Having a strong physical security plan strengthens the overall security design of your organization. Physical security is often the entry point into a company. By locking down physical access to your company, you can be more proactive in focusing on strictly cyber threats. A strong physical security design will protect the assets and personnel of the firm, it will allow only authorized individuals to use the systems, and it will ensure the proper monitoring of resources. This monitoring can deter others from trying to attack your organization.
A robust physical security plan can deter cyber criminals. Just knowing that you have guards, cameras, and controlled access to your facilities will make the job of a would-be criminal, hacker or pentester more difficult. Many times, these folks will look for low-hanging fruit rather than try to break into a heavily fortified fortress. If they notice that your building is locked down, they will probably first try somewhere else where they can get in much more quickly and without surveillance. They would rather have an easy jackpot than sweat for hours trying to get into a building while being videotaped and evading guards, knowing well that they are very close to being caught. It’s a basic control and one that is fundamental to improving your overall security.
Physical security controls help prevent other types of cybercrime, pentesting and hacking from succeeding. Why is that? It’s much easier to “own” a network when you are physically inside, or have direct access to a computer or server, than it is over the wire. If you have physical access and the right skills, you can, and very soon will, “own” the network.
With physical access you can disable other security features, disable monitoring, reconfigure the firewalls, or cause a DoS on a major application if it’s hosted locally (Exchange, for example). You can eavesdrop or enable wire sniffing, and once it’s set up you can monitor it remotely. You can insert a USB disk into a server and reset the admin password, or take the hard drive out of the Domain Controller and run an offline attack on the password database.
With physical access you can go to the executive’s office and copy all their files, make fake badges to come back in the future, or steal confidential files. You get the picture. If you are physically inside a company, you are in the network, and there’s a good chance that, with the right skills, you can own a new piece of cyber real estate.