Security (defined as the activities involved in protecting a country, building or person against attack or danger) has many prefixes. Placing national security to one side, cyber-security now dominates the threat landscape of virtually every organisation, irrespective of its industry or market sector, and there is no shortage of prey.
The digital food chain
The digital food chain has its predators. At its apex, hostile nation states and their proxies use an array of sophisticated technologies to mount advanced persistent threats, leveraging privileged access through imposters or moles emplaced in strategic locations and seeking to create an adversarial advantage, potentially in advance of future cyber-combat. Cybercriminals exploit a myriad of vulnerabilities to steal data and encrypt it in place, holding organisations to ransom and demanding payment for its release; there has never been a more pressing need for ransomcare, with an average global payout of £1.2M.
Hacktivism, the act of breaking into a computer or system for political or social reasons, is closely related to cybercrime and is often intent on a distributed denial-of-service (DDoS) attack against an organisation or, increasingly, its supply chain. Regardless of the intention, skill level or motivation of the threat actor, physical security is a constant and frequently ignored attack vector and a fundamental part of a comprehensive security posture.
The cyber lexicon is vast, with innumerable acronyms and abbreviations; some relate to professional qualifications or positions, others denote a Something-as-a-Service offering. The majority, however, describe a method, strategy or procedure for a virtual task carried out to safeguard a system, network, location or individual from dangers, threats or vulnerabilities. But how many of them could equally describe a physical defence mechanism against the real-world dangers that can be used to attack weak points in non-digital systems?
Real time security alert analysis
Security Information and Event Management, or SIEM, combines software products and services to provide real-time analysis of security alerts generated by applications and network hardware. Information assurance personnel, cyber-security engineers and analysts use the aggregated log data to perform critical functions, in real time, in response to an incident. A firewall is the analogous network device: it monitors incoming and outgoing traffic and decides whether to allow or block specific traffic based upon a defined set of security rules. So, what physical security measure would be comparable?
Physical defence barriers
The first line of physical defence is a defined barrier, the front line of any functional security system. It serves to deter or delay a would-be intruder from gaining physical access to a building or premises. Provided it is well maintained, this barrier is broken only at pedestrian or vehicular access points. Much like a firewall, access to and through the barrier is governed by a defined set of security rules, allowing or preventing traffic as necessary.
Intruder detection systems
But who or what is monitoring this activity? How is an incursion identified, and what is the incident response? Information pertaining to the origin and location of an event could be managed by an intruder detection system (IDS, in the physical sense of the term), actively monitored CCTV or a manned guarding service. But whilst many businesses have CCTV installed, few systems are regularly maintained, arcs of cover become obscured by vegetation, and many have no active response, serving merely to inform after the incident. In this regard the CCTV system becomes largely redundant. Similarly, an IDS is only of service if there is a timely and proportionate response to an activation. What good is a third-party security service whose response is measured by 'best endeavours'?
Access control systems
Another common techno-physical security measure is access control, a fundamental component of data security that dictates who is allowed to access or use company information and resources. Through authentication and authorisation, access control policies ensure that users are who they say they are and are permitted to access company data. The same mechanism is applied to limit physical access to buildings, specific rooms or areas of increased sensitivity.
However, ill-fitted access control readers, or those whose wiring can be reached from the front of the door, present the opportunity for a man-in-the-middle (MITM) attack. By wiring a small ESP-based implant between the reader and the controller (the 'ESP' refers to the ESP-series microcontroller such implants are built around, not to the EFI System Partition), an intruder can capture, record, store and later replay the card data that the reader has already authenticated. Such a device can log credentials for nearly any device that uses a Wiegand interface, including RFID card readers, PIN pads, magnetic stripe systems, barcode readers and even some biometric readers.
On return, the captured data is simply replayed to the controller to gain access. Worse still, card data can be read directly from the card itself. Studying employees and their daily patterns will often provide an opportunity to use simple near-field communication (NFC) devices to skim the data and write it to a surrogate card, and there are many other ways in which information about security or access can be discreetly gleaned outside of an established security structure.
People are creatures of habit; they will often take lunch at one or two preferred eateries and will almost certainly sit in the same one or two places. Knowing where and when a target will be gives an attacker the perfect opportunity to mount an NFC data grab. Once acquired, the data can be copied to a clone card, which is afforded the same privileged access. A cultural reset of physical security is essential: no one has yet found a truly reliable way of patching a human, and human error remains the biggest challenge to maintaining physical security best practice.
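The replay and cloning described above works because a Wiegand reader sends each swipe to the controller as a plain bitstream with no session key, freshness value or reader authentication, so anything that has stored the bits can emit them again later. The following is an added example, not code from the original article: it encodes and decodes the common 26-bit Wiegand format, shows that a controller accepts a replayed capture exactly as it accepts the live swipe, and then runs a simple clone-detection check over a constructed access log (the site and door names, card numbers and log format are invented for this example). The check flags one credential being granted at two sites closer in time than travel between them allows, which is what a cloned or replayed card produces once the legitimate holder and the attacker both use it.

```python
"""Added example: why Wiegand card data is replayable, and a log-side clone check."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Credential:
    facility_code: int   # 8 bits in the 26-bit format
    card_number: int     # 16 bits


def encode_wiegand26(cred: Credential) -> list[int]:
    """Build the 26-bit frame: even parity bit, 24 data bits, odd parity bit."""
    payload = (cred.facility_code << 16) | cred.card_number
    data = [(payload >> (23 - i)) & 1 for i in range(24)]
    even = sum(data[:12]) % 2            # leading parity covers the first 12 data bits
    odd = 1 - (sum(data[12:]) % 2)       # trailing parity covers the last 12 data bits
    return [even] + data + [odd]


def decode_wiegand26(bits: list[int]) -> Credential:
    """Validate both parity bits and split the payload; this is all a controller checks."""
    if len(bits) != 26:
        raise ValueError("expected a 26-bit frame")
    data = bits[1:25]
    if bits[0] != sum(data[:12]) % 2:
        raise ValueError("leading parity mismatch")
    if bits[25] != 1 - (sum(data[12:]) % 2):
        raise ValueError("trailing parity mismatch")
    payload = int("".join(str(b) for b in data), 2)
    return Credential(payload >> 16, payload & 0xFFFF)


def controller_grants(bits: list[int], enrolled: set[Credential]) -> bool:
    """A Wiegand controller cannot tell a live swipe from a replayed capture."""
    try:
        return decode_wiegand26(bits) in enrolled
    except ValueError:
        return False


# Constructed access log for the example; not taken from any real system.
ACCESS_LOG = """\
2024-03-04T08:58:12 site=HQ door=Lobby fc=118 card=31337 result=granted
2024-03-04T09:02:40 site=HQ door=ServerRoom fc=118 card=31337 result=granted
2024-03-04T09:05:03 site=HQ door=Lobby fc=118 card=20001 result=granted
2024-03-04T09:11:55 site=DC2 door=Cage4 fc=118 card=31337 result=granted
2024-03-04T09:30:00 site=DC2 door=Cage4 fc=118 card=31337 result=denied
"""


def parse_access_log(text: str) -> list[tuple]:
    """Parse 'timestamp key=value ...' lines into (time, site, door, credential, result)."""
    events = []
    for line in text.splitlines():
        ts, *pairs = line.split()
        f = dict(p.split("=", 1) for p in pairs)
        events.append((datetime.fromisoformat(ts), f["site"], f["door"],
                       Credential(int(f["fc"]), int(f["card"])), f["result"]))
    return events


def clone_indicators(events: list[tuple], min_travel: timedelta) -> list[tuple]:
    """Flag a credential granted at two different sites within less than min_travel."""
    last_granted: dict[Credential, tuple[datetime, str]] = {}
    hits = []
    for ts, site, _door, cred, result in sorted(events, key=lambda e: e[0]):
        if result != "granted":
            continue
        if cred in last_granted:
            prev_ts, prev_site = last_granted[cred]
            if prev_site != site and ts - prev_ts < min_travel:
                hits.append((cred, prev_site, site, ts - prev_ts))
        last_granted[cred] = (ts, site)
    return hits


if __name__ == "__main__":
    holder = Credential(118, 31337)
    captured = encode_wiegand26(holder)          # what an implant on the reader line records
    print("live swipe granted:", controller_grants(captured, {holder}))
    print("replayed capture granted:", controller_grants(list(captured), {holder}))
    for cred, a, b, gap in clone_indicators(parse_access_log(ACCESS_LOG), timedelta(minutes=30)):
        print(f"possible clone: card {cred.card_number} at {a} then {b} only {gap} apart")
```

The controller-side function makes the weakness explicit: the only checks available are the two parity bits and membership in the enrolled list, so a stored frame is indistinguishable from a fresh one. The usual fix on the wire is OSDP with Secure Channel, which encrypts and authenticates the reader-to-controller link and supports reader tamper reporting; on the monitoring side, feeding door events into the same SIEM as network logs lets a correlation such as the one above run in real time rather than being discovered in a post-incident review.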
Physical breach consequences
It is true to say that the likelihood of a physical breach is low, but the threat is far from negligible. Considering security threats in isolation, one domain after another rather than together, continues to perpetuate the gulf between cyber defensive and physical defensive measures. What good is multi-factor authentication, software-defined segmentation and 256-bit encryption if inadequate physical security allows unfettered access to your server room?
The consequence of an undetected physical breach against your network or systems far outweighs that of a breach detected digitally in response to an emerging threat or incident, because with access to hardware, cabinets or server stacks a threat actor can circumvent whatever cyber-security measures are in force.
Even where those measures are strong enough to deny nefarious cyber access, access to hard-copy documentation and corporate computer systems can still be effected, not to mention the plethora of cheap audio and video stay-behind devices that can be secreted into the fabric of a building, allowing, for example, the capture of authenticated login credentials.
Data centre security threats
A data centre, or any store, is a place that holds data; why then do so few organisations give physical security the same priority as cyber-security? Layered security approaches and data centre security by design are good illustrations of all security threats being handled together. Use any data centre risk assessment template as a guide and the importance of physical security will be evident.
The probability of a physical breach can be considerably decreased by a strong physical barrier reinforced by deter, detect and monitor technologies, strong locking mechanisms and an equally strong response plan. Organisations can no longer concentrate solely on cyber-security without recognising the integral and vital role that physical security measures play in it.
Preparation is critical: organisations must optimise their physical security frameworks to effectively identify and respond to cyber-security threats, malicious actors, physical breaches, and internal and external risks.