7 Real-Life Dangers That Threaten Cybersecurity


Cybersecurity means more than bits and bytes; threats are out there IRL, and IT pros need to be prepared.

Written by Curtis Franklin Jr. at darkreading.com
Cybersecurity tends to focus on dangers that appear on networks or in messages. The attackers may be half a world away, so the threat itself is all that seems to matter. But what happens when the threat actor is walking through the front door or sitting next to you at an airport coffee shop? Firewall rules and DNSSEC have minimal impact on the thief sliding a company-owned laptop into his backpack and walking out the door.

“If we all took our computers, encased them in concrete, and dropped them into the middle of the Atlantic Ocean, nobody would ever steal our data, but it wouldn’t matter because our data would be on the bottom of the Atlantic Ocean,” says Tim Callan, senior fellow at Sectigo. The challenge, he says, is reconciling physical security with the fact that people need to use their computers and mobile devices for legitimate work.

In 2016, Bitglass reported that one in four breaches in the financial services sector were due to lost or stolen devices, while one in five were the result of hacking. Physical security might not have the glamour of fighting malware writers, but there’s no question it’s a serious component of any effective data protection program.

So what are the physical dangers to enterprise data? Several, but they tend to echo the dangers to any physical assets an organization owns. As a result, some IT security groups leave physical security to the physical-plant security force, but there are both strategic and technical reasons to involve IT security in protecting both the data on systems and the hardware that surrounds those precious bytes.

After talking with security professionals, querying the security community via Twitter, and looking at major security incidents from the recent past, we’ve put together a list of seven threats that definitely deserve attention. Protecting systems from these threats takes a combination of user education, behavior modification, and technology, but remedying the problems themselves can make a huge difference in an organization’s risk profile.

Etiquette

We’ve all seen the case of the accidental doorman: One person opens a door, holds it for the next person – and then the next dozen or so who follow. What we rarely see is that human doorstop asking each person walking through for a badge to verify access privileges.

It takes very little for a threat actor to observe entry patterns around meals, shift changes, and breaks, and to join a large group of people as they habitually walk through a door without individually triggering the lock mechanism. There are technology fixes to the issue, but restricting flow through exterior doors carries its own safety issues, so behavioral and procedural remediation may be best.

A procedural fix is straightforward: Require each employee and guest to badge in and out so that every in and out can be tracked (and the two activities can be balanced for each person). The behavioral component may be a greater challenge, but employees can be educated to know that every person walking through a door must use a badge. And if they see someone trying to enter without properly doing so, then saying something is a must.

Forgetful Users

Every year, smartphones, tablets, and laptop computers are left in coffee shops, airplanes, taxis, and restrooms. It’s not because users are trying to get rid of their equipment, of course; it’s because they are easily distracted, seriously rushed, tired, or just plain forgetful. Any security plan that doesn’t account for these conditions is going to have difficulty from the very start.

Procedural/behavioral tricks, in some cases, can be effective at minimizing equipment loss: For example, teach patterns to search before leaving a location or create “rituals” around packing up and leaving. These will help remind people to look around them before leaving.

This is also a problem where a technology fix can help minimize damage. Use mobile device management (MDM) to enforce full-disk encryption on mobile devices and laptops, require log-in authentication to begin a session or turn on the device, and use that same MDM system to force a remote system wipe if the device turns up missing. Doing this, Sectigo’s Callan says, limits an organization’s risk to the cost of the hardware — rather than the remediation cost for losing sensitive customers’ personal information.

Thieves

“Laptops get stolen,” Callan says. “Sometimes laptops just get stolen by people who want to sell them on Craigslist, but sometimes laptops get stolen by people who are trying to get data.” Those data-hungry thieves are often found in the parking lots and coffee shops frequented by high-value targets. So what’s an IT security group supposed to do about it?

The to-do list can begin with training and providing employees with locks, lockable bags, and other tools to help keep devices secure. “People are always the vulnerability, but companies can make smart decisions that make it easier for employees to protect the company,” Callan says.

Those decisions should include full encryption of devices and laptops for a simple reason. As with lost devices, computers and phones that turn up missing (or stolen) can’t be totally prevented, but the damage can be limited. When the disk is encrypted, Callan says, “they order a new machine, they’re out $2,000, and they get on with their lives.” He contrasts that to the unencrypted situation, in which “I didn’t lose a $2,000 machine – I lost every employee’s W-2. That’s a radical difference in terms of how much damage was done.”

USB Trojans

Certain birds — magpies and bowerbirds, among them — famously love bright, shiny things. Computer-using employees may be part bird, then, since bright, shiny USB thumb drives seem to have an almost irresistible appeal for many. The question is how to limit the damage without totally clipping their productivity wings.

Once again, changing user behavior is the first line of defense, though it remains tricky. “Training only gets you so far because no matter how many times I train my employees, someone’s going to miss the memo,” Callan says. “Someone’s going to be a new employee. Someone’s going to not think, and they’re going to do something in the moment just because they’re not considering the potential consequences.”

In order to defend against USB Trojans, security groups should do two key things. First, make sure that antimalware systems are aggressive, operational, and up-to-date. Next, make it easy for employees to do the right thing: Have a system set up so that magically appearing USB drives can be brought to the IT security group, scanned, sanitized (in every sense of the word), and returned to the finder (or rightful owner) in safe, working condition.

Walk-away Data

The USB thumb drive giveth (malware), and the USB thumb drive taketh away (data). With thumb drives the size of fingernails commonly available, there’s no more convenient way for a thief to walk off with a database than to transfer it to a USB device and head out the door.

Some organizations use the “nuclear option” and seal USB ports with epoxy, but that approach has consequences because it limits peripheral choices and legitimate USB use by IT staff needing to run diagnostics or system updates. There are better ways to control USB use, and security should explore these possibilities.

First, USB drives can be disabled by policy. Depending precisely on which mechanism is used, this could mean changes to the machine’s BIOS or modifications to higher-level software (or firmware) that prevent the USB port’s operation. If maintenance requiring the USB port is required, the policy can be changed for the duration, then reinstated.

Next, USB drive activity should be closely monitored and logged, with alerts for unusual activity. While this might or might not prevent an initial data theft, it would alert the security team to the activity and allow for quick damage mitigation — something lacking in far too many incidents.
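One way to turn that monitoring advice into an alert, as an added example that is not part of the original article: correlate Linux kernel USB enumeration lines with the `usb-storage` attach line for the same port, then flag mass-storage attaches that are either not on an approved-device allowlist or outside business hours. The log lines, host name, approved vendor:product IDs and business-hours window are all constructed assumptions.

```python
import re
from datetime import datetime

# Constructed syslog excerpt (not from a real host): an approved drive at 08:02,
# a wireless-mouse receiver at 09:15, and an unknown drive at 22:47.
SAMPLE_LOG = """\
Mar 14 08:02:11 ws-finance-07 kernel: usb 1-2: new high-speed USB device number 5 using xhci_hcd
Mar 14 08:02:11 ws-finance-07 kernel: usb 1-2: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.00
Mar 14 08:02:11 ws-finance-07 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Mar 14 08:02:12 ws-finance-07 kernel: sd 4:0:0:0: [sdb] Attached SCSI removable disk
Mar 14 09:15:40 ws-finance-07 kernel: usb 1-3: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.01
Mar 14 09:15:40 ws-finance-07 kernel: input: Wireless Receiver as /devices/pci0000:00/input5
Mar 14 22:47:03 ws-finance-07 kernel: usb 1-4: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
Mar 14 22:47:03 ws-finance-07 kernel: usb-storage 1-4:1.0: USB Mass Storage device detected
"""

APPROVED_DRIVES = {"0951:1666"}   # constructed allowlist of corporate-issued drives
BUSINESS_HOURS = range(7, 19)     # 07:00-18:59 local time counts as normal

TS = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
NEW_DEVICE = re.compile(TS + r"usb (?P<port>[\d.-]+): New USB device found, "
                        r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
MASS_STORAGE = re.compile(TS + r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: "
                          r"USB Mass Storage device detected")

def usb_storage_alerts(log_text, year=2024):
    """Return one alert per mass-storage attach that is unapproved or after hours."""
    seen = {}      # (host, port) -> "vid:pid" from the most recent enumeration
    alerts = []
    for line in log_text.splitlines():
        m = NEW_DEVICE.match(line)
        if m:
            seen[(m["host"], m["port"])] = f"{m['vid']}:{m['pid']}"
            continue
        m = MASS_STORAGE.match(line)
        if not m:
            continue                      # keyboards, mice etc. never reach here
        device = seen.get((m["host"], m["port"]), "unknown")
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        reasons = []
        if device not in APPROVED_DRIVES:
            reasons.append("unapproved device")
        if when.hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if reasons:
            alerts.append({"host": m["host"], "port": m["port"], "device": device,
                           "time": when.isoformat(), "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in usb_storage_alerts(SAMPLE_LOG):
        print(alert)
```

On the sample above only the 22:47 attach is reported, with both reasons; the approved drive and the non-storage receiver stay quiet.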

Tailgating

Tailgating is one of the classic physical security vulnerabilities, and it differs from the “etiquette” vulnerability discussed earlier because the employee properly entering the premises often has no idea that a violation has occurred. The tailgater simply takes advantage of physics to walk through a door that’s slow to close after a proper entry, and suddenly a potential threat is in the building.

Once again, employee training and behavior is key in most instances in which a permanent security guard at the door isn’t feasible. In addition, IT security groups have to be aware of a second type of tailgating: the “log-on tailgating” that can lead to unauthorized access to systems.

“The employees have to cooperate because, if I leave my laptop unlocked where any stranger can go use it despite the fact I’ve been told not to, it’s kind of hard for the company to do anything about that,” Callan says. Teaching employees to log out or lock the system, even if they’ll only be away for a few minutes, can be a solution, as are systems that use proximity badging as a second factor for logging in and out of sensitive systems.

One More Muffin

Employees walk away from their computers. Whether the system is sitting on a desk in an office or on a table at Starbucks, it’s rare that its owner never leaves the keyboard. The key is making sure employees understand that the threat level of a muffin run at that coffee shop is different than the threat level in the office.

“I might decide to let my computer sit on a desktop while I run over to the other side of the office to do something,” says Callan, who admits to leaving his computer visible on a table while getting a second cup of coffee. “[But] if I was in a coffee shop, I wouldn’t leave it running. I would lock it.” Those small behavioral changes can make a huge difference in security outcomes for organizations.

All security, physical or cyber, is a balancing act between safety and productivity because, ultimately, people have to be able to do their jobs. “There’s always this vulnerability that we’re never going to get around, which is the big, giant mass of cells that’s sitting in front of the computer,” Callan says. “If you can fool that person, you can get into anything because, at the end of the day, we have to give people access.” The critical point is understanding that cybersecurity involves hardware and humans as much as it does malware and networks.
