NOTE: This is a repost of something I initially posted to LinkedIn on . I will be consolidating a number of older posts to my blog in the near future. Enjoy.
As I am here at the (ISC)2 Security Congress which is collocated with the ASIS International annual convention in Orlando, I am once again struck by the growing crossover between the information and physical security worlds.
For those who do not know, ASIS is an association dedicated to the education and advancement of operational security professionals around the world. Its annual conference features a huge expo hall with every type of physical/operational security gadget you could ever want. There is a plethora of security cameras, gate systems, sensors and even weapons here on the ASIS side of the conference. The “3 G’s” (Guns, Gates and Guards) are the bread and butter of ASIS.
(ISC)2, on the other hand, is a cybersecurity certification organization best known for the CISSP certification. It also has information security vendors on the expo hall floor.
These two are joined together because, as the lines between traditional security and information security blur, both sides need to be educated. More and more, these two worlds are colliding, and it makes me think about the level of training these security guards and other law enforcement individuals receive with respect to social engineering, especially on the cyber side. Why does it matter whether they can spot phishing-type attacks or other electronic social engineering? Well, these folks are the front line of security, and more and more, their tools live in cyberspace. These individuals can control gates, cameras and entry points remotely from hundreds of miles away in a SOC. Oftentimes, the very control of these gates, cameras or sensors is transmitted to “The Cloud” and then relayed to or from the internet-connected device being controlled. A large number of camera systems are IP-based; even doors are networked and controlled by computers over IP-based networking.
To top it off, many physical security manufacturers are not agile enough to provide patches to zero-day software vulnerabilities as quickly as infosec vendors, which leaves the devices vulnerable for extended periods of time. Often these vulnerable systems are on the same network as the rest of the organization’s information technology assets. This is a recipe for disaster, much like what happened with Target where the attack on the POS credit card machines started with vulnerabilities in the HVAC systems.
Imagine, if you will, ransomware stopping an organization’s ability to control ingress and egress from buildings or parking lots, or, even worse, the bad guys being able to control it themselves. How about the ability to remotely deploy an active vehicle barrier system or silence the sensors on the fences?
Untrained individuals can allow this to happen by simply clicking on a malicious link or opening the wrong attachment. Once the bad guys are in, the network is their oyster. This is why, as these digital and physical worlds collide, it is more important than ever to ensure the very people who are guarding our buildings and property are aware of the electronic threats as well as the physical ones.
Cloud-based risk is nothing new to us IT folks, but for those who employ high-tech tools for operational security, take the time to assess the risk these tools pose and train your employees to resist the threats they may not be aware of.
Erich Kron, Security Awareness Advocate at KnowBe4, is a veteran information security professional with over 20 years’ experience in the medical, aerospace manufacturing and defense fields. He is the former security manager for the 2nd Regional Cyber Center-Western Hemisphere and holds CISSP, CISSP-ISSAP, MCITP and ITIL v3 certifications, among others. Erich has worked with information security professionals around the world to provide the tools, training and educational opportunities to succeed in InfoSec.