Physical security is often not considered when thinking about cybersecurity. After all, cybersecurity is about hackers, malware, email, social engineering, and other online bogeymen. However, physical security is an essential component of system security and, by extension, cybersecurity.
It has been said that if you go to one of those giant apartment complexes and try enough doors, one will always be open. In penetration testing, someone will always check to see if one of the doors or gates are unlocked. The more people that pass through the door or gate, the greater likelihood that someone will assume the next person will lock up.
One of the most common means to physically gain access is flooding the zone, a football term that fits the technique. In visits to companies that they want to compromise, practitioners will show up for a visit with more people than expected and overwhelm the escorts. On the facility tour, again, some will wander off. There will be too many to monitor, and each visitor will of course know how to use a USB device to connect to the system and tap into the wireless networks.
The Office of the California State Attorney General produced the 2016 California Data Breach Report, which looked at four general categories of exploits: malware and hacking, physical breaches, misuse, and user errors. The most common was malware and hacking, with an average of 54 percent of all breaches; physical breaches followed this at 22 percent; errors at 17 percent; and misuse at 7 percent. Regarding physical breaches, the primary means of collecting information was from stolen computers and downloading unencrypted data or recovering documents that were not disposed of properly.
The report highlighted that 36 percent of small businesses experienced physical breaches, much higher than the rate for larger companies.
As technology has progressed, so has the sophistication of the attacks. As more users implement security best practices, the hacker community is forced to look at increasingly sophisticated means of exploiting targeted information systems. An excellent example of this is drone hacking. In October 2015, Drone Life magazine published an article, “Researchers Hack Office Building Using Drone.” Essentially two researchers, as part of a government-sponsored cybersecurity defense project, were able to use a drone with an attached cell phone to run apps inside a building.
That same month and year, the Dell Technologies Blog posted “The story behind drones that can hack our networks.” This was another short description of Wi-Fi hacking by airborne systems. In these examples, drones are serving as the transportation system for families of exploit devices.
Recently there was another example of a drone attack; this one was not a science project. In October 2022, the Blackberry Blog article, “The Drone Cyberattack That Breached a Corporate Network,” outlined a very deliberate attack against a target that had been thoroughly reconnoitered and most likely penetration-tested. Here again, drones were the delivery mechanism. In this case, the drones were specifically configured with penetration or hacking tools. The hackers used a commercial drone with an attached Wi-Fi pineapple, a standard tool used to test Wi-Fi security or hack into networks. In this case, the company was fortunate to have an outstanding security team that acted promptly and tracked down the ongoing attack when notified of abnormal system behavior.
A lot has changed since 2015. Drones can now be used to attack networks, and a Google search will provide an array of off-the-shelf drone hacking configurations or kits that can be customized to attack specific vulnerabilities. This is an attack method that will not be going away anytime soon.
The issue remains physical security, with the objective of safeguarding the information system. As with many system security elements, the solution is in the fundamentals. Physical security is knowing the physical boundaries and segmenting and monitoring access. These are not necessarily simple things.
Many physical security requirements can be met through technology. There are automated door locks, card readers, and CCTV cameras that can be used to monitor spaces and video that can be reviewed. Getting these systems to work together can take time and effort.
Physical security can also be accomplished through policy. Require encryption for all data, so the information would be unrecoverable if a device is lost or stolen. Limit visitors and require them to be matched to escorts; it ensures the escorts are trained. And mandate system security for Wi-Fi and mobile devices.
Flying drones at 800 feet probing a Wi-Fi network for vulnerabilities is no different from two or three people in a car in a parking lot doing the same thing. Here again, the security tools are basic: encryption, updated software on all devices, changing default passwords, training users to recognize fraudulent emails, and the like. The use of drones may be novel, but being on the eighth floor and thinking that altitude provides network security is foolish.
With 30 years of experience in information technology, Mike Olivier brings his expertise to small-business System Security Planning with San Diego-based 171Comply. As a small business owner working in the federal space both as a prime contractor and as a subcontractor, he understands the realities of running a small business. Contact Mike at mikeo@171comply.com.
