
Physical Security - The overlooked element of Cyber Security

  • Writer: KZ
  • Jul 18
  • 6 min read

Companies are working to secure themselves from digital threats. The Cyber Security buzzwords are flying around, and the resulting checklist often looks similar to:

  • Anti-Virus

  • Patching of OS' and Third-Party Apps

  • Cyber Security Awareness Training

  • Network Monitoring

  • Zero Trust


Many more exist, but one that frequently gets overlooked is the physical security aspect.


What considerations are there?


Asset protection is a key part of Cyber Security: you need to protect your devices from physical threats as well as digital ones.

Just imagine the harm that could be wrought if someone got hold of one of the following:


  • Key laptop/desktop

    • IT Engineer laptop with passwords saved?

    • CFO laptop with sensitive financial information?

    • HR laptop with employee's PII?

  • USB Drive with a backup of key information?

    • Passwords/Keys

    • BCP Plans

    • Intellectual property

  • Server hard drives

    • Backup drives

    • Primary drives

    • Old drives with passwords that are still in use

  • Printouts/Hard copies

    • Printed out configuration files that may contain all information required for an attacker

    • Documents which describe all your internal workings

  • Other devices/data

    • Photographs of whiteboards

    • Smart boards

    • Tablets

When you start looking at your assets you will likely come up with a list of things that may cause the company some damage if someone stole them or even had access to them.


So what can be done to manage the risk?


Access Control and logging:


A lot of small/medium companies have one alarm code, with keys and the code given to all staff, meaning there is no way to be sure who has been in. Has the key been copied? Has the code been leaked? Do you have malicious staff?


The way to resolve this is to implement access control with a sufficient level of logging, so that you can always follow up should something go wrong. This will also help provide evidence should the matter be taken to lawyers or a criminal court.


Implement Policies:


Some staff will try to use the lack of policies and rules to get around security, so you will want to make sure policies are implemented and signed agreements are obtained from all staff. These should include (to name a few):

  • Clear desk policy

  • Clear whiteboard policy

  • Server room access policy

  • Site security policy


These are only a few. They should be tailored to your company and its need to maintain operational capability, but remain robust enough to pursue charges should the event be serious enough.


Security Cameras


There are many security cameras out there. We won't go into the basics around cameras, as those should be obvious to all who are reading this, but we will mention which camera functions you may want to look into.


  • Robust logs that can be exported

    • These should show time and date stamps, with clear images that can be effectively used.

  • Searchable footage

    • Being able to search footage for relevant time and dates without having to 'scrub' through the footage

    • Ability to search on characteristics of a car or person

    • Ability to track a Person or Vehicle of interest

  • Alerting capability

    • Be alerted if someone accesses a site out of hours

    • Be alerted if someone who has been trespassed is seen

    • Receive an alert for a registration plate that is recognised

  • Integration capability with existing cameras

    • We know that replacing a whole security camera system is costly, so choose a solution that lets you improve key areas first and upgrade the rest later without losing a beat.

  • Other interesting considerations

    • Crowd detection - be advised when crowds form which can help you be ahead of any problems

    • Traffic detection - as per the crowd detection, but for vehicles so you know of any issues

    • Live sharing - send a link to Police/Security immediately so they can see what is happening live; this really helps in the apprehension of suspects.

    • Integration with other elements of your security system - you can then use one logging tool to see all the relevant activity.


Password Management


If a digital asset is compromised you will want to change key passwords or secrets. With the right tool these can be managed immediately and remotely to secure your systems before they get compromised. This will obviously require some work with your IT team to ensure the capability is in place and tested, but once it is you will find you are very comfortable when things go wrong, as you can manage the risk with immediate effect.


Visitor logging


Visitors can be a bit of a headache to manage, but with the right system in place you can ensure they are logged in and out, with options to ensure they accept your policies while they are on site.

This will ensure they accept that they are being monitored by cameras, that they are not allowed to access restricted areas or information, and that they are not to take anything from the company without express permission.

This also helps with evacuation requirements during fire alarms: your fire marshal will be able to see exactly who is still in the building.


Security Assessment


Companies should get an outside agency to check their security. Internal teams are usually very busy, so they can sometimes adopt a 'That'll do' approach, which can be leveraged by a malicious actor. An outside company will look for these gaps and produce a report highlighting critical items to fix, potentially with recommendations on how to fix them.

This will cover items such as weak structural points, blind spots in camera coverage, weak access control, untidy desks and work areas, lack of protocols/procedures, whether their actions through the building can be traced and exported in a suitable manner (and how much time this takes) and much, much more.


Scenario:


So now that we have gone through the considerations, how does this actually benefit you in the real world? There are many real scenarios to choose from, so we will pick an old-fashioned breach that has recently seen increased use as an attack vector.


USB sticks! The old days of hacking had malicious floppies, CDs, DVDs, USB drives and other peripherals with malicious code hidden in some imaginative way. These were used to great effect to put back doors into systems, or to drop simple viruses, keyloggers, etc. onto systems.


This is an old method, but USB drops still occur today around the world! Trying to take advantage of a curious employee, or a helpful employee, attackers drop a malicious USB drive around the building they want to target and wait for an employee to plug it into a computer. If you are lucky, the firewall you have installed will block any traffic, your anti-virus will find the malicious code and block/remove it, your IT team has disabled USB ports (or restricted them to just authorised devices) and this is not an issue.


If you do not have those things in place, your employee has allowed the hacker to bypass all your security considerations. It should also be noted that hackers come up with creative ways to bypass all the good security too! So this method can prove to be an ongoing issue, allowing remote access, ransomware, destruction of data, spyware and more to end up on your system.


Even if you have a system completely off the network (air gapped) to avoid the threats from the internet, if someone plugs this USB into the computer you can find files being deleted or encrypted, and a lovely ransom demand pops up.


So this is one simple thing that can be handled by policies and restricted access to sensitive systems.
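Restricting USB ports to "just authorised devices", as mentioned in the scenario, is a control you can audit from host logs. The following is an added example, not part of the original post: it parses Linux kernel USB attach messages and flags any device whose vendor ID, product ID and serial number are not on an allowlist. The allowlist entry and the log lines are constructed sample data.

```python
import re

# Constructed allowlist of approved devices: (vendor_id, product_id, serial).
ALLOWLIST = {("0781", "5567", "4C530001234567890123")}

# Constructed sample in the format the Linux kernel logs when a USB device attaches.
SAMPLE_LOG = """\
[  101.100000] usb 1-2: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
[  101.100010] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  101.100020] usb 1-2: SerialNumber: 4C530001234567890123
[  950.200000] usb 1-3: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 2.00
[  950.200010] usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  950.200020] usb 1-3: SerialNumber: CONSTRUCTED0001
[  990.300000] usb 1-4: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
[  990.300010] usb 1-4: New USB device strings: Mfr=1, Product=2, SerialNumber=0
"""

FOUND = re.compile(
    r"usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})"
)
# The colon after "SerialNumber" separates the real serial from the
# "SerialNumber=3" string-descriptor index on the preceding line.
SERIAL = re.compile(r"usb (\S+): SerialNumber: (\S+)")

def parse_attachments(log_text):
    """Return one dict per attached device, in log order."""
    devices = []
    latest = {}  # most recent attachment seen on each port
    for line in log_text.splitlines():
        m = FOUND.search(line)
        if m:
            port, vid, pid = m.groups()
            dev = {"port": port, "vid": vid, "pid": pid, "serial": None}
            latest[port] = dev
            devices.append(dev)
            continue
        m = SERIAL.search(line)
        if m and m.group(1) in latest:
            latest[m.group(1)]["serial"] = m.group(2)
    return devices

def unauthorised(devices, allowlist=ALLOWLIST):
    """Devices with no exact allowlist match; a missing serial never matches."""
    return [d for d in devices if (d["vid"], d["pid"], d["serial"]) not in allowlist]

if __name__ == "__main__":
    for d in unauthorised(parse_attachments(SAMPLE_LOG)):
        print(f"ALERT port={d['port']} id={d['vid']}:{d['pid']} serial={d['serial']}")
```

The third device shares its vendor and product ID with the approved drive but reports no serial number, so it is flagged: matching on model alone would let any drive of the same model through.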


So who can help?


Well not to toot our own horn, but at SecuriKiwi we have some great partners and great discounts on the tools! We can help design something that fits your budget and needs - as well as provide advice and guidance with ongoing support.

We can also assess your company both digitally and physically - just discuss your needs with us and we can offer a no obligation quote.


Summary:

So in summary, Physical security is a very large part of Cyber Security and covers threats from the mundane to the criminal level.

It should cover external and internal threats, both intentional and accidental.

You should ensure you have the tools you need to take things further if required (we all hope this never happens but this is why we have insurance for cars and homes!).


Get in touch if you would like to discuss this further! We are always happy to help out with securing your business!
