How to Perform a Physical Security Risk Assessment
Plans Require Crime Stats, Walk-Throughs and Constant Vigilance
Because the physical aspect plays a role in so many facets of security, from preventing bank robberies to foiling insider threats, assessing physical risk can be a challenge.
"Whether it is PCI or COBIT, [physical security] is even tested under most SOX engagements, but it is very much taken for granted," says Bruce Sussman, senior manager at Crowe Chizek. "It appears simplistic, but it isn't. It sometimes can have a surprising amount of deficiencies."
Some of these deficiencies stem from heavy workloads or a lack of staff: for example, someone leaves the institution, yet their passkey or pass card is not returned, or their access credentials are not removed from the systems. "I see this consistently as a problem in the institutions I visit," he says. "This means that someone else could go into the system, and if they knew the person's login and password they would be able to access the system under the former employee's account."
What if a determined social engineering effort was being attempted against your institution? "That's when the breakdown of physical security, as I've just described, would become highly significant," Sussman says.
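The offboarding gap Sussman describes (a departed employee whose pass card stays active or whose account is never disabled) is straightforward to check for by reconciling the HR termination list against exports from the badge system and the directory. The script below is an added example, not code from the article or from Crowe Chizek; the three exports are constructed sample data and their column names are assumptions. It ranks a credential that was actually used after the termination date above one that is merely still enabled, and it also surfaces orphan credentials with no HR record at all, since those are the ones nobody will think to revoke.

```python
"""Reconcile HR terminations against badge and account exports.

Added example: flags the offboarding gap described above, where a departed
employee's pass card or login is still active. All three exports are
constructed sample data; the column names are assumptions.
"""
import csv
import io
from datetime import date

# Constructed HR roster export (assumed columns).
HR_CSV = """\
emp_id,name,status,term_date
1001,Ann Lee,active,
1002,Bob Ray,terminated,2024-03-15
1003,Cy Ito,terminated,2024-01-31
1004,Di Moss,active,
"""

# Constructed access-control (badge) export (assumed columns).
BADGE_CSV = """\
badge_id,emp_id,active,last_used
B-11,1001,yes,2024-04-02
B-12,1002,yes,2024-03-28
B-13,1003,no,2024-01-30
B-14,1004,yes,2024-04-01
B-15,1099,yes,2024-04-01
"""

# Constructed directory/account export (assumed columns).
ACCOUNT_CSV = """\
username,emp_id,enabled,last_login
alee,1001,yes,2024-04-02
bray,1002,no,2024-03-14
cito,1003,yes,2024-02-20
dmoss,1004,yes,2024-04-02
svc_backup,,yes,2024-04-02
"""


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def _date(s):
    return date.fromisoformat(s) if s else None


def reconcile(hr_csv, badge_csv, account_csv):
    """Return (severity, kind, identifier, detail) tuples for every badge or
    account that is still enabled for a terminated employee, or that maps to
    no employee at all."""
    terminated = {}   # emp_id -> termination date
    known = set()     # every emp_id HR knows about
    for r in _rows(hr_csv):
        known.add(r["emp_id"])
        if r["status"] == "terminated":
            terminated[r["emp_id"]] = _date(r["term_date"])

    findings = []
    sources = (
        ("badge", _rows(badge_csv), "badge_id", "active", "last_used"),
        ("account", _rows(account_csv), "username", "enabled", "last_login"),
    )
    for kind, rows, id_col, flag_col, used_col in sources:
        for r in rows:
            if r[flag_col] != "yes":
                continue                      # already revoked; nothing to report
            emp = r["emp_id"]
            if emp in terminated:
                term = terminated[emp]
                used = _date(r[used_col])
                if used and term and used > term:
                    # Use after termination is the "someone else went in" case.
                    findings.append(("high", kind, r[id_col],
                                     f"used {used} after termination {term}"))
                else:
                    findings.append(("medium", kind, r[id_col],
                                     f"still {flag_col} after termination {term}"))
            elif emp not in known:
                findings.append(("medium", kind, r[id_col],
                                 "no matching HR record (orphan)"))
    return findings


if __name__ == "__main__":
    for sev, kind, ident, detail in reconcile(HR_CSV, BADGE_CSV, ACCOUNT_CSV):
        print(f"{sev:6} {kind:8} {ident:12} {detail}")
```

On the sample data this reports badge B-12 and account cito as high (both used after the owner's termination date), and badge B-15 and the unowned svc_backup account as orphans; everything that was properly revoked is silent. Running it on real exports means mapping the column names to whatever the HR, badge and directory systems actually produce.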
Events that Trigger Risk Assessment
Physical security risk assessments often begin after an event such as a bank robbery, notes Larry Brown, Senior Vice President and Director of Risk Management for First Citizens BancShares [NASDAQ: FCNCA], a bank with more than $16 billion in assets, 5,000 employees and more than 400 banking centers in 15 states.
Brown and his team use a number of tools to assess physical security risk, including law enforcement crime data available on the geographic location of a branch. Depending on the level of automation and technology available, Brown's security team may have access to spreadsheets and reports. If it's a smaller police department or local sheriff's office, the team talks with them to ask what types of crime they're seeing in the area and what the response times are like for that department when a crime is reported.
"Along with that, we look at our own crime statistics and those of our peers in the area," Brown says. "While bank robbers are a little different breed, we also are cognizant of different types of crimes. If a bank robbery has occurred in a location -- it also would be something to look at what other types of crimes are happening during the dark hours when a bank is closed."
Commercial reports from companies such as the CAP Index and Raptor can also be used to augment law enforcement reports, Brown says. "They are not a silver bullet, but should be used to help validate what the institution thinks crime will be like in a certain area."
Along with performing physical risk assessments after an event, institutions should partner with local law enforcement, collecting information about what equipment and procedures worked, and what didn't. "This is something institutions want to know, and it is helpful when making spending decisions," Brown says.
Brown hesitates to divulge details of the bank's risk assessment process because of the potential that the information could be used against the bank. His rationale: 18 months ago, a magazine published an article called "How to Rob a Bank." Within two weeks of that article running, one of his banks was robbed in North Carolina. "We could tell by the video that this guy had read the article, based on his behavior and body movements," Brown says. Despite having read up on the subject, the robber was in custody within 24 hours of the crime, Brown says.
An 'Army of One'
Dennis Weiskircher heads a one-man information security department at Citizens Bank in Mount Vernon, KY (www.citizensbankrb.com). Because of staffing and time constraints, he performs a combined logical/physical security risk assessment once a year. In his role as IT Manager and Security Officer he oversees the security controls at the bank's four branches. While some of the assessment is done internally by him, the formal security risk assessment for the bank is performed and documented by an outside information security firm.
"I have a certain amount I do internally -- I have an internal checklist that I use to check all the physical controls to make sure everything is working right down to the basics," Weiskircher says. Examples of some of the things Weiskircher checks for include:
- Ensuring locks and cameras are working;
- Network scans and patch checks;
- Rogue software that employees may have downloaded.
"While they [the outside security firm] don't perform a physical penetration test, every year they do some variation of war dialing and war walking, looking for rogue access points," he says of his third-party risk assessment. "They also do a social engineering test usually two or three weeks after their visit, a phishing email, or something along those lines to see if people bite on it."
Everything in the risk assessment process is documented in a report for Weiskircher when the assessment is completed, no matter how trivial it may seem. "Because if it's not written down, examiners will tell you it didn't happen," he explains.
Performing security risk assessments does benefit the bank's overall security posture, Weiskircher explains, yet wryly notes, "You can put as many controls in place as you want, but if a person really wants to get in, they will find a way to get into your bank."
Example: "We've had two robberies in the last five years, and both were completely out of the norm as far as bank robberies go and were totally outlandish." Usually bank robberies are described as a single person walking up to a teller and handing them a note telling them to put money in a bag. "We've never had that 'normal' holdup scenario," he says.
"Last October, a lone man, who purportedly was in debt to a drug dealer and the dealer is threatening his family, robbed our branch in Broadhead, KY." As the scenario played out, the bank robber ran into the branch with a gun, grabbed a teller drawer and "stuck as much money into his pockets and ran out again," Weiskircher says. Police had the suspect in cuffs in less than three hours. "Not only did we have him on tape; other store owners had seen him earlier in the day hanging around the downtown area of Broadhead (pop. 3000). Several of them wrote down his license plate number," Weiskircher chuckles, "I figure he knows now why it's not wise to rob a bank in a small town."
Continuous Presence Needed
Crowe Chizek's Sussman sees institutions that are locked up tight during the day, with checks, reception areas and greeters. After hours, though, they are more open: the cleaning crew is inside, and they will prop open a door to a secured area to avoid having to unlock it again.
The lesson? Physical security, like logical security, requires constant vigilance. "Every bank and credit union needs to realize their physical security risks," Sussman says, and that is where penetration testing as part of the physical security risk assessment becomes important. For example, when a vulnerability can only be exploited with hands-on access at the server or console level, a physical penetration test is what uncovers it.
"There was an institution where we performed an assessment and an IT audit," Sussman says. "They were well-protected from remote access of their systems, but when we sent in the penetration testers and they did a little bit of social engineering to get into the building, it was easy to get to the data network room. They got access to the console and the servers, and away they went."
The breach at that institution involved multiple failures of procedure and physical security, Sussman says, and those are the areas a risk assessment needs to cover. "People had to be fooled, the receptionist had to let them in, doors had to be unlocked - so, it's not a bad thing to be paranoid."
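The after-hours propped door Sussman describes earlier in this section is exactly the condition an access-control system's own event log can expose: a secured door that reports OPEN and then no CLOSE for many minutes, during hours when nobody should be in that area. The script below is an added example, not code from the article or from any access-control vendor; the event lines are constructed, the door names and the line format are assumptions, and the business-hours window and held-open threshold are tunable parameters. It pairs OPEN/CLOSE events per secured door, reports any interval longer than the threshold, and treats a door that is still open at the end of the log as an open finding rather than ignoring it.

```python
"""Detect doors to secured areas held open, especially after hours.

Added example illustrating the propped-door scenario described above. The
event log, door names and line format are constructed assumptions, not the
output of any real access-control product.
"""
from collections import namedtuple
from datetime import datetime, time

# Constructed access-control events: "<ISO timestamp> <door> <OPEN|CLOSE> <who>".
EVENTS = """\
2024-04-02T14:03:10 server-room OPEN badge:B-11
2024-04-02T14:03:18 server-room CLOSE -
2024-04-02T21:40:02 server-room OPEN badge:B-40
2024-04-02T21:58:30 server-room CLOSE -
2024-04-02T22:05:11 lobby OPEN badge:B-40
2024-04-02T22:05:20 lobby CLOSE -
2024-04-02T23:10:00 vault-anteroom OPEN badge:B-40
"""

# Assumed set of doors that protect secured areas (data room, vault, etc.).
SECURED_DOORS = {"server-room", "vault-anteroom"}
HELD_OPEN_LIMIT_S = 60          # assumed: anything longer is "propped"
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)   # assumed hours

Finding = namedtuple("Finding", "door opener seconds after_hours still_open")


def parse_events(text):
    """Parse the constructed log into (timestamp, door, event, who) tuples."""
    out = []
    for line in text.splitlines():
        ts, door, event, who = line.split()
        out.append((datetime.fromisoformat(ts), door, event, who))
    return out


def after_hours(ts, start=BUSINESS_START, end=BUSINESS_END):
    """True when the clock time falls outside the business-hours window."""
    return not (start <= ts.time() < end)


def held_open_findings(events, secured=SECURED_DOORS,
                       limit_s=HELD_OPEN_LIMIT_S, log_end=None):
    """Pair OPEN/CLOSE per secured door and report long open intervals.

    A door still open at log_end (defaults to the last event time) is
    reported with still_open=True, measured up to log_end.
    """
    events = sorted(events)
    if log_end is None and events:
        log_end = events[-1][0]
    open_since = {}                      # door -> (opened_at, who opened it)
    findings = []
    for ts, door, event, who in events:
        if door not in secured:
            continue
        if event == "OPEN":
            open_since[door] = (ts, who)
        elif event == "CLOSE" and door in open_since:
            opened_at, opener = open_since.pop(door)
            secs = (ts - opened_at).total_seconds()
            if secs > limit_s:
                findings.append(Finding(door, opener, int(secs),
                                        after_hours(opened_at), False))
    # Anything never closed is the propped-door case in progress.
    for door, (opened_at, opener) in open_since.items():
        secs = (log_end - opened_at).total_seconds()
        findings.append(Finding(door, opener, int(secs),
                                after_hours(opened_at), True))
    return findings


if __name__ == "__main__":
    for f in held_open_findings(parse_events(EVENTS),
                                log_end=datetime(2024, 4, 2, 23, 59, 59)):
        state = "STILL OPEN" if f.still_open else "held open"
        when = "after hours" if f.after_hours else "business hours"
        print(f"{f.door}: {state} {f.seconds}s by {f.opener} ({when})")
```

On the sample log this flags the server-room door held open for just over eighteen minutes at 21:40 and the vault anteroom door still open at the end of the log, both opened by the same badge after hours; the eight-second daytime entry and the lobby door are ignored. Where a controller emits a dedicated "door held open" or "door forced" event, that event can be matched directly instead of pairing OPEN and CLOSE.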
See Sidebar: Checklist for Physical Security Risk Assessments