“Physical Security in A Cyber World” proved to be one of the most interesting panel discussions during last month’s ASIS International Annual Seminar & Exhibits in Anaheim, California. It featured a mixture of end user, manufacturer, cyber security consultant, and physical security consultant insights that together provided a multifaceted view into the complex security issues involving cyber and physical overlap. Hosted by Convergint Technologies, the panelists were Mike Taylor(Executive Director of Global Security at Sony Pictures), Josh Mayne (CEO of Obis Operations),Steve Wagner (President of Mercury Security), and me.
The key to success in cyber security is people. While much is commonly proposed and debated regarding technical protections and vulnerabilities, people remain a common element in the majority of system compromises. This point became elemental and really driven home as a common and overarching theme within the group’s discussions. To develop successful performance, organizations must keep the “human factor” in mind when designing Physical and Cyber security systems. The adversarial tactic known as “Social Engineering” remains a very effective means with which to initiate cyber attacks. Either a “trusted” insider who may be disgruntled and is fully witting of his/her actions, or an unwitting insider vulnerable to manipulation by an adversary can do devastating harm to networked systems.
Cyber protection measures can incorporate technical Cyber and Physical Security features, however consistent application of protection measures is often lacking. Even when applied, these measures do not guarantee success but there are some common practices that can be employed to improve the odds:
- Validate and regularly update the security integrity of your workforce. This is a sensitive issue within commercial corporate culture. However, having a formal vetting and background security update procedure in place works. Case in point: the U.S. government has a long record of regularly updating workforce security integrity, and has a record of positive results particularly in high-security arenas. The personal and professional pressures faced by employees in critical areas change over time. Like it or not, these changes impact risk of security system compromise.
- Perform regular detailed risk assessments. These assessments should include both physical and cyber experts in the process. Cyber and Physical assessments are all too often performed separately, leaving potentially dangerous gaps in the assessed situation and protection solutions.
- Actively manage and update network, database, and system user permissions. Terminated or deceased employees should never be found in active permission listings. Unfortunately, this (bad) example happens all too often.
- Audit access activities, flag usage anomalies, and promptly forward events to people within the organization who are charged with investigation and response. Be proactive in identifying high-risk behaviors, instead of waiting until the breach occurs and the damage has been done.
- Treat physical security systems as integrated solutions involving people, process, and technology. All three elements require design, application, training, and ongoing maintenance.
- Learn from the past. A classic example of a successful attack that bypassed physical security systems to gain significant cyber benefits involved simple brute force. A group of thieves drove a heavy vehicle through the wall of a company’s unattended, on-site data center, removed several racks of servers from inside, and drove off in another vehicle. Since they avoided all the doors and common entry paths, the access control and alarm systems didn’t detect anything. Instead, it was the Heating, Ventilation and Air Conditioning (HVAC) system that detected an anomaly and triggered the alert.
- Face reality. Security is rarely the Number One priority for a company. As a security leader, investigate the “currency” of highest importance within your company and see how it relates to cyber and physical protection. These “currency” trends can vary from emphasis on operational efficiency or cost reduction, openness of culture to stimulate technical innovation or worker congeniality, minimizing of inconvenience, increasing network uptime, limiting of legal liability, or even actual security (executives are increasingly emphasizing the need for better cyber security). Security leaders who understand the corporate “currency” are best positioned to posture security measures in ways that will gain the attention of the organization and improve the overall level of protection.
The “Bad Guys” are always getting smarter and more sophisticated at exploiting weaknesses in information systems. Hardly a week goes by, that we do not hear of another serious cyber breach. No matter how technically secure you might think your security systems are, the “human factor” remains the strongest threat and the weakest link. Ensuring that the soft procedural elements of a security program are understood and addressed will significantly improve the effectiveness and efficiency of your technical security systems.