As Dylan was walking into the MarchFit offices, his cell phone rang. It was an automated recording from his pharmacy, so he put the phone up to his ear and listened. Ahead of him a man held the door open to the South MarchFit corridors for a woman carrying a potted plant. As Dylan walked past the security desk, he could see two monitors displaying sixteen cameras each, but the pictures were too small for him to be able to tell what was going on in the images. The security guard was speaking with a woman at the other side of the desk, not looking at the cameras or the entrance or Dylan. Dylan continued to walk toward the entrance when another security guard walked through the door. Dylan followed him in without swiping his badge, which he realized was still in his pocket. He wasn't even displaying his ID like he was supposed to at all times while he was in the building.

Inside the security door was a vestibule for the elevators. The security guard got into one of the elevators and held the door open for Dylan, but Dylan waved him off, pointing to his cell phone. The guard nodded and the elevator doors closed. On the opposite side of the room, there was another card swipe on the door leading into the secure office space beyond. This door was propped open and Dylan could see a water delivery man rolling a cart full of bottled water down one of the aisles. Dylan walked through this door as well.

Dylan knew his way around the offices by this point, but he hadn't been at the company long enough for most people to recognize him. He wondered how far he could make it inside the office before someone stopped him. Would anyone stop him? He pressed the end button on the call—the recording had already repeated twice—and continued walking.

With the phone still against his ear, Dylan walked around looking at the hallways as though it were his first time there. He noted the locations of the cameras embedded in the ceiling. Although he couldn't tell which direction they were facing, there seemed to be paths he could take where he wouldn't be seen. He walked past a room that had several printers with office supplies lining the walls. There was a stack of printed documents waiting to be picked up. There was a recycling bin full of documents next to the printer. Dylan couldn't read them as he walked past, but this made him wonder if there were any locked shred bins where sensitive documents could be placed. He didn't notice any as he continued his unsupervised tour.

He walked down one hallway closer to the R&D labs where either side of the hallway was lined with six-foot-tall filing cabinets. The keys to each of the filing cabinets were conveniently located inside the locks at the top center of each cabinet. Dylan realized that if he locked the locks and walked away with the keys, he'd be doing a kind of analog version of ransomware.

At the end of the hallway was a glass door with the red light of a card reader flashing. A dull hum was reverberating from the air conditioning behind the walls, and he realized that this was probably the door to the MarchFit data center.

An engineer walked out, and Dylan trotted quickly toward the door. The man actually stopped and held the door open for Dylan before it could close. Still on the phone, Dylan nodded to the man, and he continued down the hallway.

Dylan was greeted by the arctic air coming out of the data center room. He let the door close behind him and took the room in. It was probably around a thousand square feet—not the biggest data center he'd ever been in, but then most of MarchFit's operations were done in the cloud. There were several rows of cabinets full of the flashing lights of servers, storage, firewalls, routers, and switches. Many of the cabinet doors were slightly ajar. There was a plastic cart sitting next to the door and Dylan briefly contemplated removing one of the servers and walking out just to see how long it might take for someone to notice.

A server admin walked around the corner and almost bumped into Dylan. “Oh, excuse me,” the man said. “Were you looking for someone?”

“I was supposed to meet Noor here, but I'm a little early,” Dylan lied. “I'll just meet her in her office,” he said, and walked out of the data center.

Dylan walked into the briefing center to find that the team had started their meeting without him. Aaron was reviewing the five design principles with the team and had displayed the principles on the video wall:

1. Define the protect surface.
2. Map the transaction flows.
3. Architect a Zero Trust environment.
4. Create Zero Trust policies.
5. Monitor and maintain.

“We've gotten through a few practice protect surfaces, but I think now it's time to move on to a learning protect surface. We'll need a protect surface with a little more complexity. Anyone have a suggestion?” Aaron said.

“How about we look at our physical security,” Dylan said, sitting down and opening his laptop.

“I think that's an excellent choice,” Aaron said.

“I thought we wanted to work on systems that didn't matter if we break them,” Brent said. “Wouldn't people get really mad if we locked everyone out?”

