I read a Wall Street Journal article last week about ways companies test their employees’ awareness of cyber security. The article mentions what they call “ethical hacking” techniques, like sending employees an email that persuades them to click on a link to a malicious website or to open an attachment that contains a virus. What the article really discusses are methods of good ol’ social engineering, only using email as a communication platform. It’s a timely issue, and an important aspect of information security to keep in mind.
In the scenarios described, outsiders attempt to exploit the ignorance or negligence of insiders to achieve access to a company’s network or facility. In the security business, we call this penetration testing. When done correctly, it is used to diagnose gaps in a physical or network security system.
I believe there is an underlying theme that the article does not mention outright that warrants some extra attention. The scenarios discussed in the article describe penetration testing that exploits gaps in cyber AND physical security. The important thing to remember here is that the bad guys who are trying to get into your building or your network don’t care whether you classify a protection measure as physical security or network security. They are looking for gaps, plain and simple.
Technology and automation are increasingly blending into physical security, which means that gaps in a network are more frequently creating ways to physically get into a facility and vice versa. For example, CCTV can be outfitted with video analytics software that recognizes a suspicious activity and triggers an alarm. If someone can hack into the network and disable the video analytics, the alarm is disabled as well.
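The failure mode described above (disable the analytics and the alarm it feeds goes quiet with it) has a simple defender-side counterpart: treat silence from the analytics channel as an alarm in its own right. The following is an added example, not code from the original post or from any CCTV, analytics or PSIM product; the event format, channel names and 30-second heartbeat interval are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical event format for an analytics-to-console feed
# (an assumption for this example, not a real product API).
@dataclass(frozen=True)
class Event:
    ts: float     # seconds since the monitor started
    camera: str   # camera / analytics channel name
    kind: str     # "heartbeat" (analytics alive) or "alert" (suspicious activity)

HEARTBEAT_TIMEOUT = 30.0  # assumption: each analytics channel reports at least every 30 s

CAMERAS = ["lobby", "loading-dock", "server-room"]

# Constructed sample feed. The loading-dock analytics goes quiet after t=20,
# which is exactly what a disabled analytics process looks like from the console side.
SAMPLE_EVENTS = (
    [Event(t, "lobby", "heartbeat") for t in (0, 10, 20, 30, 40, 50)]
    + [Event(t, "loading-dock", "heartbeat") for t in (0, 10, 20)]
    + [Event(t, "server-room", "heartbeat") for t in (0, 10, 20, 30, 40, 50)]
    + [Event(33, "server-room", "alert")]
)

Alarm = Tuple[str, str]


def naive_alarms(events: List[Event]) -> List[Alarm]:
    """Console logic that only forwards explicit alerts.

    If the analytics that generates the alerts is disabled, this function
    sees nothing at all: the attack and the outage look identical (silence).
    """
    return sorted((e.camera, "SUSPICIOUS_ACTIVITY") for e in events if e.kind == "alert")


def watchdog_alarms(events: List[Event], cameras: List[str], now: float,
                    timeout: float = HEARTBEAT_TIMEOUT) -> List[Alarm]:
    """Fail-secure variant: explicit alerts pass through, and any expected
    channel that has not sent a heartbeat within `timeout` seconds of `now`
    raises ANALYTICS_SILENT so a human goes to look at the camera feed.
    A channel that never reported at all is also treated as silent.
    """
    alarms = naive_alarms(events)
    last_seen: Dict[str, float] = {}
    for e in events:
        if e.kind == "heartbeat":
            last_seen[e.camera] = max(last_seen.get(e.camera, float("-inf")), e.ts)
    for cam in cameras:
        if now - last_seen.get(cam, float("-inf")) > timeout:
            alarms.append((cam, "ANALYTICS_SILENT"))
    return sorted(alarms)


if __name__ == "__main__":
    print("naive   :", naive_alarms(SAMPLE_EVENTS))
    print("watchdog:", watchdog_alarms(SAMPLE_EVENTS, CAMERAS, now=60.0))
```

Run against the constructed feed, the naive console reports only the server-room alert, while the watchdog additionally flags the loading dock whose analytics stopped reporting; that second alarm is the one that catches someone disabling the software rather than tripping it. The design choice worth noting is that the list of expected channels is configured, not learned from the feed, so a channel that is removed before it ever reports still shows up as missing.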
As software applications improve, many companies are moving toward Physical Security Information Management (PSIM), which makes the various applications that handle their physical security (e.g. CCTV, access control, locks and alarms) even more integrated and therefore more prone to exploitation.
There are two big reasons why this convergence of physical and cyber security should matter to a business.
First, at many large corporations, the group responsible for physical security and the group responsible for network security are separated. When I say separated, I mean separated in the company organization chart, reporting chain, philosophy and focus. And they shouldn’t be. I have even seen real world examples of these two groups within the same company subverting each other or actively avoiding cooperation with one another. I have many theories on why this occurs so frequently, but that is a whole other blog post.
My point here is that these groups need to work together in order to address the modern threats that seek to exploit both physical and network gaps. And by working together, I do not mean hosting a lunch get-together once a quarter. Physical and network security should all report to the same person up at the C-Level. When a company achieves this, it is much more prepared to address the way in which adversaries target its weaknesses. Those companies are more prepared because they have a more comprehensive understanding of relevant threats and have proactively established communication procedures for crisis management.
Second, many companies that I have worked with are concerned with either physical OR network security. They should be concerned about both.
I disagree with the gentleman quoted in the WSJ article as saying that security awareness is a waste of time if you design better networks. A highly secured network won’t stop an employee from letting someone tailgate through the door (unless a company can afford high-security revolving doors). There is no network security tool that can protect against an employee wandering away from their desk and leaving their computer logged into the network.
I have seen backup servers sitting in unsecured rooms, where any person in the building could walk in and insert a flash drive to either steal information or introduce a virus into the network. You can have the best and most adept network security available, and it will not prevent someone from taking advantage of gaps in physical security.
Cyber security is currently getting the top headlines, and it is good that people are concerned about it. They should be. My point is that the only truly effective approach is one that considers all possible gaps, both physical and cyber. If you spend all of your time and money only worrying about the “cyber” part of your company’s security instead of focusing your security resources on closing all of your security gaps, you are leaving a door wide open somewhere. And the bad guys really are not concerned with which department is assigned to keep them out.