Halkyn Security Blog
Specialist Security & Risk Management Consultants

Physical Security – It still matters

Good physical security protects your information.

When it comes to security, there is an unfortunate tendency for organisations (large and small) to fall into the trap of treating their physical security as something separate or different from their information security needs. Despite physical security having a place in every international security standard (such as ISO 27001), ownership of physical risks often ends up being moved away from the “Information Security” specialists and bundled in with safety or facilities management.

As we have said in the past, physical security really does matter to your organisation. If you don’t take it seriously, it doesn’t matter how much cybersecurity you have in place: you will suffer losses.

There is an assumption that the big global banks are very much leaders when it comes to security and preventing criminals getting access to their money. Banks have led the way with development of anti-theft measures, counter-fraud, hacker prevention and much more. Most banks spend inordinate amounts of money building very robust networks with strong firewalls and access controls. This all makes sense, because when it comes to robbing money, most criminals dream of getting a big score from a big bank.

With this sort of threat level, spending lots of money on security is actually very sensible for a bank. As you may imagine, they really do spend lots of money.

This means that the recent news was a bit of a surprise. Not one, but two global banks were targeted by a reasonably unsophisticated type of attack which has been known about for over a decade and is countered by pretty basic physical security measures.

Keyboards - protect them with physical security

The first news broke around 13 September 2013 with reports that the Police Central e-crime Unit (PCeU) had foiled a planned attack by a criminal group in London to pose as an engineer and then plant a “KVM” switch in the Salford Quays branch of Santander. At the time, BBC News reported that a gang of 12 people had been arrested in connection with the planned attack.

A week later (20 Sept 2013), a very similar news item appeared when eight men were arrested following the theft of £1.3 million from Barclays Bank using an identical attack. As reported, again by the BBC, this time a fake engineer visited the Swiss Cottage branch of Barclays and attached a malicious KVM switch to a computer. This enabled the gang to get remote access and siphon out the money.

While intelligence-led policing seems to have saved Santander from any loss, Barclays was not so lucky. Even if they do recover most of the money, the harm has still been done. This is a very good example of spending a fortune on technical security controls not mattering. If there is a physical security weakness, attackers will get in.

(Note: a KVM is a “keyboard, video, mouse” switch which is normally used to allow one person to control several devices. In these attacks the KVM appears to have been linked to a device controlled by the criminals allowing them to access the bank’s networks)

Physical security protects assets – lessons learned

Although we may never know all the details, from the published reports there are some lessons for everyone here.

The criminals appear to have been trying to exploit two weaknesses – lack of physical security sweeps and a relaxed approach to service engineers. The fact that two global banks appear to have suffered the same issues is especially interesting and may be a sign that this is prevalent across business sectors.

First – how to combat the two main weaknesses that the criminals wanted to exploit:

  1. Physical security is important. If your organisation separates physical and IT security, you will have a weakness that a criminal will exploit. Don’t fall into this trap.
  2. Ensure your staff are security aware enough that they can spot when strange things appear on their machines or in the office.
  3. If you have security guards / officers on site, make sure they carry out regular physical security sweeps. This should include checking for documents left out, cabinets left unlocked and any strange devices attached to machines.
  4. Unless there is a business reason for it, lock down your computer ports. This won’t prevent a KVM switch attack but it will prevent similar attacks on USB ports.
  5. Manage your service providers. If an engineer comes on-site in a sensitive area you should be supervising them. No engineer should ever get access without having their credentials checked and any unexpected engineer visits should be treated with extreme caution.

Security, including physical security, is never perfect but if you can implement these five steps you will significantly reduce your risks.

One extra issue worth considering – although there is no indication it is relevant to the two cases here – is the risk of an insider being involved. If the criminal gangs had managed to subvert an employee, then they wouldn’t have had to sneak in as an engineer and the attacks become significantly harder to detect.

This is one reason why good background screening and employee aftercare are essential to your overall security posture. Without them, you are just creating a new opportunity for criminals to get access.

Physical Security – Information Security – Personnel Security – Security

The overarching lesson here is that security is security. Protecting your business, preventing theft, guarding your reputation, keeping your assets safe (and so on) is all part of the same mission.

The more you fragment your security into different areas the more you increase the chance that a gap will appear which a criminal will exploit. You may not have the threat profile of a bank, but eventually criminals will notice your weakness and take advantage of it.

In recent years there has been a tendency to split information security off to the IT Department, personnel security gets pushed to HR and physical security ends up with the facilities management team. This is a mistake.

In an ideal world, your organisation will have a “security” department which covers all of this and has links to other departments as needed. Even if we don’t live in an ideal world, you need a centralised “Chief Security Officer” type role to join up the competing interests and make sure that all your security controls join up properly.

Frequently this is called “Holistic” security and, buzzword or not, it just makes sense.

To finish, a quote from Alex Grant, Managing Director, Fraud Prevention, Barclays:

Barclays has no higher priority than the protection and security of our customers against the actions of would-be fraudsters.

Well said. Every business should take a similar position, but remember – actions speak louder than words. If you value your security, do it properly.
