‘There’s No Such Thing As Cyber, If You Don’t Protect The Physical’

October 27, 2016

The 5 Real World Things You Really Do Have To Keep In Mind To Secure Your Virtual World: Verify Credentials, Have Pinch Point Admission, Validate Vendors, Implement Physical Access Protocols To Devices, and Be Able To Trust Your Staff

In the aftermath of the unprecedented DDoS attacks on DNS provider Dyn, by hackers using an estimated 100,000 infected devices, there’s been a dramatic interest in cyber-physical devices and the vulnerabilities of the almost omnipresent Internet of Things we now inhabit, and in keeping ourselves digitally secure: We change passwords, we have secure networks, and we put double validation processes in place for online access. We also spend a lot of money protecting the copper wire — the fiber-optic wires that come into a building and attach to the network or the Internet.

The problem, according to Biometrica CEO Wyly Wade, is that we don’t spend that same quality time protecting our doors, or actual building infrastructure. And we should. The Biometrica Blog Team (BBT) sat down with him to get an understanding of the 5 basic things you need to do in the physical world, to protect your cyber systems.

BBT: You’re starting with a basic premise, that cybersecurity measures are of little use if someone has physical access to a building.

WW: Yes, once I walk through the front door, and once I have physical access, I could, potentially, pretty much own you. Everybody is very focused on the cyber aspect of things, and typically think of cyber as being something in the cloud, or something that comes across the Internet. For the most, people think of a hacker as someone remote, or, as Mr. Trump put it, someone in Russia, China, or, “some 400lb guy sitting on his bed.” Quite frankly, that’s really not the attack surface. It is very hard to crack cryptography, and despite the attention it gets when it happens, it’s not easy to find all the weird bugs in software.

But people do it.

Yes, of course they do it, but it’s not very easy to do it. Let’s keep aside the foreign-agent-on-a-mission angle for a minute. But aside from that, it’s easier for me, as your local neighborhood hacker, to walk into a building and act like I belong there and never have a credential checked, or steal an insider’s systems access to get entry.

It's easy enough to gain access to a network in an unmanned office. © Pavel Losevsky | Dreamstime.com
It’s easy enough to gain access to a network in an unmanned office. © Pavel Losevsky | Dreamstime.com

What happens once you have physical access to the place?

I watch. People get up and walk away from a terminal for any number of reasons, and when they’re in their offices, or comfort zones, it’s not all that difficult to casually gain access, if you look the part. I can plug into a network port. I can plug a USB key into an unmonitored computer and download something. That’s all it takes. And yes, I can pick up those credentials that give you access to an internal network, and gain access — but it’s gaining physical or other access to credentials of someone with access to a network. It’s the easier route if you’re someone with mischief on your mind or mala fide intent.

That last part, gaining some kind of access to the credentials of someone with network access is what reportedly happened in the Target case. Someone installed malware in their payments system by stealing credentials from an HVAC vendor.

That’s what’s been extensively reported, and it’s what probably happened, according to most reconstructions of the hack.

What about the OPM hack?

Well, the OPM hack was different, and more a case of bad software design. If a system is protecting our national secrets and national security, or the personally identifiable information of our people, as the case might be, it shouldn’t be possible for nation-state actors, some mysterious group somewhere, or any kind of APT (advanced persistent threat) to break in remotely and sit undetected on a system’s network for months on end. And if they get in, they shouldn’t be able to access everything, your system should be able to have workable access controls in place.

So hacking does happen, we know that.

I’m not claiming we don’t have cases when people gain illegal access by making use of vulnerable software or gaining entry through someone on the inside clicking on an email link they shouldn’t have clicked on and letting malware in, and then using that to gain access to someone else, like at Target. Those attacks make the news and they do exist. But we spend lots of money securing that stuff, just look at the number of everyday attacks that are repelled; we don’t spend a lot of money securing the simple things that we can secure. Most companies have a policy in a book someplace that talks about who has the right to be on their premises and who doesn’t. But it’s rarely ever enforced with all seriousness, largely because a cultural change that’s needed to do that enforcing.

Well, you need to have a pass or some kind of clearance to get into most government buildings.

True, for most government buildings, but not most corporate offices. And not all government buildings, especially at the local or state level that expect members of the public to come in, check your credentials as thoroughly as they should be checked, all of the time. There’s a great video on what RedTeam Security, a very interesting group of guys, a group of white hat hackers, did while breaking into a substation to access a power grid, and plugging in a plugbot, a covert device used for physical “pentesting” or penetration testing. That’s a quasi-governmental organization and they made it in.

There should be a way to identify people on a blacklist. © Magotisgod | Dreamstime.com
There should be a way to identify people on a blacklist. © Magotisgod | Dreamstime.com

What could the organization have done?

There is technology that can fix that, including biometrics that can stop, or at least notify you when someone that is on a watchlist or a blacklist, or is unauthorized to have access, is entering the building. We don’t always use the technology available that way or think about it that way, but I think it’s changing. Still, the process should be to credential properly, and verify those credentials with a biometric marker, so that anyone that enters your premises or facility is properly identified.

Just because you have an RFID card, it doesn't mean you're the person authorized to hold that card. © Iwo S | Dreamstime.com
Just because you have an RFID card, it doesn’t mean you’re the person authorized to hold that card. © Iwo S | Dreamstime.com

And you’re saying that’s not the case right now?

