When it comes to security, there is an unfortunate tendency for organisations (large and small) to fall into the trap of treating their physical security as something separate or different from their information security needs. Despite physical security having a place in every international security standard (such as ISO 27001), ownership of physical risks often ends up being moved away from the “Information Security” specialists and bundled in with safety or facilities management.
As we have said in the past, physical security really does matter to your organisation. If you don’t take it seriously, it doesn’t matter how much cybersecurity you have in place, you will suffer losses.
There is an assumption that the big global banks are very much leaders when it comes to security and preventing criminals from getting access to their money. Banks have led the way with the development of anti-theft measures, counter-fraud, hacker prevention and much more. Most banks spend inordinate amounts of money building very robust networks with strong firewalls and access controls. This all makes sense, because when it comes to stealing money, most criminals dream of getting a big score from a big bank.
With this sort of threat level, spending lots of money on security is actually very sensible for a bank. As you may imagine, they really do spend lots of money.
This means that the recent news was a bit of a surprise. Not one, but two global banks were targeted by a reasonably unsophisticated type of attack which has been known about for over a decade and is countered by pretty basic physical security measures.
The first news broke around 13 September 2013 with reports that the Police Central e-crime Unit (PCeU) had foiled a planned attack by a criminal group in London to pose as an engineer and then plant a “KVM” switch in Santander’s Salford Quays branch. When this happened, BBC News reported that a gang of 12 people had been arrested in connection with the planned attack.
A week later (20 Sept 2013), a very similar news item appeared when eight men were arrested following the theft of £1.3 million from Barclays Bank using an identical attack. As reported, again by the BBC, this time a fake engineer visited the Swiss Cottage branch of Barclays and attached a malicious KVM switch to a computer. This enabled the gang to get remote access and siphon out the money.
While intelligence-led policing seems to have saved Santander from any loss, Barclays was not so lucky. Even if they do recover most of the money, the harm has still been done. This is a very good example of how spending a fortune on technical security controls can count for nothing: if there is a physical security weakness, attackers will get in.
(Note: a KVM is a “keyboard, video, mouse” switch which is normally used to allow one person to control several devices. In these attacks the KVM appears to have been connected to a device controlled by the criminals, allowing them to access the bank’s networks from outside.)
Physical security protects assets – lessons learned
Although we may never know all the details, from the published reports there are some lessons for everyone here.
The criminals appear to have been trying to exploit two weaknesses – lack of physical security sweeps and a relaxed approach to service engineers. The fact that two global banks appear to have suffered the same issues is especially interesting and may be a sign that this is prevalent across business sectors.
First – how to combat the two main weaknesses that the criminals wanted to exploit:
- Physical security is important. If your organisation separates physical and IT security, you will have a weakness that a criminal will exploit. Don’t fall into this trap.
- Ensure your staff are security aware enough that they can spot when strange things appear on their machines or in the office.
- If you have security guards / officers on site, make sure they carry out regular physical security sweeps. This should include checking for documents left out, cabinets left unlocked and any strange devices attached to machines.
- Unless there is a business reason for it, lock down your computer ports. This won’t prevent a KVM switch attack but it will prevent similar attacks on USB ports.
- Manage your service providers. If an engineer comes on-site in a sensitive area you should be supervising them. No engineer should ever get access without having their credentials checked and any unexpected engineer visits should be treated with extreme caution.
Security, including physical security, is never perfect but if you can implement these five steps you will significantly reduce your risks.
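As an added example (not code from the original article or from either bank), here is one concrete check that the "physical security sweeps" step above could include: compare the USB devices currently attached to a workstation against a signed-off baseline and report anything unexpected. The inventory lines follow the `lsusb` output format found on Linux; the sample baseline and sweep inventories below are constructed for illustration, and the unknown device’s vendor/product ID is a deliberate placeholder.

```python
"""Baseline comparison of attached USB devices, as one automated part of a
physical security sweep.  Added example; the sample inventories are
constructed and are not taken from the incidents described in the article."""
import re
from dataclasses import dataclass

# Matches one lsusb-style line, e.g.
# "Bus 001 Device 002: ID 046d:c31c Logitech, Inc. Keyboard K120"
LSUSB_RE = re.compile(
    r"^Bus\s+(?P<bus>\d{3})\s+Device\s+(?P<dev>\d{3}):\s+ID\s+"
    r"(?P<vid>[0-9a-fA-F]{4}):(?P<pid>[0-9a-fA-F]{4})\s*(?P<desc>.*)$"
)


@dataclass(frozen=True)
class UsbDevice:
    vid: str   # USB vendor ID, lower-case hex
    pid: str   # USB product ID, lower-case hex
    desc: str  # free-text description as reported by the host


def parse_lsusb(text):
    """Parse lsusb-style lines into UsbDevice records; malformed lines are skipped."""
    devices = []
    for line in text.splitlines():
        m = LSUSB_RE.match(line.strip())
        if m:
            devices.append(UsbDevice(m["vid"].lower(), m["pid"].lower(), m["desc"].strip()))
    return devices


def find_unexpected(baseline, current):
    """Devices present now that are not on the approved baseline.

    Comparison is by vendor:product ID rather than description, because the
    description text depends on the driver and can legitimately vary."""
    approved = {(d.vid, d.pid) for d in baseline}
    return [d for d in current if (d.vid, d.pid) not in approved]


def find_missing(baseline, current):
    """Approved devices that have disappeared (e.g. a keyboard now routed
    through something else), which also merits a look during a sweep."""
    present = {(d.vid, d.pid) for d in current}
    return [d for d in baseline if (d.vid, d.pid) not in present]


def sweep_report(baseline_text, current_text):
    """Run both checks and return a summary suitable for a sweep log."""
    baseline = parse_lsusb(baseline_text)
    current = parse_lsusb(current_text)
    return {
        "unexpected": find_unexpected(baseline, current),
        "missing": find_missing(baseline, current),
        "device_count": len(current),
    }


# Constructed sample data: the approved baseline for a branch workstation.
BASELINE = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 046d:c31c Logitech, Inc. Keyboard K120
Bus 001 Device 003: ID 046d:c077 Logitech, Inc. M105 Optical Mouse
"""

# Constructed sample data: what a sweep finds later.  The ffff:0001 entry is a
# placeholder ID standing in for an unlabelled device inserted inline between
# the machine and its keyboard/mouse.
CURRENT = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 004: ID ffff:0001 (constructed) unlabelled 4-port hub
Bus 001 Device 005: ID 046d:c31c Logitech, Inc. Keyboard K120
Bus 001 Device 006: ID 046d:c077 Logitech, Inc. M105 Optical Mouse
"""

if __name__ == "__main__":
    report = sweep_report(BASELINE, CURRENT)
    for dev in report["unexpected"]:
        print(f"UNEXPECTED device {dev.vid}:{dev.pid} {dev.desc}")
    for dev in report["missing"]:
        print(f"MISSING approved device {dev.vid}:{dev.pid} {dev.desc}")
    if not report["unexpected"] and not report["missing"]:
        print("Inventory matches baseline")
```

The check is a complement to the visual sweep, not a replacement for it: it only sees what the host enumerates, so a device that presents the same vendor and product IDs as the approved keyboard, or one that sits entirely on the far side of a KVM without exposing itself to the host, will not show up here. Running it at each sweep and logging the result gives guards and IT a shared record to compare against.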
One extra issue worth considering – although there is no indication it is relevant to the two cases here – is the risk of an insider being involved. If the criminal gangs had managed to subvert an employee, then they wouldn’t have had to sneak in as an engineer and the attacks become significantly harder to detect.
This is one reason why good background screening and employee aftercare are essential to your overall security posture. Without them, you are just creating a new opportunity for criminals to get access.
Physical Security – Information Security – Personnel Security – Security
The overarching lesson here is that security is security. Protecting your business, preventing theft, guarding your reputation, keeping your assets safe (and so on) is all part of the same mission.
The more you fragment your security into different areas the more you increase the chance that a gap will appear which a criminal will exploit. You may not have the threat profile of a bank, but eventually criminals will notice your weakness and take advantage of it.
In recent years there has been a tendency to split information security off to the IT Department, personnel security gets pushed to HR and physical security ends up with the facilities management team. This is a mistake.
In an ideal world, your organisation will have a “security” department which covers all of this and has links to other departments as needed. Even if we don’t live in an ideal world, you need a centralised “Chief Security Officer” type role to reconcile the competing interests and make sure that all your security controls join up properly.
Frequently this is called “Holistic” security and buzzword or not, it just makes sense.
To finish, a quote from Alex Grant, Managing Director, Fraud Prevention, Barclays:
Barclays has no higher priority than the protection and security of our customers against the actions of would-be fraudsters.
Well said. Every business should take a similar position, but remember – actions speak louder than words. If you value your security, do it properly.