Physical Security Tips to Keep Your Environment Safer
The biggest weakness in your security isn’t necessarily the lock. In fact, it’s often the person standing next to it. The world of physical security testing and “legal break-ins” reveals how easily social engineering and misplaced trust can let a confident attacker past your barriers. Much of it has to do not with the security mechanisms themselves, but with how you think about them. True protection isn’t just about hardware. It’s also about awareness.
See Anyone Can Walk In with Deviant Ollam for a complete transcript of the Easy Prey podcast episode.
Deviant Ollam is a physical penetration testing specialist with The CORE Group and Director of Education for Red Team Alliance. These days, he’s also a guy on the internet, posting on his YouTube channel and appearing as a guest on other people’s shows. He gets invited because of what he does, and what he does is break into buildings. As a physical penetration specialist, covert entry technician, and lock technician, companies hire him to break into places to test their security.
He had a hobby of lockpicking and learning about security hardware, but his career started in IT. One pivotal moment in his shift to physical security came while doing IT consulting for a law office. When he arrived, they told him the server room was locked and they were waiting on a locksmith. After waiting for a bit, he asked them to show him the server room. He got the door open easily and got to work. Afterwards, they asked him what he had done to the door, and he pointed out that the office’s doors didn’t latch properly and showed several lawyers how to break into their own offices. Later, they hired him to do a security audit of their office.
Physical Security and Security Theater
Deviant’s friend Bruce Schneier coined the phrase “security theater.” There’s a quirk of the English language in that the word “secure” has multiple meanings. If you say “I am secure,” there are a few things it could mean. It could mean that your door is locked with a solid mechanism and nobody’s coming in. Or it could mean that you feel secure. There’s a difference between being secure and feeling secure.
There’s the feeling of security and the actual objective reality of security. If being secure is someone’s goal, many times they might not feel secure, even if they are in a very safe environment.
Deviant Ollam
If you want to be secure in reality, you may end up more aware of potential security issues and therefore feel less secure despite being quite safe. Middle-class Americans stereotypically think there’s danger around every corner even though in reality they’re quite safe. Many people also want to feel secure, regardless of whether or not they actually are secure. So when thinking about achieving physical security, it’s important to make the distinction between feeling and reality.
Symbolic Locks
One of the results of this security theater is that we don’t really distinguish “symbolic locks” from actual security locks. Take, for example, an electrical panel in a store located in an area customers can access. If a customer got curious and poked around in the electrical panel, they could be seriously injured. If there’s no lock on that panel, the store could be held liable. The lock on that panel doesn’t have to be a good lock. It’s not there to prevent all access; it’s there to communicate to people that they should leave it alone. If someone figured out how to get it open, they could still get electrocuted. But because the lock was there communicating that they shouldn’t do that, that’s not the store’s fault.
We don’t specify this designation very well of what I would call symbolic locks versus security locks.
Deviant Ollam
Another classic example is the office thermostat. Many companies put a plastic cover with a lock over it. People could still put a pen through the ventilation holes and change it, but the lock communicates they’re not supposed to do that. Same with a three-foot fence around a yard. Sure, you could easily hop over it, but it’s much harder to explain why you’re there since you had to know you aren’t supposed to be. It’s a symbolic demarcation of property.
Where people get in trouble with their physical security is getting a symbolic lock for something that needs real security. A symbolic lock works just fine for something like a gym locker. But a storage unit, which could have real valuables and might be unattended for long periods of time, has a much higher risk of someone actually trying to get in. Putting a weak lock on that is risky.
Choosing a Good Lock
If you need a lock that’s not just symbolic, choosing one can be challenging. The United States doesn’t have many effective standards. Retail packaging of many products carries ratings, but it’s mostly vendor marketing, and the scales are only comparable within a single brand. There are some standards, like the ANSI/BHMA grades, and Underwriters Laboratories has standards for high-security lock products, but those can be confusing for a buyer. Deviant likes how it’s done in parts of Europe, where police and insurance agencies rate lock products on an easy-to-understand scale.
Deviant’s best advice is to purchase your locks from a reputable locksmith with an ALOA (Associated Locksmiths of America) number, ideally at a brick-and-mortar establishment. You can explain your physical security situation and ask what they recommend and why. They’ll give you some options and explain why they think each will work for your situation.
Locks Aren’t Everything in Physical Security
Deviant obviously has a lock on his house. But it’s not impenetrable. His concern is more about key control. He made 10 keys and labeled them all. In the family password manager, he and his wife track who has which key. In his neighborhood, an intruder is more likely to break a window, so he’s not too hung up on door security. You might live somewhere where they’re likely to try to pick your lock. Or if you’re trying to protect a warehouse full of equipment, you probably need to spend less time worrying about illicit key copies and more time worrying about people trying to smash their way in. The threat that is realistic for your environment should decide where the effort goes.

