Does Your Office Miss You?

The New Normal

It's no surprise that we live in a digital age. Particularly in this COVID era, where the majority of the workforce is connecting from home, securing our Internet-accessible resources is critical. And while we could write about best practices for securing your brand new remote WFH environment, we'll save that post for another day. Instead, we wanted to draw attention to a potentially neglected, dare we say all-but-abandoned, piece of your infrastructure: that vacant office. What was once abuzz all week long is now sitting stagnant, dormant, and ripe for the picking by attackers.

With this post, we'll touch on a few of the different threats we cover in our enterprise security assessments that review organization security, both online and in the real world. In our experience, these neglected offices haven't been receiving the same attention or scrutiny that the 'securing your WFH workforce' movement has enjoyed. With most, or all, employees connecting from home, what does this mean for our physical offices? After all, what good is applying multi-factor authentication to our VPN portals and implementing the latest endpoint protection solution, if the doors into our [empty] offices are still open from 7am-7pm five days a week?

Here is a short list of things you can do today to review/enhance the security of your physical offices:

Are Your Doors Still Open?

It's not uncommon for office spaces to automagically unlock during normal business hours and lock again around 5pm. During the day, our staff can act as a deterrent to would-be bad actors, but in their absence, what's stopping bad people from doing bad things?

Whether you own your office building or utilize a building management company, reevaluate your auto-unlock and alarm schedules (don't forget holidays) to account for the chaos that is 2020. Speaking of holidays [in general], make sure there is a process in place to adjust the auto-unlock hours to account for these departures from the norm. For example, if Christmas Day falls on a weekday (hint, it's a Friday this year), will your office doors be open at 7am while everyone is enjoying the day off?

Finally, make sure your access control system is logging activity into [and out of] your building/suite/etc. on a protected and remotely-accessible system.
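
As an added example (not from the original post), this Python script audits an auto-unlock schedule and lists every day the doors would open while nobody is expected in the office. The schedule, holiday list, lock overrides and closure dates are constructed sample data standing in for an export from your access control system.

```python
from datetime import date, time, timedelta

# Weekly auto-unlock windows keyed by weekday (0 = Monday): the post's
# 7am-7pm, five days a week. Constructed stand-in for a controller export.
WEEKLY_UNLOCK = {wd: (time(7), time(19)) for wd in range(5)}

# Constructed sample data: holidays, lock overrides already programmed
# into the controller, and a planned office closure.
HOLIDAYS = {
    date(2020, 11, 26): "Thanksgiving",
    date(2020, 12, 25): "Christmas Day",
    date(2021, 1, 1): "New Year's Day",
}
LOCK_OVERRIDES = {date(2020, 11, 26)}
CLOSURES = [(date(2020, 12, 28), date(2020, 12, 31), "Year-end closure")]


def unattended_unlocks(start, end, weekly=WEEKLY_UNLOCK, holidays=HOLIDAYS,
                       overrides=LOCK_OVERRIDES, closures=CLOSURES):
    """Return (day, reason, window) for each day the doors would auto-unlock
    while nobody is expected in the office."""
    findings = []
    day = start
    while day <= end:
        window = weekly.get(day.weekday())  # None on days with no auto-unlock
        if window and day not in overrides:
            reason = holidays.get(day)
            if reason is None:
                # Not a holiday: check whether the day sits in a closure period
                reason = next((label for first, last, label in closures
                               if first <= day <= last), None)
            if reason:
                findings.append((day, reason, window))
        day += timedelta(days=1)
    return findings


if __name__ == "__main__":
    for day, reason, (opens, locks) in unattended_unlocks(
            date(2020, 11, 23), date(2021, 1, 3)):
        print(f"{day:%a %Y-%m-%d}  {reason}: "
              f"doors unlock {opens:%H:%M}-{locks:%H:%M}")
```

Each date it reports needs a lock override in the controller; a holiday that falls on a weekend or already has an override is not reported.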

Perform Reviews of Security Controls

Many corporate office buildings these days are designed to be aesthetically pleasing, and often that comes at the cost of security. Ever see a waist-height turnstile? Suffice it to say, construction mandates of 'pretty' and 'rushed' don't always add up to a secure implementation; thus, a double check of our physical security controls (e.g., locks, alarms, keypads) is in order. Said differently, we break into occupied companies (with permission) all the time; usually we are hurried and trying to avoid detection. Imagine what a determined threat actor can do with more time and less scrutiny. Bottom line: make sure your sensors sense and your locks lock.

With No Security Guard, This Could Be An Easy Win

Disconnect Easily Accessible Ethernet Ports

Common areas, lobby phones, conference rooms, IP cameras: all are potential entry points into your network. Who's watching them? Would you know if someone plugged into one of them? Maybe it's just best to disconnect them at the patch panel if they can't be controlled or monitored and aren't serving a purpose during the pandemic.

Pro tip: Don't forget telco closets and electrical rooms outside your suite that may offer an attacker LAN connectivity.

Don't Need It? Unplug It.

Disconnect WiFi

Similar to physical networking, if no one is in the office, can we spin down the wireless networks until offices start to open back up? With access to the WiFi, attackers don't need to set foot in your suite, maybe not even your building. Even if your wireless networks are password protected, they could be targeted by an attacker and potentially exploited to gain access to local resources. Consider this chain of events: an attacker gains access to the WiFi, then identifies, accesses, and disables your building access control/monitoring systems. What could they do then with no one watching?

Pro Tip: If you can't disable the network, can you turn off advertisement (broadcasting the SSID)? It won't completely solve the problem, but it's a start.

Bonus Pro Tip: "Corp LAN" is a more enticing SSID target for an attacker than "HP MFC Laser Printer."

Hacking Can Happen From Anywhere When WiFi is Enabled
