Information security – let’s get physical

In the past few months, I have visited a variety of medical facilities, some as a risk management professional, and others as a patient. While I am confident that these practices had implemented a variety of data security measures, in almost all cases, their physical security suffered from obvious challenges, even based on casual observation. Examples of issues included lack or surveillance cameras, unprotected medical records, and unlocked doors controlling sensitive areas.

I suppose in once sense this is not surprising. With major incidents involving malware, ransomware, and network intrusions making the national news weekly, organizations are understandably focused on data security. Unfortunately, some of these same organizations have not kept up with advances in physical security and in some cases I suspect they have regressed.

The consequences of a breach in physical security can be at least as devastating as a data security lapse, and in some cases, far worse. One recent example, the theft of critical information from the National Security Agency (NSA), has had far-reaching consequences. While details of this incident are still sketchy, sources at the NSA have said that the theft resulted from an insider with sensitive access simply walking out with a USB drive loaded with data. The exploits stolen have been involved in many well-known network security incidents, including WannaCry, NetPetya, and most recently, Bad Rabbit.

Despite the tendency to consider physical and logical security to be different disciplines, it is increasingly clear that integrating the two can be very advantageous. In her article for CIO, How Integrating Physical and Information Security Mitigates Risks, Kim Nash states the case for integration quite well: “At many organizations, physical and information security remain separate entities by happenstance and by history. By integrating the two, however, companies can better protect the assets, employees and valuable data that keep the business going.”

Consider some examples of how physical and logical security incidents can be closely related:

• While many aspects of an organization’s network are contained within their physical walls, the signal for the wireless network used by virtually every company today go well beyond those walls. A bad actor, sitting in a car in the company’s parking lot, can use various vulnerabilities to penetrate the network. With the recent discovery of Krack WPA2 vulnerability, this is even more troubling. Even more fundamentally, someone, such as a contractor, repair technician, or authorized visitor, can simply plug a laptop into a physical network port, many of which are active even when note used, and have full network access.
• A bad actor can often obtain a password, just by calling a company’s help desk, and pretending to be a valid user.
• Access can be obtained to a facility controlled by a badge access system by using easily obtained hardware components costing $10, as demonstrated at Black Hat in 2015.
• Many data theft incidents happen each year because of lost or stolen devices. A software company I worked with a few years ago had a significant loss of customer information, because three employees, visiting a customer site together, ate together at a restaurant, with their laptops in the trunk of a rental car. Based on video recordings, a thief, who apparently realized that the car was a rental, took the three laptops out of the trunk unseen, in less than a minute.

If we are to have a chance of securing an organization, we must think holistically about security. This involves integrating the physical and networks security functions of an organization, by having those employees involved in each area working in tandem to address issues. In my experience, achieving this integration is quite difficult in many organizations. The training and experience by the individuals in each discipline are often quite compartmentalized, with an organizational structure that promotes this separation. To succeed, we must begin to break down this compartmentalization. Some suggestions for achieving this include:

Combined management

One option that can be used to ensure that the physical and data sides work together is to put both under a single management structure. The Chief Security Officer (CSO) can be a practical role under which to combine these.

Joint assessments

When assessing a facility for security concerns, include both physical and network security personnel. They will each spot issues within their own disciplines, and in the process, help to educate those in the other discipline.

Cross-functional internships

One approach that can be helpful is to have a physical security professional spend time with the information security team, and vice versa. This not only helps to educate professionals on both sides, it also helps to appreciate the challenges the others face.

Use a performance-based approach for each

In the information security discipline, we are accustomed to capturing and using metrics to identify successes and gaps in the program. The physical discipline is not nearly as likely to take a measured approach. In their publication Physical Security and Why It Is Important ,the SANS Institute sums it up well: “Data can be used to make informed decisions to lower risk in the most cost-effective method. Without these metrics, the security program will not be able to effectively manage security controls.”

Bottom line – securing an organization in today’s environment is extremely difficult as it is. If we fail to leverage the combined power of both logical and physical security, we cannot possibly succeed. If we can successfully break down barriers and combine them, the implications for security improvements are huge.