Some people talk about how great the lock is on their front door. But they don’t think about the fact that their doorframe is made of old wood. Nobody has to unlock that door; if they kick it hard enough the frame will break. In both the locksmith world and the security assessment world, security is best in layers. You don’t have to prevent every attack, and nobody can. But your security measures should delay an attacker and make them consider whether it’s worth the effort.
You don’t necessarily have to prevent all attacks, and no one can prevent every attack, but your security … should delay and deter an attacker.
Deviant Ollam
Think about a safe, for example. It’s not something you put valuables in so they can never be touched. It’s a container designed to make criminals think about whether or not the effort is worth the reward. It takes time, effort, and tools to get into a safe. Do they want to spend twenty minutes and make a ton of noise to get in? Probably not. It won’t defeat a determined attacker, but it will delay and deter most.
Testing Physical Security
When a company hires Deviant to test their physical security, his first step is always to figure out who the stakeholders are. Sometimes there’s internal politics going on within the company. There’s a lot of emotional work involved with delivering the message in such a way that nobody looks like the bad guy and nobody looks foolish. There are also situations where a company wants something that will interfere with an external stakeholder.
For example, a company might be on the fifth floor of a building. They probably don’t own the whole building, and the building management company is responsible for the security in the lobby and the elevators. This company wants Deviant and his team to break in from the street. In their head, it’s all security. But they don’t pay those guards or maintain those systems, so they can’t authorize testing them. Often, what Deviant will do is talk to building management and do a walk-through of the lobby. He may even give management some free tips about how he could exploit the lobby or the elevator. Then he’ll tell the client that an attacker definitely could get through, and continue the test on the fifth floor, where the client actually has authority.
Some people in this physical security testing industry have had bad experiences. There was even one well-known incident where the technicians got arrested and had to deal with a court case. To avoid that, Deviant often reaches out to local law enforcement beforehand to explain that they’re going to conduct some security tests, so reports of something going on don’t have to be treated as a priority. Local law enforcement is always glad to know what’s going on. It also makes it easier to defuse potential situations with law enforcement when you can name the local sheriff and say he knows what’s happening.
Reporting Suspicious Activity
In some scenarios, clients ask Deviant to repeatedly infiltrate the company, getting more and more obvious each time, to see at what point employees say something. He’s gotten surprisingly far. In one instance, he was trying to open a secure cabinet. It was the middle of the day during office hours, and he was kneeling by the cabinet making a lot of noise while badly picking the lock. An employee at the desk next to the cabinet asked what he was doing. Deviant asked what it looked like. The employee said it looked like he was trying to pick the lock. Deviant responded, “Yeah, sometimes you have to do that.” It wasn’t the kind of response someone would expect from a thief, so the employee didn’t question him further.
He’s also had plenty of incidents where he’s sneaking around after hours, someone sees him, and he hides somewhere. The most common resolution to those incidents is the person looks around a little bit, can’t find him, and goes back to their desk. Once, someone sent an email saying that there was a suspicious person, but they didn’t see him anymore so he may have left the building.
If you want your employees to react to these kinds of scenarios, you have to have a physical security response plan. When digital security was getting started, pros would ask employees what to do if they thought they saw a hack or a phishing attempt. A lot of people would say they didn’t know, or that they’d call the help desk, or that they’d tell their boss. The cybersecurity field had to push the idea of having a designated contact to report it to. Physical security needs the same thing: if you want people to report something, you have to train them on what they should report and give them a specific place to report it.
Identifying Suspicious Activity
When Deviant breaks into companies, he hopes not to run into anybody. But if he does, he has a cover story prepared. Sometimes it’s that he’s with another branch or office of the same company. Sometimes he claims to be with a local utility company, servicing the printers, or working on the elevators. He throws in enough jargon to sound like he knows what he’s talking about. Most of the time, he’s interacting with someone who isn’t responsible for the elevators or printers or whatever else, and they don’t want to interfere with what looks like legitimate work getting done.
Deviant likes the idea coined by Rachel Tobac of SocialProof Security of being politely paranoid. You can be polite while still challenging someone to give more details and prove they’re supposed to be there. Any time someone wants you to hurry up, be cautious. It’s just like a magic show: if they can get you to rush, you’re not as cognitively engaged as you normally are. But you have the right to ask someone to clarify things or verify what they’re saying.
It’s just like any other kind of consent. If you’re on a date and the person insists on buying you another drink even though you said no, that’s a problem. The same applies here: if someone is trying to hurry you past something that makes you uncomfortable, that’s a warning sign. Be polite, but a little suspicious.
If someone’s trying to hurry you past anything that makes you uncomfortable, that should raise that [red] flag.
Deviant Ollam
Find Deviant Ollam with The CORE Group or Red Team Alliance. Red Team Alliance has one of the longest-running trainings in the industry, and would love to train you if you have an interest.