- ID: PV009
- Created: 31st May 2024
- Updated: 31st May 2024
- Contributor: The ITM Team
Prohibition of Devices On-site
Certain infringements can be prevented by prohibiting certain devices from being brought on-site.
Sections
ID | Name | Description |
---|---|---|
PR008 | Physical Item Smuggling | A subject attempts to defeat physical security controls by smuggling an item (potentially an innocent item at first) into a controlled area to facilitate an infringement (such as a smart phone with a camera). |
ME013 | Media Capture | A subject can capture photos, videos and/or audio with an external device, such as taking photos of a screen, documents, or their surroundings. |
IF003 | Exfiltration via Media Capture | A subject uses an external device, such as a mobile phone or camera, to record audio, photos, or video to capture media. |
ME005 | Removable Media | A subject can mount and write to removable media. |
PR007 | CCTV Enumeration | A subject observes and/or records the locations of CCTV cameras in a target area. |
IF019 | Non-Corporate Device | The subject performs work-related tasks on an unauthorized, non-organization-owned device, likely violating organizational policy. Without the organization’s security controls in place, this device could be used to bypass established safeguards. Moreover, using a personal device increases the risk of sensitive data being retained or exposed, particularly after the subject is offboarded, as the organization has no visibility or control over information stored outside its managed systems. |
ME022 | Bring Your Own Device (BYOD) | An organization has a Bring Your Own Device (BYOD) policy, where a subject is authorized to connect personally owned devices—such as smartphones, tablets, or laptops—to organizational resources. These resources include corporate networks, cloud applications, and on-premises systems that may handle confidential and/or sensitive information.<br>The use of personal devices in a corporate environment introduces several risks, as these devices may lack the same level of security controls and monitoring as organization-owned equipment. |
IF004.002 | Exfiltration via AirDrop | A subject exfiltrates files using AirDrop as the transportation medium. |
IF004.001 | Exfiltration via Bluetooth | A subject exfiltrates files using Bluetooth as the transportation medium. |
IF003.001 | Exfiltration via Photography | A subject uses a device, such as a mobile phone or camera, to take photos containing sensitive information. |
IF003.002 | Exfiltration via Video Capture | A subject uses an external device, such as a mobile phone or camera, to take video recordings containing sensitive information. |
IF003.003 | Exfiltration via Audio Capture | A subject uses an external device, such as a mobile phone or camera, to record audio containing sensitive information, such as conversations. |
ME005.001 | USB Mass Storage | A subject can mount and write to a USB mass storage device. |
ME005.002 | SD Cards | A subject can mount and write to an SD card, either directly from the system, or through a USB connector. |
IF002.008 | Exfiltration via USB to Mobile Device | The subject uses a USB cable, and any relevant software if required, to transfer files or data from one system to a mobile device. This device is then taken outside of the organization's control, where the subject can later access the contents. |
ME024.004 | Access to Physical Hardware | Subjects with physical access to critical hardware—such as data center infrastructure, on-premises servers, network appliances, storage arrays, or specialized equipment like CCTV and alarm systems—represent a significant insider threat due to their ability to bypass logical controls and interact directly with systems. This level of access can facilitate a wide range of security compromises, many of which are difficult to detect through conventional digital monitoring.<br>Physical access may also include proximity to sensitive areas such as network closets, on-premises server racks, backup repositories, or control systems in operational technology (OT) environments. In high-security settings, even brief unsupervised access can be exploited to compromise system integrity or enable ongoing unauthorized access.<br>With this type of access, a subject can:<br>In operational environments, subjects with access to physical control systems (e.g., ICS/SCADA components, industrial HMIs, or IoT gateways) may alter processes, cause service disruptions, or create safety hazards. Similarly, access to CCTV or badge systems may allow them to erase footage, monitor employee movements, or manipulate access control logs.<br>Subjects with this form of access represent an elevated risk, especially when combined with technical knowledge or administrative privileges. The risk is compounded in environments with limited physical security controls, inadequate logging of physical entry, or weak segmentation between physical and digital assets. |
ME024.005 | Access to Physical Spaces | Subjects with authorized access to sensitive physical spaces—such as secure offices, executive areas, data centers, SCIFs (Sensitive Compartmented Information Facilities), R&D labs, or restricted zones in critical infrastructure—pose an increased insider threat due to their physical proximity to sensitive assets, systems, and information.<br>Such spaces often contain high-value materials or information, including printed sensitive documents, whiteboard plans, authentication devices (e.g., smartcards or tokens), and unattended workstations. A subject with physical presence in these locations may observe confidential conversations, access sensitive output, or physically interact with devices outside of typical security monitoring.<br>This type of access can be leveraged to:<br>Subjects in roles that involve frequent presence in sensitive locations—such as cleaning staff, security personnel, on-site engineers, or facility contractors—may operate outside the scope of standard digital access control and may not be fully visible to security teams focused on network activity.<br>Importantly, individuals with this kind of access are also potential targets for recruitment or coercion by external threat actors seeking insider assistance. The ability to physically access secure environments and passively gather high-value information makes them attractive assets in coordinated attempts to obtain or compromise protected information.<br>The risk is magnified in organizations lacking comprehensive physical access policies, surveillance, or cross-referencing of physical and digital access activity. When unmonitored, physical access can provide a silent pathway to support insider operations without leaving traditional digital footprints. |