Right now, the vast majority of offices here use something called a proximity card, or a proxy card, which has a little RFID chip in it. It’s relatively easy to copy one of those cards. But even if I don’t copy it, if I get hold of it, through someone being careless or anything, I can get through that door. There’s no validation that the person using it is the person authorized to carry it.

That applies to more than your office access, it should apply to hotels and retail stores to. You should know who the potential customer or patron entering your building is.

It’s not very different from the Know Your Customer needed for, say, banks or financial institutions. Historically, financial institutions in this country and elsewhere really resisted asking the “Am I who I say I am?” question. What they would do is try and validate that the social security number you provided is attached to the person that you said you were, and then asked you a standard bunch of questions about things only you would know. But if I, as an intruder, had already stolen your identity, I would already know the answers to those security questions.

But if I knew enough to take your ID, I should have some of those answers.

True, by that point, it’s relatively simple for me to take an educated guess as to what those answers are, without you actually validating you are who you say you are. That was part of the whole impetus of Aadhaar, the biometric identification program implanted by the Indian government, which now has more than a billion people enrolled in the system. It’s also part of what we’re doing in Biometrica, helping our customers, validate you are who you are and that the ID you are presenting is a valid ID.

Let’s move to another question, restricting physical access.

Most facilities should have a single point of registration of entry and exit. This doesn’t mean you don’t have emergency exists, but in the normal course, force everyone to go through pinch points, that way you have everyone walking through a particular area where you can validate their credentials, whether it’s a building, a facility, a floor or anything. You have to be able to link it all back to you are who you say you are. How easy otherwise, would it be for me to register as an HVAC guy or some kind of tech and walk into some building. It’s not hard at all, it’s all about confidence really, at that point.

Don't let vendors past the front desk © Monkey Business Images | Dreamstime.com
Don’t let vendors past the front desk © Monkey Business Images | Dreamstime.com

So then we come to validating the vendors.

It is one of the biggest issues around. If I show up and say I am X, Y, or Z, from ABC HVAC or whatever, people often say, yes, and just let you in, especially if you’re a familiar company to them. It’s not very hard to get an idea of what company services you, if you look around. What your security team or front desk should be doing, is that if someone is not already on a scheduled call to enter the building, in a notification from the building’s maintenance people, call up maintenance, and then call the company — not from a number they give you, but from an independent source, and then validate is that this person is supposed to be here. And with delivery people, from pizzas to couriers, don’t let them past a front desk, someone needs to come out or come down and get the stuff. In a lot of places, especially in the D.C. area, there is a change in the culture, and building access is more restrictive, even in non-governmental offices. But you’d still be shocked at how easy it would be to gain access.

You mentioned confidence. Doesn’t it really come down to preconceived notions, about who people think should be allowed access? Does race or ethnicity play a part?

Well, in the D.C.-Northern Virginia-Maryland area, given the diversity we have, I think it comes down more to whether you look the part. Is it easier for certain people and are there stereotypes about this that make it easier for some? Absolutely, no question, but if you look like a white thug, I guarantee you you’d be stopped.

We keep coming back to that point of physical security though.

Yes, but it’s linking it to a digital asset. There’s no such thing as cyber if you don’t control the physical environment.

What do you mean?

If you don’t control the physical access to the machines, your credentials, your mobile devices, you don’t really control the cyber aspect to that device. It means that if I am able to steal a device on your network, or I’m able to compromise, with physical access, a device that has access to your network, there’s no way for you to tell that I’m not suppose to be using that. There are lots of devices where I can plug a little thing into a wall, and it will sit there and hack your system from inside your own network, get onto your WiFi and create a tunnel back to me and my network. So even remotely, I can now act like I’m internal to your network.

It creates a digital tunnel back to you?

Yes, it then not only looks like I am a credentialed user on your network inside your system, but I’m also literally inside your system. I’m inside your four walls. And how I got there was because don’t protect your four walls.

You didn’t mention watching the insider, like the Snowden issue.

The Snowden issue, quite frankly, is a difficult, complex one. If you have a determined individual on the inside, they are going to harm you. You’re never going to stop it all. But a lot of these issues, Target, the OPM, Anthem, where it was reported that the intrusion was discovered when a network administrator finally realized his credentials were being misused, a lot of these are because of bad players taking advantage of avoidable errors. That vendor fixing an air-conditioner inside your data center should have a staff member watching at all times. How is it that when data closets are supposed to be locked and protected, people can gain access to open ports?

So port access should be monitored?

Absolutely. You have to turn off access to all ports that are not being used. The government does a pretty good job at this actually, but the private sector, not as much. If you’re issuing laptops and they don’t have a need to use a USB thumb drive, then turn off the USB ports.

How do you confirm internal misuse?

All of this is up to validating the people you hire and trust in them. But if you can’t trust or manage your employees, and have measurable metrics for that, you’d have a real problem with rolling out anything really secure. But you also have to punish employees that don’t do what they’re supposed to and don’t follow prescribed security protocols or maintain security hygiene. We’re remarkably forgiving of that, as companies. You can’t manage what you can’t measure. If you don’t have the ability to monitor and measure how people are acting, you don’t have any ability to say I’m going to fire you for that stuff, or monitor unauthorized activity. You need to take disciplinary action against people that violate your policies. Once you allow physical access to a rogue party, there’s little you can do to stop malware entering your system, except put in place processes to limit the effectiveness of that break in.