February 21, 2020
As physical security systems increasingly merge with cyber, they are becoming more vulnerable to attacks. In many ways, physical security systems have become cybersecurity systems due to their interconnectedness and reliance on IoT architecture.
In an upcoming session at ISC West, presenters Terry Gold and Valerie Thomas will walk the audience through a hacker’s playbook from the inception of scoping the physical environment to assessing where and what to attack.
In a preview of the session, titled Protecting Physical Security Systems from Cyber and Human Threats, ISC News caught up with Gold for some details on how physical systems have become more sophisticated and what that means for their protection today.
You’ve said that hackers don’t go in cold to targets. They use OSINT (Open Source Intelligence). Can you explain what that is?
Well, some clarification. If it’s a targeted attack, then generally the more targeted, the less likely they are going into it cold. There are situations where attackers are looking for the low-hanging fruit, and just hoping for the least level of effort and reward. However, the more specific the target and result, the more planning is likely to occur.
OSINT would be the first step. The easiest way to think about this is any information that can be obtained about the target outside the corporate firewall or authorized possession. This can be from social media, open web, deep web, or even the target’s own website. It can be ANY type of information they can leverage to better understand their attack surface (layout, people, events, methods, etc.). Many physical security professionals don’t think they have OSINT out there, but everyone does, to some extent. Corporate locations, addresses, their function, even things that have a purpose to be public can be used as intelligence.
This session will go through the types of OSINT, how and where it can be used, tools used for discovery, and examples of how they can be used in conjunction with other methods to do things that professionals never even think of. This is largely a session that takes the audience through the real-world application for end users, not talking heads going through bullets and theory. My co-presenter, Val, literally wrote a book about this stuff and gets hired to do this every day as part of her red team engagements.
When people think of “hackers” they often think of people that exploit computer systems. But this session is about physical targets. What kind of physical targets do hackers go after?
Well, remember, physical targets are now monitored and controlled by electronic systems, and they are pretty much computer systems, not too different from those in IT. They have networks, operating systems, web servers, APIs–aside from the specific application layer logic, tell me what’s different? Therefore, hackers can use existing skills to exploit physical assets/locations through the systems end users rely upon as controls. Same deal as what they do to access digital information. And remember, I may be after digital information in the physical systems, not necessarily to defeat a physical control and enter into a location.
Alternatively, if we are dealing with mechanical apparatus–mechanical locks, key management boxes, etc.–then they may be targeted to exploit digital IP that resides in an IT system. Hence, anyone thinking about the physical space being so different from IT that it’s harder or less desirable to exploit is operating under a mindset that will leave them quite vulnerable.
Do businesses consider physical security enough as part of their data protection strategy? Should they?
Should they, yes. Do they, sometimes. Beyond this, when they do, too often it’s done poorly because they fail to properly define the attack surface. I find this is mainly due to the fact that InfoSec generally doesn’t understand how physical systems work. So how they can be exploited is overlooked. I’ll give you a couple of examples:
- A Fortune 500 company pays a red team to exploit physical security. They find a couple of issues, and are able to steal millions of dollars electronically, which was the goal. However, I’ll get a briefing and quickly realize that they missed a few critical things that could have given them greater access, quicker, or just made it easier. They didn’t know certain things about physical systems, so they wouldn’t have thought about a couple of other attacks.
- PCI Level 1 generally governs high security objectives that are audited by QSAs. An item in PCI called for “card key access” to data center ingress points. QSAs generally mark this as “pass” when auditing when they see a door reader. However, PCI doesn’t define a minimum-technology criteria–this could be mag, 125 kHz, or a compromised high-frequency card. IT never gives it a thought, and physical generally doesn’t review the QSA report, nor are they consulted.
IT and InfoSec need to work together, but if they don’t understand the targets and how they can be exploited, it’s just an exercise that probably won’t have results unless the only expectation is to fare better against low-hanging-fruit actors/methods.
The first part of this two-part session will take place March 18, 2020, 2:15 PM – 3:15 PM in Sands 304 at ISC West, March 17-20 at the Sands Expo Center in Las Vegas.