“Actually,” Harmony said, “the card readers are designed to work when the network is down or even in a power outage. I think the card readers have a local database, so they'll remember the permissions of people who had gone through the doors recently. Worst case, we can just prop the doors open like we did during the incident.”

Dylan began to explain his experiment with physical security earlier in the morning.

“That's brilliant,” Nigel said. “I didn't know you were so sneaky.”

“That's just it—I'm not. I was just distracted,” Dylan admitted.

“Physical security is the perfect analogy for Zero Trust,” Aaron said. “It's easier to talk about since we're not talking about imaginary invisible things. And I think people instinctively understand security. Security is a part of why we come together as a social animal: We come together for mutual protection. As much as we talk about how Zero Trust does away with the perimeter, it's still important for us to have a foundation to talk about. So my first question for the group is where does physical security start?”

“Is it the doors to the building?” Brent asked.

“What about the fence around the property?” Rose asked.

“Or the camera system?” Harmony offered.

“What about the security guards?” Nigel asked. “Anyone could hop the fence if there weren't guards behind it.”

“You guys are all talking about elements of perimeter security. That makes sense in the physical world where a human has to go through the perimeter to get inside a building. But that's not the way things work in cyberspace. Ask yourself what would happen if someone invented a teleporter like in Star Trek. Those perimeter controls would still be important, but you'd need to shift the way you thought about security. The answer to this in Zero Trust is the protect surface.”

“What does that mean? How do we change the perimeter?” Brent asked.

“That's the question we need to ask for every protect surface. So for physical security, we need to understand what it is that we're protecting. Is it the life safety of the people in the building? Is it the servers in the data center? Is it the computers? Or the paper documents?”

“Isn't it all of the above?” Dylan asked.

“Yes and no,” Aaron answered. “Again, physical security gives us another great analogy for Zero Trust. Inside the building, we create different areas where we allow anyone to roam freely. If you get access to the office areas, you can go to any one of the many cubicles. That's an example of containment. If something bad were to happen, we have contained the blast radius of that damage to one area, but hopefully other areas are still safe. In this example, we place the controls adjacent to the things that we are protecting. We put cameras and fire suppression and card access around the data center, but maybe we don't need all of those things at the perimeter of the facility in the parking lots. But that's exactly what we're doing in cybersecurity when we put a firewall by the Internet and call it a day.”

“Doesn't that just mean we need better firewalls?” Brent asked.

“Unfortunately, there's this secondary attack surface. It's called the internal network.” Aaron laughed at his own joke then continued. “When we research incidents, there's this concept called dwell time. We want to know how long the threat actor was in your network before they were discovered. When you haven't done any containment, the dwell times will be very long. Sometimes cybercriminals have been reported to have been inside a network for six months or a year before they are detected. For MarchFit's physical security, you do have different areas and security checkpoints. Dylan was noticed pretty quickly once he reached the data center, but he could have spent a lot of time in the office areas before he was noticed.”

Harmony folded her arms and leaned back in her chair. “So if I'm understanding you correctly, the idea with Zero Trust is that we move the controls away from the perimeter to the smaller protect surfaces. And that allows us to use much more granular controls that are specific to each protect surface?”

“Well said, Harmony,” Aaron said. “And those smaller protect surfaces allow us to change our policies more rapidly. If you had the president come for a visit, you might restrict access to certain areas where employees might normally be able to go, for example. We still have monitoring via closed-circuit television cameras that monitor the perimeter so we can alert on when things come in and out of the building, just like we want to log all of the traffic coming through our firewalls.”

“But what about the air ducts, like in Die Hard?” Brent asked.

“It turns out that we have a great physical security resource already onsite,” Aaron continued, ignoring Brent's question. “Let me ask Noor if we can borrow him.” Aaron typed a message into his phone. Several minutes later, Peter Liu knocked on the door to the executive briefing center (EBC) and walked in.

“You guys needed me?” Peter asked.

“Peter, nice to see you again,” Dylan said. “How's the recovery effort going?”

“We opened the file that 3nc0r3 released in a sandbox, and it looked clean. Noor and her team are reviewing the data to see if it's legit and hopefully will find where it came from,” Peter said. “But I thought you guys had a question about Zero Trust? I'm not sure if I'm going to be much help.”

