Saturday, October 29, 2022

Why You Need The Best Of Both Worlds: Physical & Cyber Security


When one mentions Cybersecurity, the images of a hacker wearing a hoodie sitting in a dark room in front of a computer, or of a large server room, very often come to mind.  While it is true that protection of digital assets is of prime interest here, Cybersecurity also encompasses other areas, including the human element (protecting against Social Engineering) and even Physical Security.

The latter typically encompasses all of the brick-and-mortar space that a business may occupy, and it includes the inside offices, too.  Depending upon what industry the business is in, security may be lax or it might be very tight.

For instance, if it is a law firm, security may not be so tight at the primary means of entrance, but the inside offices will probably be much tighter, such as using a smart card or a FOB system of sorts.

On the other hand, a nuclear facility or even Critical Infrastructure will have much tighter Physical Security.  But whatever the situation might be, there tends to be, at least in Corporate America, much more of a focus on the digital asset side of Cyber than on the physical side.  Why is this the case, you may be asking?  Well, here are some key reasons:

1)     Not understanding the importance of it:

Imagine a retail store that has a brick-and-mortar presence in different cities and also has a huge online presence, from which it derives most of its revenue.  Of course, the business owners are going to pay very close attention to the security layers that are baked into their online store.  This would include making sure that the source code is as secure as possible, and that all security certificates are installed and are renewed when the time comes to do so.  Because of this, there will be a lot less attention paid to the physical security of the store.  True, there will be the usual alarms and CCTV cameras in place, but will that be enough?  What I am trying to get at is that business owners think the Cyberattacker will be far more attracted to the digital aspects than to the physical aspects.  But in today’s times, this is far from the truth.  Cyberattackers know this fact, and are now targeting the physical aspects of security, using the principles of Social Engineering in order to con employees into giving out confidential information.  Also, keep in mind that Physical Security is subject to the data privacy laws as well, and you have to be just as compliant here as you would be on the digital side.

2)     Misunderstanding of linkages:

If a company is very large, like Walmart, then there will be some lines separating the actual E-Commerce front from the physical stores, as order fulfillment will occur at the warehouse level, not at the store level.  But if you are a small business owner like me, then the lines will be the same.  I have an E-Commerce store in which I sell my eBooks and newsletters.  Any impact here will be felt on the business overall, because my brand will now have been totally ruined.  The bottom line is that no matter how large or small your business might be, there will always be a direct linkage, or connection, between your online presence and your physical presence.  You need to pay attention to both, and have the right controls in place.  And as my illustration shows, an impact in one area will have an impact on the other.  It’s like a weighing scale that you need to carefully balance.

3)     The IoT:

This is an acronym that stands for the “Internet of Things”.  Loosely defined, it is where all of the objects that we interact with are connected together in both the virtual and physical worlds.  Probably the best-known examples of this are Siri and Cortana.  Here, we are using our wireless device to interact with a personal assistant that exists in the virtual world.  While this is certainly advantageous, it has many security weaknesses as well.  For instance, the network lines of communication are not secure by any means.  All of the information that is transmitted is available in cleartext.  So if any information and data is intercepted by a malicious third party, a lot of damage can be done.  A good example of this is an employee using a scanner to order new stock.  Anybody with a network sniffer hidden in their pocket can intercept the data packets that are being sent back and forth, and reassemble them later.  This can give valuable insights into the warehouse that is storing these products, and where the security issues and weaknesses may reside.  The moral of the story here is to make sure that your lines of communication are encrypted, just as you would for your online presence.
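One practical way to act on that last point is to find out which of your devices are still talking in cleartext before an attacker does. The script below is an added example, not code from the original post: it reads constructed flow-log lines (source, destination, destination port, transport) for a hypothetical set of warehouse scanners and flags every connection that uses a well-known unencrypted protocol, naming the encrypted alternative to migrate to. The port table and the sample addresses are assumptions for the sake of the demonstration.

```python
"""Audit device traffic records for cleartext protocols.

Added example (not from the original post). The flow-log lines and the
10.20.x.x addresses are constructed sample data; the port tables are
the common cleartext/encrypted pairs a defender would start from.
"""
from dataclasses import dataclass
from typing import Dict, List

# Well-known ports whose application data travels unencrypted, mapped to the
# protocol name and the encrypted replacement to migrate the device to.
CLEARTEXT_PORTS: Dict[int, tuple] = {
    21: ("FTP", "SFTP or FTPS (990)"),
    23: ("Telnet", "SSH (22)"),
    80: ("HTTP", "HTTPS (443)"),
    1883: ("MQTT", "MQTT over TLS (8883)"),
}

# Ports that normally carry an encrypted protocol.
ENCRYPTED_PORTS: Dict[int, str] = {
    22: "SSH",
    443: "HTTPS",
    990: "FTPS",
    8883: "MQTT over TLS",
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    transport: str  # "tcp" or "udp"


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line: '<src> <dst> <dport> <transport>'."""
    src, dst, dport, transport = line.split()
    return Flow(src, dst, int(dport), transport.lower())


def classify(flow: Flow) -> str:
    """Return 'cleartext', 'encrypted', or 'unknown' for a flow.

    'unknown' is deliberately not treated as safe: a non-standard port says
    nothing about whether the payload is encrypted, so it needs manual review.
    """
    if flow.dport in CLEARTEXT_PORTS:
        return "cleartext"
    if flow.dport in ENCRYPTED_PORTS:
        return "encrypted"
    return "unknown"


def audit(lines: List[str]) -> List[dict]:
    """Return one finding per cleartext flow, in input order."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        if classify(flow) == "cleartext":
            protocol, replacement = CLEARTEXT_PORTS[flow.dport]
            findings.append({
                "device": flow.src,
                "server": flow.dst,
                "protocol": protocol,
                "recommendation": f"migrate to {replacement}",
            })
    return findings


# Constructed sample flow log: handheld scanners (10.20.1.x) talking to
# back-office servers (10.20.0.x). Not real traffic.
SAMPLE_FLOWS = """\
10.20.1.15 10.20.0.5 80 tcp
10.20.1.15 10.20.0.5 443 tcp
10.20.1.16 10.20.0.9 1883 tcp
10.20.1.17 10.20.0.5 22 tcp
10.20.1.18 10.20.0.5 23 tcp
10.20.1.19 10.20.0.7 5000 tcp
"""


if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS.splitlines()):
        print(f"{finding['device']} -> {finding['server']}: "
              f"{finding['protocol']} in cleartext; {finding['recommendation']}")
```

Run against the constructed sample it reports three cleartext devices (HTTP, MQTT and Telnet); the scanner on port 5000 is neither flagged nor cleared, which is the point of the `unknown` class: a port you do not recognise is a question to answer, not a box to tick.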

4)     Giving great customer service:

In the retail sector, the tendency is always to try to bend over backwards to help your customer out, no matter what the cost might be in the end.  We are motivated to do this in anticipation of getting a nice compliment or even a raise.  But be careful here.  A good example of this is a customer walking in and asking you to help them reset their password on their portal at your online store.  But once again, be careful here.  This could be a ploy so that you access the databases at the corporate level to reset it.  A cunning Cyberattacker will always be looking over your shoulder to see what steps you are taking.  This is technically known as “Shadow IT Management”.  In this case, you should always tell your customer that while you do want to help them out, their best bet is to call tech support to have the password reset.

My Thoughts On This:

As we fast approach 2023, I believe that attacks on physical structures (and not just Critical Infrastructure) will become more prevalent.  The reason for this, which has been the theme of this blog, is that because we have paid so much attention to the protection of digital assets, we have totally neglected the protection of our physical ones.

The Cyberattacker is well aware of this, and this will now become their prime target because of the sheer ease of penetration into it.
