Means
Access
Aiding and Abetting
Asset Control
Bluetooth
Bring Your Own Device (BYOD)
Clipboard
FTP Servers
Installed Software
Media Capture
Network Attached Storage
Physical Disk Access
Placement
Printing
Privileged Access
Removable Media
Screenshots
Sensitivity Label Leakage
SMB File Sharing
SSH Servers
System Startup Firmware Access
Unrestricted Software Installation
Unrevoked Access
Web Access
- ID: ME024.004
- Created: 23rd April 2025
- Updated: 23rd April 2025
- Contributor: Rob Snyder
Access to Physical Hardware
Subjects with physical access to critical hardware—such as data center infrastructure, on-premises servers, network appliances, storage arrays, or specialized equipment like CCTV and alarm systems—represent a significant insider threat due to their ability to bypass logical controls and interact directly with systems. This level of access can facilitate a wide range of security compromises, many of which are difficult to detect through conventional digital monitoring.
Physical access may also include proximity to sensitive areas such as network closets, on-premises server racks, backup repositories, or control systems in operational technology (OT) environments. In high-security settings, even brief unsupervised access can be exploited to compromise system integrity or enable ongoing unauthorized access.
With this type of access, a subject can:
- Extract or clone drives and media for offline analysis or exfiltration of sensitive data, including proprietary documents, logs, authentication secrets, and configuration files.
- Introduce malicious hardware or firmware, such as USB-based keyloggers, hardware implants, or modified components that persist beyond reboots and may evade traditional endpoint protections.
- Bypass access controls by booting from external media, altering BIOS or UEFI settings, or resetting system passwords using direct hardware manipulation.
- Install or modify software directly on the system, enabling surveillance tools, remote access backdoors, or malicious code that blends in with legitimate system processes.
- Capture network traffic by tapping physical interfaces or inserting intermediary devices such as portable switches, protocol analyzers, or rogue wireless access points.
- Disable security mechanisms, such as disconnecting monitoring systems, tampering with surveillance equipment, or disabling redundant power and failover systems to induce outages.
In operational environments, subjects with access to physical control systems (e.g., ICS/SCADA components, industrial HMIs, or IoT gateways) may alter processes, cause service disruptions, or create safety hazards. Similarly, access to CCTV or badge systems may allow them to erase footage, monitor employee movements, or manipulate access control logs.
Subjects with this form of access represent an elevated risk, especially when combined with technical knowledge or administrative privileges. The risk is compounded in environments with limited physical security controls, inadequate logging of physical entry, or weak segmentation between physical and digital assets.
Prevention
| ID | Name | Description |
|---|---|---|
| PV023 | Access Reviews | Routine reviews of user accounts and their associated privileges and permissions should be conducted to identify overly-permissive accounts, or accounts that are no longer required to be active. |
| PV039 | Employee Mental Health & Support Program | Offering mental health support and conflict resolution programs to |
| PV042 | Employee Vulnerability Support Program | A structured program, including a helpline or other reporting mechanism, designed to assist employees who feel vulnerable, whether due to personal issues, coercion, or extortion. This process allows employees to confidentially raise concerns with trusted teams, such as Human Resources or other qualified professionals. In some cases, it may be appropriate to discreetly share this information with trusted individuals within the Insider Risk Management Program to help prevent and detect insider threats while also providing necessary support to the employee. |
| PV003 | Enforce an Acceptable Use Policy | An Acceptable Use Policy (AUP) is a set of rules outlining acceptable and unacceptable uses of an organization's computer systems and network resources. It acts as a deterrent to prevent employees from conducting illegitimate activities by clearly defining expectations, reinforcing legal and ethical standards, establishing accountability, specifying consequences for violations, and promoting education and awareness about security risks. |
| PV025 | Full Disk Encryption | Full Disk Encryption (FDE) involves encrypting all data on a device's hard disk or solid-state drive (SSD), including the Operating System (OS), third party applications and user data. This helps to ensure that data on the disk remains inaccessible if the laptop is lost or stolen, as the data cannot be accessed without the correct decryption key.
Typically a user decrypts a FDE disk during the boot process. The user is prompted to enter a password or provide a hardware token to unlock the encryption key. Only after successful authentication can the disk be decrypted and subsequently the Operating System loaded and the data accessed. |
| PV038 | Insider Threat Awareness Training | Training should equip employees to recognize manipulation tactics, such as social engineering and extortion, that are used to coerce actions and behaviors harmful to the individual and/or the organization. The training should also encourage and guide participants on how to safely report any instances of coercion. |
| PV033 | Native Anti-Tampering Protections | Commercial security software may include native anti-tampering protections that prevent attempts to interfere with its operations, such as deleting or renaming required files. |
| PV011 | Physical Access Controls | Access to specific areas of a site should be restricted to only authorized personnel, through the use of controls such as locked doors, mantraps, and gates requiring an ID badge. |
| PV009 | Prohibition of Devices On-site | Certain infringements can be prevented by prohibiting certain devices from being brought on-site. |
Detection
| ID | Name | Description |
|---|---|---|
| DT033 | Closed-Circuit Television | CCTV can be used to observe activity within or around a site. This control can help to detect preparation or infringement activities and record it to a video file. |
| DT081 | Security Software Anti-Tampering Alerts | Commercial security software may have the ability to generate alerts when suspected tampering is detected, such as interacting with the process in memory, or attempting to access files related to its operation. |
| DT008 | Tamper Seal | A tamper seal can be used to protect against tampering or unauthorized access of an object. Tamper seals can provide visual evidence if an object has been opened or attempted to be opened. |