Cybersecurity breaches are becoming more commonplace than ever before. With the average breach costing $3.62 million in damage, it’s no wonder that global enterprises are scrambling to secure their networks and prevent attackers from gaining access to their digital assets. Cybersecurity attacks are becoming more sophisticated every day, with attackers able to hack, eavesdrop, spoof, and socially engineer their way into valuable corporate and customer data. While digital hacking incidents are on the rise, many IT professionals have lost focus on the tried-and-true method of attacking physical security. An organization can implement all the IDS, SIEMs, and antivirus they want, but a firewall isn’t going to stop someone from kicking down your door.
In targeted hits, attackers will frequently leverage physical threat vectors in order to bypass digital controls, or even vice-versa. Counting on security professionals to put most (or all) of their eggs into the cyber basket, criminals will often resort to the old-fashioned break-and-enter and then attack the system from inside, completely bypassing border protections on the network. In this report we’ll examine the impacts of physical security threats and how these risks often go hand-in-hand with cyber attacks.
Industry leaders have been saying for ages that physical access will trump digital controls every time – or in other words, once an attacker has physical access to your devices, it’s game over. Despite these continuous reminders, physical security is often one of the weakest points in an otherwise robust defense.
Here are some common examples of how physical threat vectors can compromise digital security:
What are the implications of these attacks? In every case, the attacker has demonstrated that a weakness exists in physical security, whether that weakness manifests as a flaw in controls (locks, card readers, exposure of infrastructure) or as a gap in security training that shows up in employee behavior. Armed with this information, the threat actor can replicate the attack over and over, gaining physical access to the building whenever required. What’s worse, multiple attacks can erode employees’ suspicion, because they recognize someone they’ve seen before!
The consequences of physical attacks on digital assets are severe. If an attacker gains access to a server room, for example, they can completely override most digital controls that may be in place: they can insert infected media and boot a server into a malicious OS, or plug a traffic monitor into an open firewall port, or even bring down the entire network by looping switch ports together. An inherent flaw in security devices is that they assume someone who can physically access them has the permission to do so, and will usually hand over full access if you’re standing in front of them.
An attacker doesn’t even have to infiltrate a secured server room to cause extensive damage. If they can sneak into the building and access a PC belonging to Human Resources, they will be able to access personnel files and copy employee records containing highly sensitive information. A PC belonging to Accounts Payable can be used to wire money out of the company, or one belonging to a high-ranking executive can be used to access confidential files outlining the company’s business plans. While all of these devices may have extensive digital controls and cybersecurity protection, a weakness in physical security can allow an attacker to bypass them completely.
In the most devious attacks, cyber criminals will perform reconnaissance and preparatory work on the digital front before moving to close the attack in-person. Rather than trying to gain full access into the system, an attacker may only want to open up a few strategic holes to enable a physical assault. While action movies get a lot of things wrong, the trope of a hacker in a van shutting down the network while their buddy breaks into the building is not entirely inaccurate.
The following are examples of how cyber vulnerabilities can weaken a physical defense or have real-world effects:
How can these digital vulnerabilities enable a physical threat? With the end goal of gaining physical access to systems containing confidential data, an attacker can open the door for an in-person engagement by changing or disabling physical controls through a digital vulnerability. The rush to interconnected and cloud-based physical controls has caused organizations to unknowingly expose themselves to additional risk by opening their controls up to network-based attacks.
This type of digital attack is especially dangerous for industrial and manufacturing markets, where network-connected Industrial Control Systems and Programmable Logic Controllers have been in place to govern automated manufacturing for years. While these systems have traditionally been in closed-circuit configurations (or not even on a network at all), the rise of automation and software-defined processes has pushed these systems onto corporate networks – or, in the worst cases, onto the internet completely! When an attacker can gain control of machines weighing thousands of pounds, capable of incredible destruction when used improperly, an organization’s most valuable asset is at stake: human life.
Defending against these sophisticated attacks may seem daunting, but there are several straightforward methods to protect your business. In addition to a robust cybersecurity program, consider adding these approaches to your defense strategy.
When feasible, don’t connect your physical security controls to a network or cloud, and especially not to the public internet. Obviously this is going to come at a cost of convenience and functionality, which is why this method should be evaluated and vetted with the business prior to execution. If your buildings don’t require a complex network-based access system, then don’t implement one; if your cameras don’t need to be accessible from outside the building, don’t put them on the internet; if only a few people ever need to access the server room, consider locking it with a traditional key or combination-lock pad rather than a badge system that could be compromised.
Implement multi-factor authentication (MFA) wherever it’s reasonable to do so. This includes WiFi connections (or 802.1X for hardwired devices), accessing email from outside the building or on a new device, and logging in to production systems, both on-premise and in the cloud.
Even if an attacker gains physical access to the building and boots up a computer, MFA will prevent them from logging into the system, and in a best-case scenario, will generate an alert that can be forwarded to the security response team.
Create and enforce a policy requiring employees to take their laptops home every night. This strategy will reduce the likelihood of both theft and unauthorized access, as well as minimizing impact in the event of an overnight disaster at the office.
