Are You Letting the Bad Guys In?
Security specialist Neil Gibb explains why you need to pay as much attention to your physical defences as you do to your cyber controls.
So, you’ve had your annual network security assessment, analysed the report and followed the remediation advice to the letter. Every system is up-to-date and – like 300 Spartans – your firewall stands fiercely between your network and the dangers of the outside world.
Now you can kick back and relax; you’re secure from the bad guys, right? Unfortunately, no, you're not. You haven’t done anything wrong; protecting your infrastructure from external threats is crucial, but it’s only part of your armoury. What if an attacker gets inside your premises? How hard or easy would that be? And have you tested your assumptions?
In these days of ever-advancing technological security, one immutable fact remains: employees are your organisation’s greatest vulnerability. Criminals know this and are ready and willing to exploit any opportunity to access your assets via your users.
Physical intruders manipulate employees through:
- our natural human tendency to trust, e.g. your workers will assume a stranger in the office has a right to be there. They’ll allow someone to follow closely behind (tailgate) and might even hold the security door open for them.
- our fear of being rude. This makes people reticent about questioning or challenging unusual activity.
- our complacency or busyness – employees can’t be bothered or are distracted with 101 other things. Someone else knows about that stranger in the server room – right?
Attackers also deploy advanced techniques, e.g. cloning access cards and impersonation. For example, they may bring down your wireless network and appear a short time later posing as an engineer who was alerted to fix the problem. They may also attempt to identify and groom disgruntled employees and turn them against your organisation to provide insider assistance.
Many threat actors are scrupulous about getting to know the target organisation and will accumulate a substantial amount of information without detection. This technique is known as OSINT, or open-source intelligence. When the attack launches, the criminal often knows more about your business than your average employee does.
What Can Be Done to Lessen the Threat of an Inside Attack?
There are a few things you can do to mitigate the risks of a successful physical intrusion. Train your staff and encourage them to ask questions. Foster a culture where it’s okay to challenge. Make security awareness training part of staff inductions. Keep things fresh with follow-on workshops or other mediums, such as videos, posters and news bulletins.
You can also put your security to the test. Experienced physical social engineering experts replicate attacks and report their findings. The covert insights you gain will give you a clear picture of your risks and the knowledge to remedy them.
In his blog “A Day in the Life of a Physical Security Specialist”, our man undercover tells how he cracked the physical defences of a major UK financial institution. A policy to harden vulnerable areas of your organisation and robust staff training could be all that’s needed to stop a real attack - and all its painful consequences.
*Neil Gibb was employed by the IT Lab group at the time of writing.