“I wanted to see if we could pick your brain for a bit about physical security,” Aaron explained. “You guys know that Peter is the lead security consultant helping with our incident response, but I knew him at a previous company where he got his start as a penetration tester. He had a real knack for breaking into some of the most secure facilities in the world.”

Peter shrugged. “What happens in Vegas stays in Vegas.”

“Let's talk about the transaction flow for what happens when you swipe your card,” Aaron said. “How would you take advantage of the trust relationships in the card reader system to get into a building?”

Peter looked thoughtful for a moment, then held up his visitor card. “MarchFit uses a proximity card system. I've not looked at what you guys are doing, but assuming the cards aren't encrypted, you can buy a cheap RFID cloner on Amazon. I'd just clone the badge of someone with access and I'd be in.”

“What? Really?” Isabelle asked.

“Assume for a moment that the badges are encrypted. What trust relationships would you look to exploit then?” Aaron asked.

“There are still some ways to get around encryption,” Peter said. “If I were a nation-state, I might hack the card reader company.”

“How would that help?” Brent asked.

“Most card reader companies use the same encryption key for all their clients. You have to ask very nicely with a cherry on top to get your own unique encryption key,” Peter explained. “So if you're wearing a tinfoil hat, you can expect a CIA agent to go wherever they want. But short of that, I'd want to look at the card readers themselves.”

“You can hack our card readers?” Harmony asked.

“That wouldn't be my first choice,” Peter laughed. “Depending on the card reader, I'd have a couple of options. Given the age of the building, I'd expect that these card readers aren't on the network. Older card readers are usually wired back to a control panel, and for the most part older card readers use a protocol called Wiegand, which was created back in the 1980s. There are YouTube tutorials about how to fit a small tap behind the card reader to collect all the unencrypted card credentials, and you can use that to get access.”

“There's no way to encrypt that data?” Dylan asked.

“There's a newer protocol called Open Supervised Device Protocol, or OSDP, that supports encryption, but not every card reader supports it. You'd have the same issue if the card readers were on wireless or wired network connections. You still have to enable encryption. Often I find that most of the physical security integrators that install the card readers don't configure them securely. They're just there to do the install as quickly as possible. And they don't want to come back, so they'll also configure those systems for remote access. So I'd look to see if I could find a way just to get in remotely and give myself all the access I want.”

“You've really done all that?” Harmony asked with a hint of envy in her voice.

“It's all about finding the easiest way in. If I can get a job as a cleaning person or pretend to be one, there might not be much technical acumen needed. Let's take a field trip,” Peter said, standing up and moving toward the door.

The group followed him down the stairs to the security desk in the main lobby. There were two computers. One was running the card reader system and was configured to print visitor badges. The other had dual monitors displaying a number of small CCTV streams. The security guard initially walked over to the group and asked, “Can I help you?”

“Can we talk to the person who runs the security computers?” Peter asked. Nodding, the security guard at the desk picked up his radio and said something into it. While he was talking, Harmony sat down at the computer and started clicking.

Before the security guard could say anything, Harmony exclaimed, “This computer is running Windows 7?”

“How long has that OS been end-of-lifed?” Brent asked.

“I don't understand. Our support team completed the Windows 10 upgrade project a couple years ago,” Isabelle said.

“These computers probably aren't on the domain. They're supplied by the security installer,” Peter said. “This is pretty common, unfortunately.”

“But they're on our network,” Harmony confirmed by running the ipconfig -all command from the command prompt. “These PCs are on the same network as the rest of the workstations.” Then she ran the netstat command. “Wait, is this desktop also the server running the card access software? It's connecting to a bunch of local devices also on the user subnets. We put the card readers on the same network as everyone else?” Harmony asked, shocked.

Unfortunately, Peter said, “if there's not an infrastructure team that knows that they can push back and design the network with Zero Trust in mind, your physical security integrator will do what they can to get the computer up and running.”

“Let's talk about process,” Aaron said, turning to the security guard manager who had come out of his office on the inside of north MarchFit. The guard was several inches taller than Dylan and was wearing a dark blue uniform with the security company logo embroidered on his sleeves. His badge read “Glenn.”

