- ID: PV011
- Created: 31st May 2024
- Updated: 31st May 2024
- Contributor: The ITM Team
Physical Access Controls
Access to specific areas of a site should be restricted to only authorized personnel, through the use of controls such as locked doors, mantraps, and gates requiring an ID badge.
Sections
ID | Name | Description |
---|---|---|
PR009 | Physical Exploration | A subject attempts to defeat physical security controls to gain access to a secured area to conduct an infringement. |
PR007 | CCTV Enumeration | A subject observes and/or records the locations of CCTV cameras in a target area. |
ME013 | Media Capture | A subject can capture photos, videos and/or audio with an external device, such as taking photos of a screen, documents, or their surroundings. |
PR011 | Boot Order Manipulation | A subject accesses BIOS or UEFI to manipulate the boot order of a target computer to boot from an external device in order to access the target computer's file system without needing to interact or authenticate with the Operating System of the target computer. |
ME024 | Access | A subject holds access to both physical and digital assets that can enable insider activity. This includes systems such as databases, cloud platforms, and internal applications, as well as physical environments like secure office spaces, data centers, or research facilities. When a subject has access to sensitive data or systems—especially with broad or elevated privileges—they present an increased risk of unauthorized activity.<br><br>Subjects in roles with administrative rights, technical responsibilities, or senior authority often have the ability to bypass controls, retrieve restricted information, or operate in areas with limited oversight. Even standard user access, if misused, can facilitate data exfiltration, manipulation, or operational disruption. Weak access controls—such as excessive permissions, lack of segmentation, shared credentials, or infrequent reviews—further compound this risk by enabling subjects to exploit access paths that should otherwise be limited or monitored.<br><br>Furthermore, subjects with privileged or strategic access may be more likely to be targeted for recruitment by external parties to exploit their position. This can include coercion, bribery, or social engineering designed to turn a trusted insider into an active participant in malicious activities. |
ME025 | Placement | A subject’s placement within an organization shapes their potential to conduct insider activity. Placement refers to the subject’s formal role, business function, or proximity to sensitive operations, intellectual property, or critical decision-making processes. Subjects embedded in trusted positions—such as those in legal, finance, HR, R&D, or IT—often possess inherent insight into internal workflows, organizational vulnerabilities, or confidential information.<br><br>Strategic placement can grant the subject routine access to privileged systems, classified data, or internal controls that, if exploited, may go undetected for extended periods. Roles that involve oversight responsibilities or authority over process approvals can also allow for policy manipulation, the suppression of alerts, or the facilitation of fraudulent actions.<br><br>Subjects in these positions may not only have a higher capacity to carry out insider actions but may also be more appealing targets for adversarial recruitment or collusion, given their potential to access and influence high-value organizational assets. The combination of trust, authority, and access tied to their placement makes them uniquely positioned to execute or support malicious activity. |
IF011.002 | Intentionally Weakening Physical Security Controls For a Third Party | The subject intentionally weakens or bypasses physical security controls for a third party, such as allowing them to piggyback into a secure area, leaving a door unlocked for them, or providing them with a security pass. |
IF002.005 | Exfiltration via Physical Documents | A subject transports physical documents outside of the control of the organization. |
ME021.003 | Physical Access Credentials | Physical security credentials, such as an ID card or physical keys, that were available to the subject during employment are not revoked and can still be used. |
ME024.004 | Access to Physical Hardware | Subjects with physical access to critical hardware—such as data center infrastructure, on-premises servers, network appliances, storage arrays, or specialized equipment like CCTV and alarm systems—represent a significant insider threat due to their ability to bypass logical controls and interact directly with systems. This level of access can facilitate a wide range of security compromises, many of which are difficult to detect through conventional digital monitoring.<br><br>Physical access may also include proximity to sensitive areas such as network closets, on-premises server racks, backup repositories, or control systems in operational technology (OT) environments. In high-security settings, even brief unsupervised access can be exploited to compromise system integrity or enable ongoing unauthorized access.<br><br>With this type of access, a subject can:<br><br>In operational environments, subjects with access to physical control systems (e.g., ICS/SCADA components, industrial HMIs, or IoT gateways) may alter processes, cause service disruptions, or create safety hazards. Similarly, access to CCTV or badge systems may allow them to erase footage, monitor employee movements, or manipulate access control logs.<br><br>Subjects with this form of access represent an elevated risk, especially when combined with technical knowledge or administrative privileges. The risk is compounded in environments with limited physical security controls, inadequate logging of physical entry, or weak segmentation between physical and digital assets. |
ME024.005 | Access to Physical Spaces | Subjects with authorized access to sensitive physical spaces—such as secure offices, executive areas, data centers, SCIFs (Sensitive Compartmented Information Facilities), R&D labs, or restricted zones in critical infrastructure—pose an increased insider threat due to their physical proximity to sensitive assets, systems, and information.<br><br>Such spaces often contain high-value materials or information, including printed sensitive documents, whiteboard plans, authentication devices (e.g., smartcards or tokens), and unattended workstations. A subject with physical presence in these locations may observe confidential conversations, access sensitive output, or physically interact with devices outside of typical security monitoring.<br><br>This type of access can be leveraged to:<br><br>Subjects in roles that involve frequent presence in sensitive locations—such as cleaning staff, security personnel, on-site engineers, or facility contractors—may operate outside the scope of standard digital access control and may not be fully visible to security teams focused on network activity.<br><br>Importantly, individuals with this kind of access are also potential targets for recruitment or coercion by external threat actors seeking insider assistance. The ability to physically access secure environments and passively gather high-value information makes them attractive assets in coordinated attempts to obtain or compromise protected information.<br><br>The risk is magnified in organizations lacking comprehensive physical access policies, surveillance, or cross-referencing of physical and digital access activity. When unmonitored, physical access can provide a silent pathway to support insider operations without leaving traditional digital footprints. |