Physical and Cybersecurity Defense: How Hybrid Attacks are Raising the Stakes
Cybersecurity breaches are becoming more commonplace than ever before. With the average breach costing $3.62 million in damage, it’s no wonder that global enterprises are scrambling to secure their networks and prevent attackers from gaining access to their digital assets. Cybersecurity attacks are becoming more sophisticated every day, with attackers able to hack, eavesdrop, spoof, and socially engineer their way into valuable corporate and customer data. While digital hacking incidents are on the rise, many IT professionals have lost focus on the tried-and-true method of attacking physical security. An organization can implement all the IDS, SIEMs, and antivirus they want, but a firewall isn’t going to stop someone from kicking down your door.
In targeted hits, attackers will frequently leverage physical threat vectors in order to bypass digital controls, or vice versa. Counting on security professionals to put most (or all) of their eggs into the cyber basket, criminals will often resort to the old-fashioned break-and-enter and then attack the system from inside, completely bypassing border protections on the network. In this report, we’ll examine the impacts of physical security threats and how these risks often go hand-in-hand with cyber attacks.
How Can Physical Attacks Dismantle Cybersecurity and Digital Controls?
Industry leaders have been saying for ages that physical access will trump digital controls every time – or in other words, once an attacker has physical access to your devices, it’s game over. Despite these continuous reminders, physical security is often one of the weakest points in an otherwise robust defense.
Here are some common examples of how physical threat vectors can compromise digital security:
- An infected USB drive is planted in a parking lot, lobby, etc., which an employee picks up and loads onto the network.
- An attacker breaks into a server room and installs rogue devices that capture confidential data.
- The internet drop line is accessible from outside of the building, allowing an attacker to intercept data or cut the line completely.
- An attacker pretends to be an employee and counts on a real employee’s courtesy to hold the door as they enter together.
- An inside actor looks over the shoulder of a system engineer as they type administrative credentials into a system.
What are the implications of these attacks? In every case, the attacker has demonstrated that a weakness exists in physical security, whether that weakness manifests as a flaw in controls (locks, card readers, exposure of infrastructure) or as a gap in security training, revealed through employee behavior. Armed with this information, the threat actor can replicate the attack over and over, gaining physical access to the building whenever required. What’s worse, repeated visits can erode employees’ suspicion: they recognize someone they’ve seen before and stop questioning their presence!
The consequences of physical attacks on digital assets are severe. If an attacker gains access to a server room, for example, they can completely override most digital controls that may be in place: they can insert infected media and boot a server into a malicious OS, or plug a traffic monitor into an open firewall port, or even bring down the entire network by looping switch ports together. An inherent flaw in security devices is that they assume someone who can physically access them has the permission to do so, and will usually hand over full access if you’re standing in front of them.
An attacker doesn’t even have to infiltrate a secured server room to cause extensive damage. If they can sneak into the building and access a PC belonging to Human Resources, they will be able to access personnel files and copy employee records containing highly sensitive information. A PC belonging to Accounts Payable can be used to wire money out of the company, or one belonging to a high-ranking executive can be used to access confidential files outlining the company’s business plans. While all of these devices may have extensive digital controls and cybersecurity protection, a weakness in physical security can allow an attacker to bypass them completely.
How Can Cybersecurity Weaknesses Enable Physical Attacks?
In the most devious attacks, cybercriminals will perform reconnaissance and preparatory work on the digital front before moving to close the attack in person. Rather than trying to gain full access to the system, an attacker may only want to open up a few strategic holes to enable a physical assault. While action movies get a lot of things wrong, the trope of a hacker in a van shutting down the network while their buddy breaks into the building is not entirely inaccurate.
The following are examples of how cyber vulnerabilities can weaken a physical defense or have real-world effects:
- An attacker shuts down internet-connected security cameras or deletes their footage, allowing a break-in to go undetected.
- The internet-facing keycard access system is compromised, allowing an attacker to grant or remove physical access to the building.
- Network-connected manufacturing systems can be attacked and shut down, causing loss of productivity or a safety incident.
- CPU-intensive malware can be loaded onto a server cluster which spikes power consumption, resulting in overheating, brownouts, or a total loss of power.
- Ransomware on a hospital network can prevent physicians from accessing patient records and providing necessary care.
How can these digital vulnerabilities enable a physical threat? With the end goal of gaining physical access to systems containing confidential data, an attacker can open the door for an in-person engagement by changing or disabling physical controls through a digital vulnerability. The rush to interconnected and cloud-based physical controls has caused organizations to unknowingly expose themselves to additional risk by opening their controls up to network-based attacks.
This type of digital attack is especially dangerous for industrial and manufacturing markets, where network-connected Industrial Control Systems and Programmable Logic Controllers have been in place to govern automated manufacturing for years. While these systems have traditionally been in closed-circuit configurations (or not on a network at all), the rise of automation and software-defined processes has pushed them onto corporate networks – or, in the worst cases, onto the internet completely! When an attacker can gain control of machines weighing thousands of pounds, capable of incredible destruction when used improperly, an organization’s most valuable asset is at stake: human life.
How Can Organizations Plan and Prepare for Multi-Faceted Attacks?
Defending against these sophisticated attacks may seem daunting, but there are several straightforward methods to protect your business. In addition to a robust cybersecurity program, consider adding these approaches to your defense strategy.
When feasible, don’t connect your physical security controls to a network or cloud, and especially not to the public internet. Obviously, this is going to come at a cost of convenience and functionality, which is why this method should be evaluated and vetted with the business prior to execution. If your buildings don’t require a complex network-based access system, then don’t implement one; if your cameras don’t need to be accessible from outside the building, don’t put them on the internet; if only a few people ever need to access the server room, consider locking it with a traditional key or combination-lock pad rather than a badge system that could be compromised.
Implement multi-factor authentication (MFA) wherever it’s reasonable to do so. This includes WiFi connections (or 802.1X for hardwired devices), accessing email from outside the building or on a new device, and logging in to production systems, both on-premises and in the cloud.
Even if an attacker gains physical access to the building and boots up a computer, MFA will prevent them from logging into the system, and in a best-case scenario, will generate an alert that can be forwarded to the security response team.
Create and enforce a policy requiring employees to take their laptops home every night. This strategy will reduce the likelihood of both theft and unauthorized access, as well as minimizing impact in the event of an overnight disaster at the office.
If your business is in manufacturing or industrial markets, heavily scrutinize and evaluate plans to connect equipment to a network prior to execution. Ensure that any business case for doing so will outweigh the considerable risk of putting these systems on a network.
In short, make physical security an important part of your network defense plan. When performing risk assessments and control designs, always factor in a scenario where an attacker has gained physical access to the building and is standing in front of the system or device. How will you compensate for this? While they won’t thwart every conceivable attack, controls such as disabling unused ports, locking servers into racks (with the racks bolted to the floor), MAC address whitelisting, and wireless site surveys don’t require much effort and will go a long way in adding another layer to a defense-in-depth strategy.
How Can Organizations Respond to and Recover from Integrated Attacks?
In the world of security, it can help to take the cynical view and assume that it’s not a matter of if a sophisticated attack will happen, but when. In these cases, despite our best planning and preparation, we have to be ready to respond to an incident and recover from it as effectively as possible while minimizing loss.
Employee training is the first and most important method of recognizing and responding to a physical security incident. Cybercriminals are smart, persuasive, and highly skilled at exploiting human tendencies. Piggybacking (simply following someone through the door when they badge in) is the easiest way to gain access to a building, and employees need to be trained not to allow anyone in the door behind them. Employees should also be coached to alert someone when something suspicious has happened, such as accidentally clicking a link in a fraudulent email, or someone calling on the phone and asking for their password. Set up a central hotline and email address to report all security incidents, and post it around the building to raise awareness. Routinely test retention of this training by running exercises and simulations to mimic real events.
If you don’t already have one, create a Security Operations Center at the heart of your incident response program. It’s best to have this be a dedicated team separate from your Help Desk so that agents have the proper freedom and ability to respond to incidents as they happen. This team should be responsible for monitoring and responding to intrusions and security incidents. (Note: Monitoring security cameras is not the duty of the SOC, but rather your security guards.) Write up playbooks for how agents should respond to various threat scenarios, with the first step of any response being to contain the threat and minimize impact. This can be done by taking an infected PC off the network, rerouting network traffic away from a compromised device, or in extreme cases, evacuating the building when human safety is at risk.
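One concrete check a SOC playbook can automate for the hybrid scenarios above (the piggybacking case from the training section and the "attacker standing in front of the machine" case from the planning section) is to correlate the physical access system's badge-in events with interactive logins on on-site hosts. The following is an added example, not code from the original post; the log records, user names and host names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real logs): badge-reader events from the
# physical access system and interactive console logins on on-site hosts.
BADGE_EVENTS = [
    {"time": "2018-03-06T08:02:00", "user": "alice", "door": "front-lobby"},
    {"time": "2018-03-06T08:40:00", "user": "bob", "door": "front-lobby"},
]
CONSOLE_LOGINS = [
    {"time": "2018-03-06T08:15:00", "user": "alice", "host": "hr-pc-01"},
    {"time": "2018-03-06T09:10:00", "user": "carol", "host": "ap-pc-03"},
    {"time": "2018-03-06T07:30:00", "user": "bob", "host": "srv-rack-02"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def logins_without_badge(badge_events, console_logins, window=timedelta(hours=12)):
    """Return (login, reason) pairs for console logins that no badge-in by the
    same user precedes within `window`. Such a login means either someone
    entered without badging (piggybacking) or an account is being used at a
    console by a person other than its owner; both warrant a SOC ticket."""
    badges_by_user = {}
    for event in badge_events:
        badges_by_user.setdefault(event["user"], []).append(_ts(event["time"]))

    suspicious = []
    for login in console_logins:
        login_time = _ts(login["time"])
        user_badges = badges_by_user.get(login["user"], [])
        if not user_badges:
            suspicious.append((login, "no badge-in recorded for user"))
        elif not any(login_time - window <= b <= login_time for b in user_badges):
            suspicious.append((login, "login precedes every badge-in in window"))
    return suspicious


if __name__ == "__main__":
    for login, reason in logins_without_badge(BADGE_EVENTS, CONSOLE_LOGINS):
        print(f"ALERT {login['time']} {login['user']}@{login['host']}: {reason}")
```

In a real deployment the two feeds would come from the badge system and the host authentication logs, and the window should match how long a badge-in plausibly covers a person's presence on site.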
Business Continuity and Disaster Recovery are two vital concepts to have in play well before an incident happens. While a comprehensive discussion of BC/DR is outside the scope of this post, there are key points that should be implemented in any defense program:
- Have redundant networking systems (including separate internet connections from different ISPs) that can be brought online quickly in the event of a network outage.
- Design a data retention and backup system that can restore copies of critical data in the event of loss or corruption. Test this system regularly to ensure it works before you actually need it.
- Write contingency plans with processes for employees to continue working in the event of a security breach.
- If budget allows and there is a business case for it, consider renting a “hot” or “warm” off-site facility that can act as a temporary base of operations while you recover the primary building.
The Increasing Prevalence of Physical Threats in a Digital World
Why should a security professional focus on the physical side when today’s threats are coming through a network port instead of the front door? It is true that a significant number of cyber breaches are done entirely online without an attacker setting foot in the office, but it’s also true that some sophisticated attackers will set the laptop aside in favor of a crowbar.
SANS Institute states that in recent years, approximately 74,000 employees, contractors, and suppliers were impacted by a data breach due to stolen company laptops with sensitive information on them – and in each case, the real loss was not the value of the physical asset but the data on it, which is usually not encrypted. Theft isn’t going away any time soon, and with today’s workforce becoming increasingly mobile, the number of easily stolen devices will only continue to rise.
In a report by Ponemon Institute released only weeks ago, 42% of security professionals state that they are concerned about their organization’s inability to secure physical spaces containing critical data. Savvy security managers realize that physical controls are just as important as digital, but with talks of ransomware and online attacks dominating the news, administrators can encounter difficulty when getting management’s buy-in to invest in physical security controls and processes. Convinced by pushy vendors that a new SIEM or IDS is the best solution, leadership teams can fail to see that while their network may be rock solid, there’s little in place to keep an attacker from walking through the door and bypassing all of it.
In 2017, the total number of data breaches in the United States reached a new record high of 1,579 incidents spanning 171 million records collectively, according to the Identity Theft Resource Center. This represents a 44.7% increase in occurrences compared to 2016. Not all of these breaches utilized a physical attack vector, but a significant number did, and as the number of breaches climbs ever higher, so too does the number of attacks that leverage a physical vulnerability to execute the crime.
Physical weaknesses will always exist. Smart cybercriminals will see organizations rushing to secure their digital fronts while forgetting about the flaws in their doors, windows, cameras, and security guards.
Today’s cyber thieves are using every possible strategy to steal more data and wreak more destruction than ever before. Organizations will do well to remember their real-world security in addition to their efforts on the digital front. With physical access being the trump card that beats every network control, security administrators need to look beyond their routers, firewalls, and server farms to see the doors, fences, lights, and key systems that are often ignored and exploited.
If your organization has suffered data breaches and only thrown more software, VLANs, and firewall rules at the problem, you’re doing a disservice to your employees and customers. It’s time to bring out the risk assessment committee and take a fresh look at your buildings, warehouses, and data centers to see where criminals can get in the door and into access-controlled areas. Only after you’ve properly assessed both your physical and digital security can you confidently assure your customers that you remain committed to the protection of their information.
Egan, G. (2018). Scary Data Breach Statistics of 2017. [online] Wombatsecurity.com. Available at: https://www.wombatsecurity.com/blog/scary-data-breach-statistics-of-2017 [Accessed 6 Mar. 2018].
Hutter, D. (2018). Physical Security and Why It Is Important. [online] Sans.org. Available at: https://www.sans.org/reading-room/whitepapers/physical/physical-security-important-37120 [Accessed 6 Mar. 2018].
Raytheon.com. (2018). 2018 Study on Global Megatrends in Cybersecurity. [online] Available at: https://www.raytheon.com/sites/default/files/2018-02/2018_Global_Cyber_Megatrends.pdf [Accessed 6 Mar. 2018].
Sfax. (2018). The average cost of a Data Breach in 2017 is $3.62 million | Sfax. [online] Available at: https://www.scrypt.com/blog/average-cost-data-breach-2017-3-62-million [Accessed 6 Mar. 2018].