“When a new employee starts, how do you get their badge ready?” Aaron asked.

“We'll get an email on Friday letting us know a new employee will start on Monday,” Glenn answered, folding his arms. “We ask for ID when they show up, of course. Then we take their picture.”

“How do you know what parts of the building they need access to?” Peter asked.

“We just give them the basics unless HR says they need to get into other places. We just hit this drop-down menu here,” he said, pointing to the screen, “and we pick the door groups they need.”

“Can anyone just sit down at the desk and start typing?” Dylan asked.

“There's always someone sitting at the desk,” Glenn said defensively.

Dylan remembered his first day where there was no one at the desk but chose not to say anything. Instead, he asked, “When you change shifts, do you have to log out of the computer and the new guard logs in?”

“Oh, no. That's way too complicated for the crew. Not all my crew knows how to open the camera or card reader windows. Just too technical for some,” Glenn explained. “We have to keep the windows up or else things get really confusing during shift changes.”

“What happens if something breaks?” Dylan asked. Aaron nodded as Dylan asked the question, like he was about to ask the same thing.

“Oh, we have the number of the company that manages the card access system. They have some people that can get in remotely to get everything working again. They're really fast,” Glenn said.

Harmony sat down at the desk and started looking at the computer. After a few seconds, she said, “Oh crud. They've installed their own remote access software.”

“Why is that bad?” Rose asked.

“It's really easy for bad guys to get in using that software. We should probably shut that down. Right, Aaron? Dylan?” she said, looking to the two of them.

Aaron nodded but held up his finger. “Just a few more questions before we get to the architecture conversation,” Aaron said. “What do you do for visitors?”

“Oh, you should know that since you're wearing a visitor badge.” Glenn pointed out the visitor tag Aaron was wearing.

“Let's explain the process for the folks who don't know,” Aaron said.

“It's just like the process for giving employees badges, except it's temporary and the cards are reused. We have to have a regular employee sponsor them and supervise them while they're in the building. We make a copy of their driver's license so we have it on file if we find out something happened later,” Glenn said.

“Do you have any problems with the cameras?” Dylan asked, pointing at the other monitors where the cameras were being displayed.

“Oh yeah. All the time,” Glenn said. “We have to get a ladder to reboot some of the cameras when they freeze up.”

“How often do they freeze?” Dylan asked.

“The bad cameras? At least once a week. But you never know which ones are bad. We have to watch the guards on patrol and check in with the radios to see if the image has frozen. I usually have the night shift do that. But sometimes we go back and find that the recordings are missing too. When it happened the first time, I thought it was that hacker, but it turned out the disk was full.”

Harmony pulled out her laptop and began typing at a command prompt. Then she pulled up a web browser and after a few clicks, the camera facing the security guard desk was showing video on her screen. “The cameras are also on the network,” she said. “I took a wild guess, and the password for the cameras is MarchFit.”

“I think you'll find other building automation systems or air conditioning have similar configurations. The contractors come in and their only requirement is that they get the system working. There isn't any accountability to them if the system isn't secure. The organization needs to provide this through contracts and oversight,” Peter explained.

“This is one of the first lessons we need to take to heart when it comes to Zero Trust,” Aaron said. “When we think about transaction flows, we're not just talking about how packets get from point A to point B. We also need to think about the business processes and relationships to give us the big picture. Let's head back to the EBC to think about what controls we put in place to address the problems we've discovered.”

The group walked back upstairs, but Peter paused at the entrance and stopped them from going in. “I've got one last thing to show you. When we exited the EBC, there was a motion sensor placed above the door that automatically unlocked it. That makes it more convenient than having to press a button to get out, but there's a problem with that.” Peter pointed up through the glass, and they could see the green light on the sensor. Peter began folding a piece of paper he had in his pocket into a paper airplane. He slid it between the small gap where the glass of the door met the glass of the wall of the EBC, then lightly tossed it into the room. It glided a few feet before landing, but that was just enough to trigger the motion sensor. Peter opened the door without swiping his badge, then bowed like a magician as he held the door open for the team.

