Ten years ago life was easy. Companies had guards, patrolling the perimeter with big dogs, keeping an eye on CCTV cameras between rounds.
Meanwhile, the sysadmin jockeyed his console, trusting firewalls and AV for security and spending most of the day reinstalling crashed Windows laptops.
The two worlds rarely interacted. Today they are intertwined, and the sooner companies realize this, the better. Adapting to ongoing trends, large, forward-thinking organizations are merging their physical and cyber security departments, and starting to include safety as well.
Old-school brick-and-mortar criminals dealt in arms, drugs and prostitution. When hackers presented them with software to rob banks, they started to defraud online banks in the West. As extortion has always been a favorite business model in the criminal world, ransomware provided the means: criminals performed mass, automated extortion, putting our data on the line.
Ransomware didn’t evolve into the moneymaker that criminals had hoped for, for a very simple reason: people didn’t pay. Maybe, 4 years ago, Bitcoin transactions were too complicated for the average Joe. Many criminals are now moving to cryptojacking, another attack type that uses the same botnet infrastructures but without the need to implement a victim-facing payment process. However, criminals will be criminals, and they still long to extort: last year hackers pwned the key creation system of a hotel in Austria. 180 skiers stood in the lobby and couldn’t enter their rooms. The management saw no other option than to pay, as calling the police and reinstalling the key processes would take too long. Criminals, in other words, are building more bespoke ways to extort.
How much is our safety worth?
In general, we value our physical safety higher than our cyber security. This is where the IoT comes in, with a tsunami of connected (and vulnerable) devices invading our homes and our lives: ovens, doorbells, cars, and the millions of cheap connected devices, like wifi routers and cameras, entering the market from China. Experts agree that anything connected is vulnerable. There is tremendous opportunity for criminals to use these devices as “stepping stones” into our networks. There is a direct approach too: extorting people through their connected cars, or even through medical devices like pacemakers. Although there are only a few documented incidents, there are clear indications that devices close to the chest are becoming exploitable. If you like to extort people, this is what you’ve been waiting for.
Insecure safety features
Back to CCTV cameras. Their purpose is to give visibility on people sneaking in. Paradoxically, the cameras themselves, especially the “good value” type, tend to be full of holes. Who spots the unauthorized entry that comes not through the main gate, but through the camera protecting it? If you think “that’ll never happen to me”, think again. If government-sponsored espionage groups can have a blind spot, so can you.
Physical safety and cyber security are intertwining. Security guards and infosec folk should tread the grey area together, to see where their responsibilities overlap and align. They should create procedures and practice them. Nowadays, ethical hacking companies can offer you physical access tests on top of their hacking efforts. The hacker wears a snazzy suit, carries some papers and a banana, and enters your organization with a smile and a nod to the guard. She connects a wifi access point to your network and her colleagues take over from a distance. It’s time to consider physical and cyber in one equation, see where they align and overlap, and start plugging any holes.
Why the banana, you ask? Well, have you ever seen a trespasser with a banana? The negative association tricks you into thinking “surely it can’t be a trespasser if she’s holding a banana.”
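The physical access test above ends with a wifi access point plugged into a wall jack. One of the holes a defender can plug is exactly that: an access point bridges its wireless clients onto the switch port it is plugged into, so a port that should carry a single desktop suddenly learns several MAC addresses, most of them absent from the asset inventory. The script below is an added example, not code from the original post or from any vendor; the switch log format, the switch and port names, the MAC addresses and the "inventory" are all constructed for the example. It parses MAC-learning events per switch port and flags ports that carry more MACs than an access port should, or MACs nobody has registered.

```python
# Added example (not from the original post): flag a possible rogue device on the
# wired network from per-port MAC-learning events. A wifi access point plugged
# into a wall jack bridges its wireless clients onto that port, so one access
# port suddenly carries several MACs, and they are not in the asset inventory.

import re
from collections import defaultdict

# Constructed sample: syslog-style MAC learning events from a hypothetical switch.
# The format and field names are assumptions, not any vendor's real log format.
SAMPLE_LOG = """\
2024-05-01T08:01:12 sw-lobby-1 mac-learn port=Gi1/0/12 mac=00:11:22:aa:bb:01 vlan=10
2024-05-01T08:01:40 sw-lobby-1 mac-learn port=Gi1/0/13 mac=00:11:22:aa:bb:02 vlan=10
2024-05-01T09:15:03 sw-lobby-1 mac-learn port=Gi1/0/14 mac=00:11:22:aa:bb:03 vlan=10
2024-05-01T09:15:09 sw-lobby-1 mac-learn port=Gi1/0/14 mac=d4:3d:7e:10:20:30 vlan=10
2024-05-01T09:15:10 sw-lobby-1 mac-learn port=Gi1/0/14 mac=d4:3d:7e:10:20:31 vlan=10
2024-05-01T09:16:00 sw-lobby-1 mac-learn port=Gi1/0/14 mac=a0:b1:c2:d3:e4:f5 vlan=10
"""

# Constructed asset inventory: the MACs the organization knows about.
KNOWN_MACS = {
    "00:11:22:aa:bb:01",
    "00:11:22:aa:bb:02",
    "00:11:22:aa:bb:03",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<switch>\S+) mac-learn port=(?P<port>\S+) "
    r"mac=(?P<mac>[0-9a-fA-F:]{17}) vlan=(?P<vlan>\d+)$"
)


def parse_mac_events(text):
    """Parse log lines into dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def macs_per_port(events):
    """Map (switch, port) -> set of MAC addresses learned on that port."""
    seen = defaultdict(set)
    for e in events:
        seen[(e["switch"], e["port"])].add(e["mac"].lower())
    return seen


def find_suspect_ports(events, known_macs, max_macs_per_access_port=1):
    """Return ports that look as if a bridge or access point was attached:
    more MACs than an access port should carry, or a MAC missing from the
    inventory. The "too many MACs" reason takes precedence when both apply."""
    findings = []
    for (switch, port), macs in sorted(macs_per_port(events).items()):
        unknown = sorted(m for m in macs if m not in known_macs)
        too_many = len(macs) > max_macs_per_access_port
        if unknown or too_many:
            findings.append({
                "switch": switch,
                "port": port,
                "mac_count": len(macs),
                "unknown_macs": unknown,
                "reason": "multiple MACs on access port" if too_many else "unknown MAC",
            })
    return findings


if __name__ == "__main__":
    for f in find_suspect_ports(parse_mac_events(SAMPLE_LOG), KNOWN_MACS):
        print(f"{f['switch']} {f['port']}: {f['reason']} "
              f"({f['mac_count']} MACs, unknown: {', '.join(f['unknown_macs']) or 'none'})")
```

On the sample input only Gi1/0/14 is reported: it learned four MACs, three of them unknown, which is the signature of a bridging device behind a single jack. On a real network the events would come from the switches' own MAC tables or from port-security and 802.1X logs, and the threshold needs tuning: a desk with an IP phone and a PC daisy-chained behind it legitimately shows two MACs, so set `max_macs_per_access_port=2` there rather than paging the guard every morning.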