Where will physical security go into the digital world?

It has been 20 years since 9/11. On September 11, 2001, in the span of nearly an hour, two planes crashed into the World Trade Center, one plane crashed into the Pentagon, and another plane crashed in a clearing in Shanksville, Pennsylvania.

At that time, the incident not only led to a continued downturn in the aviation industry; it also gradually brought the topic of “physical security” to the world’s attention. Imagine if all the physical security equipment in the World Trade Center had been carefully inspected before the 9/11 incident, and effective security measures could have been activated in time when the incident occurred, whether to keep escape routes clear, to keep firefighting facilities usable, to activate fire doors normally, or to notify disaster relief personnel more promptly. Then the number of victims would have been far lower than 2996, and the economic loss would not have been as high as 2% of the country’s GDP in that year (about 200 billion US dollars).

The aftereffects of the disaster have not dissipated for a long time. The one fortunate outcome is that physical security systems attracted attention and have developed through people’s unremitting efforts. A very complete set of theories and standard workflows has been formed, covering both daily security work and the response when safety incidents occur, which can effectively improve security and minimize losses.

Physical Security Definition

Wikipedia defines “physical security” as:

Physical security describes security measures designed to deny unauthorized access to facilities, equipment, and resources and to protect people and property from damage or harm, such as espionage, theft, or terrorist attacks. Physical security involves the use of multiple layers of interdependent systems that include CCTV surveillance, security guards, protective barriers, locks, access control protocols, and many other technologies.

In short, it is the use of a system that integrates various security equipment and technologies to protect the safety of people and property.

While it is often treated as less important than cybersecurity, physical security is actually just as important. In fact, it has grown into a $30 billion industry. All the firewalls in the world won’t help you if an attacker removes your storage media from the storage room.

Physical security is becoming increasingly complex through technologies such as artificial intelligence (AI) and the Internet of Things (IoT), which means that IT and physical security are becoming more connected, so security teams must work together to protect physical and digital assets.

Why is physical security important?

Essentially, physical security is protecting your facilities, people, and assets from real-world threats. It includes physical deterrence, intruder detection, and response to these threats.

While environmental events (i.e. catastrophic events due to natural factors or human violations of environmental regulations) can also threaten physical security, the term “physical security” here generally refers to preventing people (whether external actors or potential insider threats) from accessing areas or assets they should not have access to. It could be keeping the public away from your headquarters, on-site third parties away from sensitive work areas, or keeping your employees out of mission-critical areas such as server rooms.

A physical attack could be breaking into a secure data center, sneaking into restricted areas of a building, or using a terminal they don’t have access to. Attackers can steal or damage critical IT assets such as servers or storage media, access critical endpoints for mission-critical applications, steal information via USB, or upload malware onto your system, and more.

Tight controls at the outermost perimeter should protect against external threats, while internal measures around access should reduce the likelihood of an insider attacker (or at least flag abnormal behavior).

David Kennedy, CEO of penetration testing firm TrustedSec, has said that one of the most common mistakes companies make when approaching physical security is focusing on the front door. They put all the security at the front door (surveillance cameras, security guards, badge access) but pay no attention to the building as a whole. Smoking areas, on-site gym entrances, and even loading areas can all be unguarded, unmonitored, and unsafe. Revolving doors or similar barriers with motion sensors at the exit can also be easily opened by reaching to the other side and waving.

While the cost of a successful digital attack continues to increase, the physical damage to your assets can be equally significant. A notorious example of a physical security failure was a hosting site in Chicago that was robbed four times in two years, with the robbers taking 20 servers on the fourth break-in.

Physical Security Risk Scope

According to the “2021 Mid-Year Outlook Protection Intelligence Report” released by the Ontic Center for Protection Intelligence, the pandemic, the violent January break-in at the U.S. Capitol, civil unrest, and an increase in gun violence have made CISOs and other executives more concerned about physical security, including their own and their employees’ well-being.

Based on a survey of 300 physical security decision makers, CISOs, CIOs, CTOs, and other IT leaders, the report highlights four areas of concern for physical threats:

Business Continuity: Unmanaged and growing physical threats increase enterprise risk and can impact business continuity. The report recommends that companies invest in physical security to mitigate the threat of violence;

Larger threat scenario: Intelligence failure puts executives and employees at risk of physical harm from insiders or supply chain damage or property theft. 71% of respondents said the physical threat landscape has changed “dramatically” in 2021;

Lack of alignment between physical and cybersecurity: The majority of respondents (69%) said that unifying cybersecurity and physical security could help avoid incidents that would harm or even destroy their organization. This includes having a single platform to identify and communicate threats;

Unexpected challenges: Compared to previous research, some of the key challenges that IT and security leaders face in 2021 are not the ones they expected to encounter in 2020. These challenges include regulatory compliance reporting and demonstrating the return on investment in physical security.

Overall, 64% of respondents said physical threat activity has increased so far in 2021, while 58% said they felt their organization was underprepared to handle physical security.

Physical Security Principles and Measures

Physical security boils down to a few core components: access control and monitoring.

Access control

Access control covers a large area, ranging from basic barriers to more complex things such as keypads, ID cards, or biometrically restricted doors.

The first line of defense is the building itself: gates, fences, windows, walls and doors. Locking these down and adding deterrents like barbed wire, warning signs, and ubiquitous guards will deter most casual attempts on your location.

There are various access control systems, each with its own advantages and disadvantages. Simple ID card scanners can be cheap, but the cards can be easily stolen or counterfeited. Near Field Communication (NFC) or Radio Frequency Identification (RFID) cards make counterfeiting difficult, but not impossible. Implanting NFC chips in employees, which has reportedly become a trend in Sweden and has drawn the ire of UK unions, is also a way to reduce the chance of card loss.

Biometric security is also a common option for securing facilities and equipment. In theory, our unique physical identifiers, whether a fingerprint, iris, face, or even pulse, are harder to steal or counterfeit than any card. A report by ABI Research predicts that the use of biometrics will only increase in the future. Fingerprints are still the most commonly used method, but ABI suggests that they will increasingly be supplemented as the use of face, iris and pulse recognition grows.

Even so, biometric verification isn’t unbreakable. Fake fingers are said to be able to overcome fingerprint readers, photos or masks are enough to fool facial recognition, and the German hacker group Chaos Computer Club has even found a way to defeat iris recognition using only photos and contact lenses.

Monitoring

Surveillance includes everything from patrolling guards, burglar alarms and CCTV to sound and motion sensors and recording who went where.

In higher risk locations, companies can deploy more sophisticated detectors, such as proximity, infrared, imagery, optical, temperature, smoke and pressure sensors, to maintain overall visibility into their facilities.

IoT and AI bring physical security to the digital world

In the past, physical security and digital security were usually completely separate domains, but today they are slowly becoming more and more connected. Surveillance systems are increasingly connected to the internet, access control systems and surveillance systems are keeping digital logs, and the use cases of artificial intelligence in physical security are becoming more popular.

For example, CCTV-based image recognition can alert you to people or vehicles approaching. In more sophisticated systems, facial and even gait recognition can be performed throughout the facility to let you know if an unknown person is on-site or if an employee is setting foot in a place they shouldn’t be. Behavior analysis tied to access control can alert you to unusual behavior. Companies are also starting to use drones for facility monitoring, and a growing number of drone manufacturers are looking to add automated unmanned capabilities. According to research by Memoori, AI-based video analytics could “dominate” physical security investments over the next five years.

Kennedy of TrustedSec said,

Over the past two years, the focus has really shifted from health and safety to information security and trying to really protect all information and the physical location itself. We’re seeing a fusion of physical and logical security: if you’re swiping for badge access in New York, but you’re logging in through a VPN in China, here’s a way to detect potentially malicious activity and use physical data to help provide intrusion analysis in your environment.
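The badge-versus-VPN correlation described in the quote can be sketched as follows. This is an added example, not code from the article or from TrustedSec; the event tuples, the country codes and the 6-hour window are constructed assumptions.

```python
from datetime import datetime

# Constructed sample data (not from the article): (user, timestamp, country).
BADGE_EVENTS = [
    ("alice", "2021-09-01T08:55:00", "US"),  # swipe at a New York office
    ("bob",   "2021-09-01T09:10:00", "US"),
    ("carol", "2021-09-01T09:00:00", "DE"),
]
VPN_LOGINS = [
    ("alice", "2021-09-01T10:30:00", "CN"),  # 95 minutes after a US swipe
    ("bob",   "2021-09-01T11:00:00", "US"),  # same country: consistent
    ("carol", "2021-09-03T09:00:00", "US"),  # two days later: travel is plausible
    ("dave",  "2021-09-01T10:00:00", "CN"),  # no badge data to correlate with
]

def find_location_conflicts(badges, vpn_logins, window_hours=6):
    """Return VPN logins whose source country differs from the country of a
    badge swipe by the same user within window_hours (before or after)."""
    swipes = {}
    for user, ts, country in badges:
        swipes.setdefault(user, []).append((datetime.fromisoformat(ts), country))
    conflicts = []
    for user, ts, vpn_country in vpn_logins:
        login_time = datetime.fromisoformat(ts)
        for swipe_time, badge_country in swipes.get(user, []):
            gap = abs(login_time - swipe_time).total_seconds()
            if badge_country != vpn_country and gap <= window_hours * 3600:
                conflicts.append({
                    "user": user,
                    "badge_country": badge_country,
                    "vpn_country": vpn_country,
                    "gap_minutes": int(gap // 60),
                })
                break  # one finding per login is enough for triage
    return conflicts

if __name__ == "__main__":
    for finding in find_location_conflicts(BADGE_EVENTS, VPN_LOGINS):
        print(finding)
```

IP geolocation of a VPN source is approximate, so a finding like this is a lead for an analyst to check against travel records or a lost-badge report rather than proof of compromise.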

Physical and IT security teams work together

However, this growth in physical security technology means that IT and physical security need to work more closely. Digital logs need to be processed, stored and presented to the right people. It may be necessary to create an AI model and train the system. Importantly, all internet-connected devices need to be properly protected.

A physical security system is no longer just a sensor reporting to the user if motion is detected. These are highly technical systems, and their complexity increases every year. However, security providers are usually first and foremost device manufacturers, and now they want to get into the whole IoT business, so their secondary role is really development shops. What we’ve found on these devices actually introduces more exposure than those closed systems we’ve seen in the past.

These devices can often be hacked remotely. For example, CCTV cameras formed a large part of the Mirai botnet used to bring down Dyn in a major DDoS attack in 2016. If your sensor network is not adequately segmented and protected, a vulnerability in one device could allow an attacker to disable a range of your security processes.

The technologies these companies are starting to implement are very promising and do have a mentality of trying to stop malicious actors from breaking into buildings, but they are still immature in the development cycle and take a long time to fix.

Due to the increasing convergence of the physical and digital worlds, physical and IT security are increasingly being integrated into cross-functional teams, for which some companies have created Security Operations Centers (SOCs) to handle both types of security.

However, the number of enterprises that have truly integrated the two operation centers is limited. At present, most enterprises focus on consolidating control centers: instead of setting up several CCTV control centers across the country, it is better to use only one large control center to improve operational efficiency.

Even if the two teams are not merged into one large function, it is still important that both teams work together and share responsibilities. Cybercriminals don’t care what individual roles and responsibilities are, and different departments can speak completely different languages. Having the CSO accountable for both physical and IT security brings together disparate teams and helps improve security across the organization. Given that the EU’s GDPR requirements include physical security, it is critical to ensure that all teams are aligned and working towards the same goals.

Social Engineering and Physical Security

There’s the old adage, “Wear a high-visibility jacket and carry a ladder and you can get in anywhere,” because people’s sense of trust is at play. During intrusion simulations, penetration testers often try to gain on-site access by impersonating builders, cleaners, or even IT support staff.

At a branch of a financial organization, testers gained access simply by falsely claiming that they were updating servers for the IT department. And in another case, a small lie about “fixing a crashing server” was enough to convince a guard at the power company’s office that the two men who were sneaking around in black at 3 a.m. were legitimate employees.

Given the largely human element involved in such attacks, they can be difficult to defend against. The best security technology won’t work if your employees allow friendly but unauthenticated people into places they shouldn’t be. Employee education and awareness are key to reducing the potential threat of social engineering.

Physical Security Policy

While the size and sophistication of your controls and monitoring will vary by location and needs, there are some best practices that can be applied across the board to ensure a robust physical security posture.

Take a risk-based approach and conduct research

Map your risk profile and implement appropriate controls. Don’t hire a team of armed guards for what a simple card lock with CCTV can do. Suppliers need to protect themselves to better protect their customers, so supply chain due diligence is a must. Who do we work with, what internal processes and policies do they follow, and what frameworks do they follow in hardening the system? It is imperative to ensure that the seller you buy the technology from understands the risks and has a process for vulnerability management, notification of security advisories in the event of a problem, etc.

Ensure access controls are associated with people and customize access rights

Every ID card or key code should have a unique person tied to it. Shared “blanket” access cards or codes make leaks more likely and harder to track. If your facility has a strict schedule, make sure that access is time-restricted; for example, caterers are not allowed to visit overnight.

Conduct audit trails and maintain inventory

Track not only who has access to what, but also attempted access. Multiple failed access attempts can signal the presence of bad actors. Know who is responsible for all cards, keys and other access items. If a card is lost or an employee’s position changes (such as resignation, job transfer, etc.), its access rights need to be revoked in a timely manner. If someone quits, get the keys back as soon as possible.
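The checks from this section and the previous one (one accountable holder per badge, time-restricted access, repeated failed attempts, revoked cards still in use) can be run over a door-controller log as sketched below. This is an added example, not from the article; the log layout, badge IDs, the threshold of three denials and the five-minute window are constructed assumptions.

```python
from datetime import datetime

# Constructed inventory: each badge maps to one holder, permitted hours, status.
INVENTORY = {
    "B100": {"holder": "caterer-1", "hours": (6, 18), "revoked": False},
    "B200": {"holder": "ex-employee", "hours": (0, 24), "revoked": True},
    "B300": {"holder": "engineer-7", "hours": (0, 24), "revoked": False},
}
# Constructed door-controller log: (timestamp, badge, door, result).
LOG = [
    ("2021-09-01T02:14:00", "B100", "kitchen", "granted"),
    ("2021-09-01T09:00:00", "B200", "lobby", "denied"),
    ("2021-09-01T10:00:00", "B300", "server-room", "denied"),
    ("2021-09-01T10:01:00", "B300", "server-room", "denied"),
    ("2021-09-01T10:02:30", "B300", "server-room", "denied"),
    ("2021-09-01T11:00:00", "B999", "lobby", "denied"),
    ("2021-09-01T12:00:00", "B100", "kitchen", "granted"),
]

def audit(log, inventory, max_denied=3, window_minutes=5):
    """Return (rule, badge, timestamp) findings for the four checks below."""
    findings, denied = [], {}
    for ts, badge, door, result in sorted(log):
        when = datetime.fromisoformat(ts)
        entry = inventory.get(badge)
        if entry is None:                  # badge with no accountable holder
            findings.append(("unknown_badge", badge, ts))
            continue
        if entry["revoked"]:               # lost card or departed employee
            findings.append(("revoked_badge_used", badge, ts))
        start, end = entry["hours"]
        if result == "granted" and not start <= when.hour < end:
            findings.append(("outside_hours", badge, ts))
        if result == "denied":
            recent = [t for t in denied.get(badge, [])
                      if (when - t).total_seconds() <= window_minutes * 60]
            recent.append(when)
            denied[badge] = recent
            if len(recent) == max_denied:  # alert once, when the threshold is hit
                findings.append(("repeated_denials", badge, ts))
    return findings

if __name__ == "__main__":
    for finding in audit(LOG, INVENTORY):
        print(finding)
```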

Educate staff to follow procedures for treating visitors

People are generally good-natured and inclined to believe that there are more good people than bad. Teaching employees, including guards, to be skeptical, follow proper procedures, and not give too much company information to outsiders can reduce the chances of an employee being taken advantage of. Make sure to check IDs and announce pre-planned visits, and have a process in place for handling walk-in visitors. Make sure visitors are not left alone in sensitive areas. Educating your employees is a small investment with a big return, and it helps them overcome the reluctance to stop people who are not wearing badges for fear of offending them. In addition, employees need to be told to remove their badges and put them in their pockets when leaving the building to prevent cloning or copying.

Test your abilities and processes

Run simulations; try to get into your own facility. Just as companies often send fake phishing emails to test employees’ attention to detail, test whether your employees will provide information over the phone or let in unverified guests.

Author: Yoyokuo