Once everyone was sitting back in the EBC, Aaron pulled up a web browser on the video wall and went to a website called Shodan.io. He searched for the IP addresses that they saw on the guard's computer, and a huge list of devices was displayed. Aaron clicked on one of the IP addresses, and it showed a lot of detail about the device. “There's a lot of information freely available on the Internet about the devices MarchFit has on its network. It sounds like Harmony had some ideas on what we can do to improve our architecture. Harmony?”

“The first thing I'd want to do is to move all the cameras and card readers onto private addresses. I also don't think the cameras or the card readers need to be on the same network as other devices. We can put them all on separate non-routed networks so no one can get to them.”

“That's a great use of microsegmentation,” Aaron agreed.

“What's that?” Isabelle asked, turning her chair to face Aaron.

“You've heard the phrase ‘never put your eggs in one basket’?” Aaron asked. She nodded and he continued, “Microsegmentation just means we're putting different kinds of eggs in different baskets to keep them separate. What else would you guys want to do?” he asked, looking around the room

“Maybe have different passwords for each camera,” Rose suggested.

“That's a good suggestion,” Aaron said, “but we also want to consider the complexity of managing all those different passwords. Do the guards need a password vault? Can the camera management company manage that? That's a good transition to creating Zero Trust policies. MarchFit has some good policies in place for sponsoring visitors. And generally speaking we expect people to wear the badges in a visible place. What suggestions do you have for other areas?”

“Maybe we should have the guards have separate logins to the camera and card reader system in case someone walks up while they're distracted,” Dylan suggested.

“Can we put up posters reminding people not to tailgate?” Rose asked.

“Excellent suggestion,” Aaron said.

“We definitely need a better process for having the management company get remote access into those systems,” Harmony said. “Brent, can we get a sponsored account for them? They can at least use VPN to get in. And for goodness’ sake, we should be running a current operating system.”

“What about the time of day?” Nigel asked.

“It's not even close to lunchtime,” Brent answered.

“No, mate,” Nigel corrected. “Can we change the access policies based on the time of day? Maybe some people don't need access after hours or on weekends. That's policy, right?”

“Right you are,” Aaron confirmed. “And when we talk about monitoring, we might consider additional alerting if someone unexpectedly comes in during one of those times.”

“For the monitor and maintain phase,” Dylan began, “if we had guards using unique logins, we'd have better audit trails when something changed.”

“That's definitely a best practice,” Peter added. “I'd also suggest sending physical security logs to the SIEM. You can use card swipes as behavioral triggers to help make determinations based on whether employees are in the office or working from home.”

“Is there a way to integrate the camera system with the card reader system?” Rose asked.

“That's a great idea,” Peter said.

“Why would we want to do that?” Brent asked.

“I've seen it done before,” Peter said. “When someone swipes their card, their picture pops up on the video screen so the guard can verify that it really is the person in the video. Not every video system is compatible, so we'd have to check to see if there's an API between the two systems.”

“I've got an idea,” Isabelle said. “Can we send emails to sponsors when visitors go through doors? That might be helpful if someone wanders away.”

“That's a wonderful suggestion,” Aaron confirmed. “I'd also suggest that we have the card reader system produce daily or weekly reports to send to staff who are responsible for certain areas like the data center. But you guys missed one of the biggest issues.”

The group was silent for an uncomfortable period of time. Dylan finally broke the silence. “What did we miss? I can't think of anything.”

“The security guards have a problem with several cameras that aren't working correctly. They have a process for incident response when they see an issue happening. It's good that they are able to reboot them, but with Zero Trust, we need to get to the root cause of an issue to proactively prevent the problem from happening again,” Aaron replied.

Key Takeaways

You can't have cybersecurity without physical security. If a threat actor can walk into your data center, it's game over. With today's card readers and video surveillance systems, however, you can't have physical security without cybersecurity.

Cybersecurity controls for physical security systems are often overlooked. Often, these controls are installed by third-party integrators as a part of a new building construction or when a company moves into a commercial real estate space. Many times, a different third-party security guard company will be in charge of using that system day to day. When so many different groups are involved with a system, it's often difficult to secure because no one group is responsible for the security of that system. A big part of identifying a protect surface is understanding who has responsibility for that system.

