Keep Those Hackers Out of Your Fish Tank
We know it. Our customers know it, and now the industry knows it too. The need to integrate cyber and physical security is increasing.
We’re living in a time where even traditional security is software-driven. Many of the physical security devices used every day are connected to the internet: cameras, communications equipment, access control, fire systems, intrusion solutions, heating, air and ventilation systems, TVs and more. Even a physical device that can be controlled offline can be targeted by hackers while it is online. A perfect example of this was the 2013 Target data breach that was executed when hackers exploited an air-conditioning system through the laptop of a third-party HVAC vendor.
This wasn’t a unique case. A recent story about an unnamed American casino that was breached through the thermostat in a lobby aquarium only reiterated that point. Cybercriminals exploited a vulnerability in the aquarium’s thermostat to gain access to the casino’s network. Once they were in, they were able to access the high-roller database of gamblers – pulling it back across the network, out of the thermostat and up to the cloud. The hackers, who were based in Finland, transferred roughly 10 GB of data to their overseas network.
We see organizations adding more budget to the software that will protect their networks, but what about protecting against attackers who leverage physical threat vectors to bypass digital controls?
Criminals will often resort to the old-fashioned break-and-enter and then attack the system from the inside, completely bypassing protections on the network. Remember the teenager who trespassed into the train depot to gather information so that he could build a remote transmitter that would later derail four trains? This incident was an eye-opener: it exposed vulnerabilities in the train station’s security by showing how easy it was to trespass, take over and interfere with signals.
Due to the increasing number of hand-in-hand physical and cyberattacks, companies are breaking down the traditional silos that kept physical and cyber functions separate. Combining the two is necessary as so many threats combine both elements.
The education sector is definitely moving in this direction. We’ve seen many headlines about schools being targeted in physical attacks, but they are also increasingly becoming a target for cyberattacks. Schools and universities house personal records, intellectual property and research data. This critical information is invaluable and subjects them to higher risk.
In 2017, the education sector alone in the U.S. accounted for 13 percent of data breaches, which resulted in the compromise of nearly 32 million records. The double-edged sword is that institutions are moving more towards digital to help students and faculty succeed in today’s world, but in doing so are opening themselves up to the potential threat. Finding the delicate balance between secure facilities and a constructive atmosphere can be challenging. It often forces security personnel to make tough decisions about where to prioritize resources when facing a variety of threats.
A hybrid attack is not unlikely on a busy college or university campus. Think of the thousands of students, faculty members, administrative staff, facilities staff and visitors who are walking around at all times. With so many people moving in all directions throughout the campus, it is extremely easy to lose track of who is and who isn’t supposed to be there. If someone were looking to access data, it wouldn’t be all that difficult to pose as an insider to access restricted areas. What are the implications of these attacks? In every case, the attacker has demonstrated that a weakness exists.
A recent Ponemon Institute report stated that 42% of security professionals are concerned about their organization’s ability to secure physical spaces containing critical data. In 2017, the total number of data breaches in the U.S. reached 1,579 incidents spanning 171 million records, according to the Identity Theft Resource Center. That is an increase of 44.7% in comparison to 2016. Though not all of the breaches utilized a physical threat vector, a significant number of them did.
Data is becoming one of the most valuable resources in the world. That’s why the combination of physical and cyber threats can leave an organization especially vulnerable. It is common for a cyberattack to start from something as simple as an unauthorized person entering a server room and installing rogue devices. Once the devices have been planted, the hacker has the ability to access the network and capture confidential information. The consequences of physical attacks on digital assets can be severe. By gaining access to confidential data, employee files or even financial accounts, the attacker has weakened the organization and left it with a big mess to clean up.
There is a growing trend for organizations to prepare for multi-faceted attacks. Things like multi-factor authentication, employee hardware policies and regular equipment scans can help to ensure that physical devices are secure.
But, despite our best efforts, planning and preparation don’t leave us completely secure from threats. Here are a few ways that your organization can be ready to respond to an incident:
- Ensure that employees are trained to respond to and report all security incidents.
- Coach employees to alert someone when something suspicious has happened – either physical or cyber-related.
- Set up a central email or hotline where employees can report all incidents; this helps raise awareness and keeps security top of mind.
- Test training retention by running simulation events.
Only after you’ve properly assessed both your physical and digital security can you confidently assure employees and customers that you remain committed to the protection of their information.
In today’s ever-changing world, the best defense is awareness. Keep your eyes and ears open and make sure your team knows who to contact if they have any suspicions.