If your business is in manufacturing or industrial markets, heavily scrutinize and evaluate plans to connect equipment to a network prior to execution. Ensure that any business case for doing so will outweigh the considerable risk of putting these systems on a network.
In short, make physical security an important part of your network defense plan. When performing risk assessments and control designs, always factor in a scenario where an attacker has gained physical access to the building and is standing in front of the system or device. How will you compensate for this? While they won’t thwart every conceivable attack, controls such as disabling unused ports, locking servers into racks (and bolting the racks to the floor), MAC address whitelisting, and wireless site surveys don’t require much effort and will go a long way in adding another layer to a defense-in-depth strategy.
In the world of security, it can help to take the cynical view and assume that it’s not a matter of if a sophisticated attack will happen, but when. In these cases, despite our best planning and preparation, we have to be ready to respond to an incident and recover from it as effectively as possible while minimizing loss.
Employee training is the first and most important method of recognizing and responding to a physical security incident. Cyber criminals are smart, persuasive, and highly skilled at exploiting human tendencies. Piggybacking, which is simply following someone through the door when they badge in, is the easiest method to gain access to a building, and employees need to be trained not to allow anyone in the door behind them. Employees should also be coached to alert someone when something suspicious has happened, such as accidentally clicking a link in a fraudulent email, or someone calling on the phone and asking for their password. Set up a central hotline and email address to report all security incidents, and post it around the building to raise awareness. Routinely test retention of this training by running exercises and simulations to mimic real events.
If you don’t already have one, create a Security Operations Center at the heart of your incident response program. It’s best to have this be a dedicated team separate from your Help Desk so that agents have the proper freedom and ability to respond to incidents as they happen. This team should be responsible for monitoring and responding to intrusions and security incidents. (Note: Monitoring security cameras is not the duty of the SOC, but rather your security guards.) Write up playbooks for how agents should respond to various threat scenarios, with the first step of any response being to contain the threat and minimize impact. This can be done by taking an infected PC off the network, rerouting network traffic away from a compromised device, or in extreme cases, evacuating the building when human safety is at risk.
Business Continuity and Disaster Recovery are two vital concepts to have in play well before an incident happens. While a comprehensive discussion of BC/DR is outside the scope of this post, there are key points that should be implemented in any defense program:
Why should a security professional focus on the physical side when today’s threats are coming through a network port instead of the front door? It is true that a significant number of cyber breaches are done entirely online without an attacker setting foot in the office, but it’s also true that some sophisticated attackers will set the laptop aside in favor of a crowbar.
SANS Institute states that in recent years, approximately 74,000 employees, contractors, and suppliers were impacted by a data breach due to stolen company laptops with sensitive information on them – and in each case, the loss was not only the value of the physical asset but also the data, which is usually not encrypted. Theft isn’t going away any time soon, and with today’s workforce becoming increasingly mobile, the number of easily-stolen devices will only continue to rise.
In a report by Ponemon Institute released only weeks ago, 42% of security professionals state that they are concerned about their organization’s inability to secure physical spaces containing critical data. Savvy security managers realize that physical controls are just as important as digital, but with talks of ransomware and online attacks dominating the news, administrators can encounter difficulty when getting management’s buy-in to invest in physical security controls and processes. Convinced by pushy vendors that a new SIEM or IDS is the best solution, leadership teams can fail to see that while their network may be rock solid, there’s little in place to keep an attacker from walking through the door and bypassing all of it.
In 2017, the total number of data breaches in the United States reached a new record high of 1,579 incidents spanning 171 million records collectively, according to the Identity Theft Resource Center. This number represents an increase in occurrence of 44.7% compared to 2016. Not all of these breaches utilized a physical attack vector, but a significant number did, and as the number of breaches climbs ever higher, so too does the number of attacks that leverage a physical vulnerability to execute the crime.
Physical weaknesses will always exist. Smart cyber criminals will see organizations rushing to secure their digital fronts while forgetting about the flaws in their doors, windows, cameras, and security guards.
Today’s cyber thieves are using every possible strategy to steal more data and wreak more destruction than ever before. Organizations will do well to remember their real-world security in addition to their efforts on the digital front. With physical access being the trump card that beats every network control, security administrators need to look beyond their routers, firewalls, and server farms to see the doors, fences, lights, and key systems that are often ignored and exploited.
If your organization has suffered data breaches and only thrown more software, VLANs, and firewall rules at the problem, you’re doing a disservice to your employees and customers. It’s time to bring out the risk assessment committee and take a fresh look at your buildings, warehouses, and data centers to see where criminals can get in the door and access controlled areas. Only after you’ve properly assessed both your physical and digital security can you confidently assure your customers that you remain committed to the protection of their information.
Hutter, D. (2018). Physical Security and Why It Is Important. [online] Sans.org. Available at: https://www.sans.org/reading-room/whitepapers/physical/physical-security-important-37120 [Accessed 6 Mar. 2018].
Raytheon.com. (2018). 2018 Study on Global Megatrends in Cybersecurity. [online] Available at: https://www.raytheon.com/sites/default/files/2018-02/2018_Global_Cyber_Megatrends.pdf [Accessed 6 Mar. 2018].