each home should have a plan designed for its needs.

Cybersecurity should be approached in the same way. The level of risk you can handle is always going to be dependent on the situation your business is currently in.

3. Am I Following the Crowd?

Getting advice and guidance from colleagues is a great way to stay up to date with the latest technology trends and threats. Those resources can be invaluable. However, following the crowd too much is dangerous. “Best practices” are not always universal truths when it comes to cybersecurity.

Having the same cybersecurity protection as everyone else may sound safe, but it’s not going to be the perfect fit for your company. Keeping up with the specific needs of your organization is your responsibility. There should be constant communication and analysis of your cybersecurity operations.

At the end of the day, it’s up to each business leader to decide what makes sense for their own company's interests. Consultants and colleagues can give great advice and valuable wisdom, but the final say needs to come from company leadership.

4. Do I Need Any Cybersecurity Protection?

Yes, but it varies. While you may not need as much protection as your neighbor next door, you always need to have some safeguards in place to protect your business. The three pillars of information security are confidentiality, integrity and availability. While each of these is important to every business, the blend that works for you will be unique.

Cyberattacks happen every day, and they target all levels of organizations. No matter how big or small your operation is, there are hackers looking to gain access to the valuable information you possess.

Risk What You Can, Protect What You Must

You will never be able to eliminate all risk. It would be too costly, and you would never accomplish anything! People take risks every day. Driving to work or eating food could be potentially dangerous, but some risks are more necessary than others. Some need to be more documented and calculated.

We all have a risk tolerance level, and so does your company. Tolerance levels will fluctuate with changes in the industry, new cyber threats, and evolving leadership. Recognize and understand these dynamics so you can stay ahead of the risks your business will face.

California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) has been in effect since the beginning of 2020. This new legislation requires certain businesses to disclose what personal data they hold to customers requesting that information. This is considered a landmark piece of legislation to secure California residents’ privacy rights. While it’s still unclear how much this legislation will impact businesses, there are rights set in place for what consumers can expect.

New Rights for California Consumers:

  • Knowing what personal information is collected, used, shared or sold.
  • Having the right to delete personal information held by businesses, and by extension business’s service providers.
  • Exercising the right to opt-out of sale of personal information. (Children under 16 must provide opt-in consent. Children under 13 need parental or guardian consent.)
  • Having the right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA.

So how will this impact the rest of the country? For one, California is not the only state to enact this sort of legislation. According to CNET, Nevada and Maine have already passed similar legislation and 11 other states are also considering privacy bills.

Another way it could impact more than just California residents is that some of the businesses complying with the CCPA are offering the same privacy rights to ALL U.S. customers, not just the ones who live in the Golden State. That means if you live in Iowa and want to know what a California business has on file about you, you may be able to find out and request it be removed from their servers.

How CCPA Compares to GDPR

While this new push for privacy may seem progressive to Americans, it’s been a part of European business practices for two years now and in a more aggressive way. The General Data Protection Regulation (GDPR) went into effect in 2018. The goal of the GDPR is to give individuals control over their own personal data. EU, EEA, and UK residents now have access to and can correct, delete, and export personal information. The GDPR also has more privacy controls in place, and much steeper fines and penalties for those who don’t comply.

These provisions apply to almost all organizations that collect data from EU, EEA, and UK individuals. That includes small businesses, non-profits, non-technology companies, and organizations operating outside of Europe.

The GDPR is also designed to make following regulations easier to comply with for groups working internationally. Under these parameters, organizations only have one set of privacy laws to understand and abide by, rather than a new set of laws for each country within the region.

Federal Privacy Law Potential

This sort of universal legislation may be something we see in the United States in the near future. With more states creating their own guidelines, there is talk of new, federal privacy legislation.

This possibility of federal privacy laws resembling the CCPA or GDPR is growing more likely after two U.S. Senators proposed legislation that would be stricter than the CCPA in some respects. According to the Brookings Institution, Senator Roger Wicker (R-MS) and Senator Maria Cantwell (D-WA) proposed bills that place stricter limitations on algorithmic decision-making, biometric data, and data minimization.

Federal legislation has been reassuring to some businesses already following the CCPA. The concern is that each state will enact its own privacy laws, making it difficult for companies to keep up with so many different sets of rules. However, even though federal law supersedes state law, some federal laws allow states to enact tougher requirements on top of the federal regulations.

Concerns Over Privacy Legislation

As with any significant change, there are some concerns being raised over the stricter privacy laws. One case out of Germany shows why the concerns may be justified. An Amazon Alexa user requested all of his audio files the device had picked up. Instead, he was given 1,700 audio files from the wrong home. Amazon blamed the mistake on “human error” and said it was an isolated incident.

That’s just one example of how a legitimate customer’s private data, once requested, could end up in the hands of the wrong person. Even when businesses try to avoid this sort of mistake, the possibility of critical information reaching a criminal remains. That’s why some California businesses are now setting stricter guidelines for customers wanting to access their own data.

A New York Times article outlines a recent situation in which a business trying to comply with the CCPA hired a third-party vendor to handle the influx of customer information requests. The vendor started verifying these requests by asking customers to supply more identification. This was typically done by asking for images of customers’ driver’s licenses and even additional photos of the customers smiling. This sort of extra information was concerning to some customers. In short, the business wanted more private data before it would release the customer’s private data.

It appears to be a cybersecurity cycle that organizations are still trying to figure out. What is designed to help protect your data could put you at risk of exposing even more personal information.

What You Can Do

Because this legislation is so new, businesses could use early compliance as an advantage. Using the time and resources needed to become CCPA or GDPR compliant could put you a step above the competition. Touting an emphasis on privacy is appealing to many consumers.

Even if you’re not proactive with privacy for a business boost, you should start considering what compliance will look like for your organization. Companies should accept the fact that privacy rights are a growing concern and new legislation will be coming.

Here are a few steps your business should be taking now to get ready:

1. Designate a privacy officer, someone in charge of organizing the process to become compliant.

2. Be externally compliant. Update your privacy notice on your company website.

3. Think about data inventory. Know where information is located within your system.

4. Figure out how you will be able to obtain and report customer information when requested.

5. Decide on a verification process to ensure the data you’re giving out goes to the correct person.

Figuring this all out may not be easy, but getting to work on it early could save you a lot of issues and headaches later. Regardless of whether it’s the CCPA or another piece of legislation, this is something many businesses will need to respond to. It’s up to each company to decide if they want to be proactive or reactive.

If you need help with objectives like inventory, security controls, process recommendations, or who to reach out to for legal compliance, Pratum representatives work with national and international businesses every day. A Pratum cybersecurity expert would be happy to help guide you through the privacy legislation process.

References:
https://www.cnet.com/news/californias-new-ccpa-privacy-rights-could-come-to-your-state-too/
https://www.brookings.edu/blog/techtank/2019/12/19/highlights-the-gdpr-and-ccpa-as-benchmarks-for-federal-privacy-legislation/
https://www.reuters.com/article/us-amazon-data-security/amazon-error-allowed-alexa-user-to-eavesdrop-on-another-home-idUSKCN1OJ15J
https://www.nytimes.com/2020/01/15/technology/data-privacy-law-access.html