Cyber security professionals often focus on dangers that appear inside their networks or within company messages, sometimes overlooking physical threats. Laptops and devices routinely leave the confines of the network's cyber security perimeter. In that circumstance, an attacker can simply get physically next to a vulnerable laptop, which may render firewall rules and DNS security inoperable against a bad guy hacking into “your” laptop.[1] This is why Wapack Labs strongly suggests linking physical security concepts with current cyber security protections. Squaring physical security with the fact that people need to use their computers and mobile devices for legitimate work outside normal protections is a current reality.
Researchers report that one in four breaches in the financial services sector were due to lost or stolen devices, while one in five were the result of hacking. Physical security is often viewed as a necessary evil in many corporations, yet it remains very important to overall cyber security. The cyber dangers to enterprise data are numerous and often parallel the dangers to the physical assets a corporation or business possesses. Because these two disciplines parallel each other yet often remain separate, many IT security groups stovepipe their information flow apart from that of physical security.
Wapack Labs firmly believes there are technical, operational and strategic reasons to connect cyber security with protecting both the data on systems and the physical hardware and office space that surround your prized data. In other words, physical and cyber security need to work in tandem.
After talking with security professionals, monitoring the security community on social media and in publications, and reviewing recent cyber security incidents, we offer in this report some cyber and physical threats and vulnerabilities. Protecting systems from these threats takes a combination of user training, behavior adjustments, and technology changes. Changing some basic security habits will reduce the risks companies face in our ever-changing technological world.
Physical Security Correctness
Keeping bad actors out of your facility and denying them access to networks is paramount to good overall security. Physical security breaches have for years demonstrated the vulnerabilities created by human failures along with poor procedures. Poor security policies and procedures, a lack of training, laxness and even fatigue will create avenues for suspect individuals to enter a facility. A bad guy conducting surveillance of physical security patterns may create a situation that allows the suspect to physically enter a facility.
Current technology exists to prohibit such an occurrence, but technical remedies to this issue cannot stand alone. The human element of any security program is always a factor that needs constant attention. A procedural fix is to require each employee and guest to badge in and out of your facility so that every entry and exit is tracked (and the two activities can be cross-referenced for each person to identify anomalies). Employees must be educated (with continuing education) to understand that every person walking through a door must use a badge. Additionally, if they see someone trying to enter without following proper badge procedures, they must report it to the security department.
The security term “tailgating” describes a classic vulnerability in the human element of physical security. The “tailgater” simply takes advantage of physics to walk through a door that is slow to close after a proper entry, or directly follows a properly badged person. You now have a potential threat in the building. The motivation for this practice can be malicious entry or just plain laziness.
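One way to do the in/out cross-referencing described above, as an added example that is not part of the Wapack Labs report: a small Python routine over constructed badge-reader events that flags a person who badges in twice with no exit between (they left without badging) and a person who badges out with no prior entry (they got in without badging, the tailgating case). The event format and names are assumptions.

```python
# Constructed badge-reader events: (timestamp, person, direction). Format is assumed.
BADGE_LOG = [
    ("2019-03-04T08:01", "alice", "in"),
    ("2019-03-04T12:10", "alice", "out"),
    ("2019-03-04T12:45", "alice", "in"),
    ("2019-03-04T17:30", "alice", "out"),
    ("2019-03-04T08:05", "bob", "in"),
    ("2019-03-04T13:00", "bob", "in"),     # second "in": bob's exit was never recorded
    ("2019-03-04T18:00", "bob", "out"),
    ("2019-03-04T17:55", "carol", "out"),  # "out" with no "in": carol entered without badging
    ("2019-03-04T09:00", "dave", "in"),    # never badges out before the log ends
]


def find_badge_anomalies(events):
    """Cross-reference each person's entries and exits in time order.

    Returns a list of (person, timestamp, reason) for every event that does not
    pair up with the expected opposite event for the same person.
    """
    anomalies = []
    inside = {}  # person -> timestamp of their currently unmatched "in"
    for ts, person, direction in sorted(events):
        if direction == "in":
            if person in inside:
                anomalies.append((person, ts, "badged in while already inside: exit not recorded"))
            inside[person] = ts
        elif direction == "out":
            if person not in inside:
                anomalies.append((person, ts, "badged out with no matching entry: entry not recorded"))
            inside.pop(person, None)
        else:
            raise ValueError(f"unknown direction {direction!r} for {person} at {ts}")
    # Anyone still "inside" when the log ends also left without badging (or is still there).
    for person, ts in sorted(inside.items()):
        anomalies.append((person, ts, "no exit recorded by end of log"))
    return anomalies


if __name__ == "__main__":
    for person, ts, reason in find_badge_anomalies(BADGE_LOG):
        print(f"{ts} {person}: {reason}")
```

Each flagged event is a door that was passed without a badge read, which is exactly the activity the security department needs reported.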
User Negligence
Every year smartphones, tablets, and laptop computers are left in coffee shops, airplanes, taxis, and restrooms. Most users do not do so with malicious intent; they are easily distracted, in a rush, physically exhausted, or just absentminded. A security plan that does not account for these human conditions is doomed to failure. Procedural/behavioral activities, in some cases, can be effective at minimizing equipment loss. For example, teach search patterns to run through before leaving a location, or create "rituals" around packing up and leaving. These will remind people to look around before leaving a public area. This may sound basic, but training in these procedures really works.
Technology can help too. Requiring mobile device management (MDM) to enforce full-disk encryption on mobile devices and laptops means log-in authentication is needed to begin a session or to turn on the device. An MDM system can also force a remote wipe if the device is lost. This limits an organization's risk to the cost of the hardware rather than the remediation cost of losing sensitive company network information.
Bad Actors
Laptops are sometimes stolen for their resale value, but many times they are stolen for the data on them. Bad actors often lurk in and around parking lots and coffee shops frequented by high-value targets. Recently, Russian hackers were arrested in both the Netherlands and Switzerland for lurking in public areas trying to hack into laptops and WiFi systems connected to chemical and nuclear facilities. Stolen company equipment was subsequently found in their vehicles.
Basic security can include proactive training and providing employees with locks, lockable bags, and other tools to help keep devices secure. The human element remains a constant vulnerability, but making things more difficult for the bad guy is another facet of a solid security posture. Physical security mitigations must include full encryption of devices and laptops. The loss of devices, computers and phones that turn up missing or stolen cannot be totally prevented, but the use of encryption will mitigate the damage.
USB Thumb/Jump Drives
This is an age-old cyber problem. Anything free must be treated with suspicion: ask why a person is giving you a USB thumb or jump drive. “Free” is always enticing and causes some people not to think rationally. Training will correct this problem, but because people are people, both cyber and physical security professionals should first employ anti-malware systems that are aggressive, operational, and up-to-date. Then make it easy for employees who use USB drives to do so in the proper way. Companies must have systems in place that promote passing “weird” looking USB drives to the cyber security group to scan, sanitize, and return the device to the finder (or rightful owner) in a safe, working condition. Or hit the easy button and prohibit their use on your network.
USB drives are often the choice of insiders for taking valuable information out of a company. This is a very easy way to spirit away information. In 2008, the US Department of Defense banned the use of USB drives on its networks after an infection delivered through this medium. The ban was later lifted. After this procedure change, both Edward Snowden and Bradley Manning used USB drives to steal sensitive government material.[2] Though these instances are relatively dated in the cyber security world, the same methods are still being employed by insider threat actors.
Some companies actually seal their computer USB ports with glue, yet this has serious ramifications that limit operational options and prevent legitimate USB use by both users and IT staff for diagnostics or system updates. USB drive use can instead be disabled by IT policy. Depending precisely on which disabling mechanism is used, this could mean changes to the machine's BIOS or modifications to higher-level software (or firmware) that prevent the USB port's operation. If maintenance requiring the USB port is needed, the policy can be relaxed for the duration of that maintenance and then reinstated. USB drive activity should be closely monitored and logged, with alerts for any unusual activity. While this might or might not prevent an initial data theft, it would alert the security team to the activity and allow for quick damage mitigation.
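The monitoring-and-alerting step above, as an added example that is not part of the Wapack Labs report: Python that reads Linux kernel USB messages in their usual syslog form, pairs each mass-storage attachment with the vendor/product id enumerated on the same port, and raises an alert when the drive is not on an approved list or is plugged in outside business hours. The log lines, the approved-device list, the business-hours window and the device ids are all constructed for the example.

```python
import re

# Constructed syslog lines in the Linux kernel's USB message format (not from any real host).
SAMPLE_LOG = """\
Mar  4 09:12:40 ws17 kernel: usb 1-1: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.01
Mar  4 09:12:40 ws17 kernel: usb 1-1: Product: USB Receiver
Mar  4 14:03:11 ws17 kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Mar  4 14:03:12 ws17 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Mar  4 15:20:00 ws17 kernel: usb 1-4: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 1.00
Mar  4 15:20:01 ws17 kernel: usb-storage 1-4:1.0: USB Mass Storage device detected
Mar  4 23:41:05 ws17 kernel: usb 1-3: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
Mar  4 23:41:06 ws17 kernel: usb-storage 1-3:1.0: USB Mass Storage device detected
"""

# Assumed policy: company-issued drives by vendor:product id, and an allowed time window.
APPROVED_STORAGE = {"0781:5583"}
BUSINESS_HOURS = range(7, 19)  # 07:00 to 18:59

TIMESTAMP = r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) kernel: "
NEW_DEV = re.compile(TIMESTAMP + r"usb ([\d.-]+): New USB device found, idVendor=(\w{4}), idProduct=(\w{4})")
STORAGE = re.compile(TIMESTAMP + r"usb-storage ([\d.-]+):\d+\.\d+: USB Mass Storage device detected")


def usb_storage_alerts(log_text, approved=APPROVED_STORAGE, hours=BUSINESS_HOURS):
    """Return one alert dict per mass-storage attachment that violates the policy."""
    ids_by_port = {}  # (host, port) -> "vvvv:pppp" from the latest enumeration on that port
    alerts = []
    for line in log_text.splitlines():
        m = NEW_DEV.match(line)
        if m:
            ts, host, port, vid, pid = m.groups()
            ids_by_port[(host, port)] = f"{vid}:{pid}"
            continue
        m = STORAGE.match(line)
        if not m:
            continue  # other kernel chatter (Product:, SCSI attach, ...) is not an event we act on
        ts, host, port = m.groups()
        dev_id = ids_by_port.get((host, port), "unknown")
        hour = int(ts.split()[2][:2])
        reasons = []
        if dev_id not in approved:
            reasons.append("unapproved device")
        if hour not in hours:
            reasons.append("outside business hours")
        if reasons:
            alerts.append({"time": ts, "host": host, "port": port, "device": dev_id, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in usb_storage_alerts(SAMPLE_LOG):
        print(f"{a['time']} {a['host']} usb {a['port']} {a['device']}: {', '.join(a['reasons'])}")
```

An attachment from an approved drive during the day produces nothing, so the security team only sees the events worth a look.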
Common Sense is Instinct, enough of it is Genius
All of us are endowed with some level of common sense. As the saying above states, enough common sense demonstrates intelligence. Working inside a secure office setting versus working in a coffee shop should cause a user’s common sense to kick in. Yet often it does not. The threat level of leaving your laptop open and running in a coffee shop is very different from the threat level inside your office.
Common sense “should” dictate locking the screen, or actually closing the connection and shutting down, while the user runs to the counter for another cup of coffee. Small behavioral changes can make a huge difference in security outcomes for an organization. All security, physical or cyber, is a constant balancing act between safety and productivity. Your employees need to accomplish their duties, yet must always remain vigilant in overall security awareness. Many researchers, as well as Wapack Labs, fully understand the critical point that cyber security involves hardware and humans as much as it does malware and networks.
For questions or comments regarding this report, or support with insider threats, please contact the Lab directly at 844-4-WAPACK (1-844-492-7225) or feedback@wapacklabs.com.
[1] https://www.darkreading.com/risk/7-real-life-dangers-that-threaten-cybersecurity/d/d-id/1333326