We often bang on about cyber security and its importance (rightly so!), but we should not overlook the importance of physical security. Would-be attackers will always look for weaknesses in the company or the supply chain, and that may/will include weaknesses in building security. This month I learnt this first-hand while teaching a large group of under 18s. Story below…
One of the exercises was ProRat. It is not brown or black as you may imagine – it is a Windows remote access trojan. The delegates install it and they can remotely control another Windows 10 PC. It has tonnes of functions which work assuming anti-malware is off and the TCP port is open. You simply download and run it, and the ‘attacker’ enters the local IP of the ‘defender’ and you hit connect.
A delegate’s laptop was under the control of another and the ‘defender’ asked me, “How do you stop it?” I said press control-alt-delete and terminate the process. Yet after terminating the process, the ‘defender’s’ mouse was still moving. I said turn on Windows Defender and do an update of signatures – still the mouse is moving. Now for the ‘big guns’: put in a Windows firewall rule to outright block the TCP port (5110) on the laptop. No luck.
This is getting embarrassing now for me – 100% what I advised should have worked. Come on, how can someone vastly younger than me defeat someone with 14.5 years of strong defensive skills? A mouse! Me and the ‘defender’ were trying to stop the ‘attacker’ using the trackpad, yet the ‘attacker’ had a mouse plugged in and was to the right of us. No anti-malware or firewalling would stop the mouse which was plugged into the USB port!
Poor physical security often makes hostile reconnaissance and social engineering easier, or, to use the more fashionable term, ‘red teaming’. Three examples below:
One – USB and CD/DVD security
This area crosses physical and logical security but, whatever the definition, it is a favourite trick of ‘red teamers’. Pen testers will rock up to a reception in a sweat and say “I have a job interview in 15 mins and my CV has coffee on it.” They present a USB stick with a ‘PDF’ on it, which prints while a RAT is installed in the background.
Fix?
- Go old school and use PS/2 for keyboards and mice if new motherboards even have them! Then hardware block USBs in the BIOS and slice internal cables & put glue in the USB ports. A bit paranoid and reduced usability maybe.
- Use Microsoft Group Policy and some other software control to block them, and perhaps only allow known hardware encrypted ones. A Rubber Ducky may still work though.
- Put the desktop (laptops?) in a cage so ports are not accessible.
- My least favourite – tell users not to use USBs in any case. What could go wrong?
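To check the Group Policy option above on a given Windows PC, the following PowerShell is an added example (not from the original article). It reads the registry values that the "All Removable Storage classes: Deny all access" policy and a disabled USB storage driver leave behind, then lists the keyboards and mice currently attached, which those storage controls do not cover. The `VendorIdHid` column is a heuristic introduced here, not a Windows property.

```powershell
# Added example: audit USB storage blocking and list attached input devices.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# Group Policy "All Removable Storage classes: Deny all access" sets Deny_All = 1.
$denyAll = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' 'Deny_All'

# Start = 4 means the USB mass-storage driver (USBSTOR) is disabled.
$usbStor = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'

[pscustomobject]@{
    RemovableStorageDenyAll = ($denyAll -eq 1)
    UsbStorDriverDisabled   = ($usbStor -eq 4)
}

# Storage policies do not apply to HID devices. A plugged-in mouse, keyboard or
# keystroke-injection device still enumerates here even when both values above are True.
# Heuristic (assumption): an InstanceId starting HID\VID_ usually means a USB or
# Bluetooth device that reports a vendor ID, rather than a built-in PS/2 device.
Get-PnpDevice -PresentOnly -Class Keyboard, Mouse |
    Select-Object Class, FriendlyName, InstanceId,
        @{ Name = 'VendorIdHid'; Expression = { $_.InstanceId -like 'HID\VID_*' } } |
    Sort-Object Class, FriendlyName |
    Format-Table -AutoSize
```

An unexpected second entry under the Mouse class is the kind of finding that would have explained the moving pointer in the classroom story above.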
Two – Externally-facing windows
On countless occasions I have spotted examples like the two below in Whitehall or in The Square Mile. These are not SMEs but companies with tens of thousands of staff or large well-known government departments.
Fix?
- Don’t put open plan offices on the ground floor with clear windows.
- If the above is not an option, fit frosted glass or a plastic film up to above head height.
Three – Access control
Over the last 14+ years I have been inside various FTSE 100 firms and central government departments, and rarely do I see good access control. Problems include: no turnstiles or mantraps, no two-factor authentication, and obvious branded ID cards.
Fix?
- Keep your ID card unique but generic (i.e. don’t put a company logo on it and don’t put a real return address on it). Have the return address be a general PO Box and include a hard-to-copy inbuilt hologram.
- Use two-factor authentication. At minimum, a PIN along with the ID card.
- Don’t use gates that allow tailgating. Use a man trap and/or employ a guard to watch users swipe in.

Graeme Batsman
Graeme joined QA in 2017 and has worked in security on and off for 15 years. His last role was as a Senior Technical Security consultant at Capgemini covering the public and private sector.
From the age of 17, he was running investigations into online scams and phishing. Today he teaches and/or has written: CEH, OSINT, CTF (conventional or OSINT), CyberFirst, practical encryption and Security+. Graeme is an avid writer with 130+ articles to his name and a chapter in a published book.
He loves thinking like a hacker to review and tweak settings with a fine-tooth comb.