You don't need to know how to pick a lock to get access to a secure facility. As mentioned in this chapter, some penetration testers will clone a badge using an inexpensive RFID cloner. Sometimes there are even easier ways like sliding a piece of paper under a door to trigger a motion sensor that automatically unlocks a door as a convenience to employees. Sometimes the building HVAC system creates too much air pressure in a room and doors don't close properly. And sometimes, employees prop doors open for convenience.

Physical security is the perfect analogy for Zero Trust. When designing physical security controls, we naturally place controls around the things we're trying to protect. When organizations perform physical penetration testing, they are often surprised to discover the simple methods that criminals can use to get complete access to a facility. But because of the fault tolerance built into these systems, they can be a part of a learning protect surface without concerns about taking the whole system down.

Several different transaction flows need to be mapped as a part of the card reader process. First, the process for a card reader processing a card swipe. Then there is the process for assigning credentials. Finally, there should be a separate process to help visitors get temporary access to company facilities. This chapter focused on the transaction flow mapping portion of the Zero Trust design methodology, and it's important to note that there can be multiple transaction flows within a single protect surface. Some protect surfaces may include multiple applications, as the example in this chapter did with both card access and closed-circuit television (CCTV).

Many organizations today employ proximity badges for employees so that they can just tap their badge on a reader rather than use a magnetic card swipe, although magnetic stripe readers are also still in use today. The identification information on a magnetic stripe card can be easily read so long as the card is swiped, so a threat actor needs to have physical possession to make a copy. However, RFID cards can be copied at a distance, exposing the credential, unless the cards are encrypted. While some proximity cards may be encrypted, there are ways of getting around that. Card production companies may use a single encryption key for all their cards, for example. Often the card readers are connected to a control panel and many card readers aren't configured to use encrypted communications between the card reader and panel, so a criminal could place a tap behind the card reader to steal user credentials for later access. Other card readers use Ethernet or wireless communication, and these channels also need to require encrypted communication.

Often card readers and cameras are placed on public networks that can be reached by other devices both inside and outside an organization. Search engines like Shodan allow easy scans of vulnerable IoT devices like cameras that are exposed to the Internet, and devices like this are routinely compromised as an entry point into corporate networks. For this reason, card readers and cameras are both good candidates for a Zero Trust concept called microsegmentation.

In many corporate networks, all networked devices—including computers, printers, card readers, cameras, air conditioning systems, etc.—are placed on the same network or virtual local area network (VLAN). In this standard configuration, a computer can communicate with a printer, but it can also connect to a video camera or be used to take over the air conditioning system. In other words, by placing all of the devices on the same VLAN, we are saying that we trust all of these devices to communicate with one another.

Microsegmentation creates smaller VLANs or zones where only devices that need to communicate with one another are allowed to be located in the same zone. Employee computers are placed in one zone, whereas printers are placed in another zone and only the network traffic that we expect to be sent to a printer is allowed. For physical security, only devices that have a need to connect to card readers or cameras should have access—usually the card access servers or the video archive servers. Because the security guard's workstation is not a trusted device, it is not allowed to talk directly to the camera network. Instead, it should communicate with a hardened intermediary server designed to allow access to only the cameras the guard has been authorized to view.

The security guard mentioned experiencing issues with the system and sometimes ignoring those alarms. They know how to fix the issue when a camera freezes, but they never addressed the root cause of the problem.

There's a big difference between incident management and problem management. Incident management is all about the processes you use to respond to incidents in real time. Cybersecurity teams are often built around having mature incident response processes and plans to be prepared when bad things happen. Problem management is focused on finding the root cause of why whole categories of incidents occur and preventing them from happening. If an organization focuses exclusively on incident management without addressing the underlying source of the issues, the risk is that they'll be stuck in firefighting mode. A team can become desensitized to alarms and bad things can slip through. The reason that Zero Trust is successful is that it addresses the underlying source of incidents—trust. Zero Trust attempts to help prevent or contain future incidents through problem management.