CHAPTER 5: PHYSICAL THREATS

Physical threats are an often-neglected aspect of cyber security, yet they can affect organisations every bit as much as technological threats. Cyber security must incorporate physical security to be truly effective – it’s no good protecting sensitive data with an array of technological controls if someone can simply walk into the building and take it.

Physical security begins with identifying your perimeter and securing it, which means locks on doors and on entry points to sensitive areas such as server rooms. Many organisations use key-card or PIN-entry locks to secure sensitive areas, but these carry their own risks. Staff may write down PINs to make them easier to remember, raising the risk of accidental loss or theft. Older proximity cards, which transmit a fixed, unencrypted identifier whenever a reader energises them, can be read by a concealed reader held close to the wearer; the captured identifier can then be written to a blank card or replayed with a small emulator, and the lock cannot tell the difference. Cards that authenticate to the reader with a cryptographic challenge resist this kind of cloning, so check which type you have issued before relying on them for your most sensitive doors.

Semi-public areas like receptions and warehouses are within your perimeter, but necessarily require a different approach from something like a server room or secure area. To maintain accessibility while providing an adequate level of security, consider visitor logs, security cameras and similar techniques.

A common way for attackers to gain entry is tailgating: following an authorised person through a controlled door without presenting credentials of their own. It is a social engineering technique that plays on people’s innate desire to be helpful (nobody wants to let a door swing shut in a colleague’s face). All an attacker needs to tailgate successfully is a little preparation to avoid looking out of place, and the ability to think on their feet.

One tailgating tactic is for an attacker to join employees on their cigarette break pretending to be someone who recently joined the company (which conveniently explains why they don’t have ID or a key card), then follow them inside when they finish. Advance reconnaissance improves the success rate of such attacks: dropping a name or two during the conversation, or mentioning a project or some other ‘inside’ information, helps reinforce the illusion that the attacker is a real employee.

Some physical entry threats are more overt. Attackers can pretend to be visiting a member of staff, or pose as a maintenance worker or IT contractor. Such attackers will likely refuse an escort, perhaps claiming they are running late or that they already know the way. As soon as they are left alone they can begin their attack, which often means installing hardware: a USB keylogger between keyboard and PC, or a KVM (keyboard, video, mouse) switch, a device normally used to operate several computers from one workstation, fitted with a mobile modem so that the attacker can drive the machine from outside the building (see the KVM example at the end of this chapter).

Make sure your employees understand what tailgating is and how to prevent it. Train staff to challenge unfamiliar people in secure areas and ask for identification, even if the person has an apparently legitimate reason to be there, and make it clear that doing so is expected rather than rude. Escort visitors on the premises at all times, and ask all visitors to sign in and out so that you have a record of when they were on site, who they were visiting and why.

Log all issued key cards, and deactivate any that are reported lost or stolen; reconcile the list regularly against your access control system and HR leaver records so that cards belonging to former staff do not stay active. Consider two-factor authentication (2FA), e.g. key card plus PIN, and CCTV for particularly sensitive areas. Note that if CCTV covers public areas, you may have obligations under data protection legislation.

Entry threats aren’t the only physical cyber security concern. Information leakage – where sensitive information is accessible to unauthorised individuals like visitors, often inadvertently – is another common physical threat.

Clear desk policies are a popular way of reducing information leakage by ensuring employees don’t leave sensitive information in plain view. While useful, they work best when kept sensible and pragmatic: keep sensitive paperwork in lockable drawers or filing cabinets when not in use, lock computers when away from the screen, and switch computers off overnight rather than leaving them locked, since full-disk encryption only protects a machine that is powered off and a locked but running machine still holds its keys in memory.

Adjacent buildings are another potential route for information leakage. Screens and even paperwork visible from adjacent buildings are vulnerable to something as simple as a good zoom lens. Clear desk policies help with this to some extent, but don’t protect you during the working day when screens and sensitive paperwork are in use. If overlooking is a concern, consider reflective (one-way mirror) film on windows, bearing in mind that it only works while the inside is darker than the outside: once the office lights are on after dark the effect reverses, so pair it with blinds, and fit privacy filters to screens that face the windows.

Defence in depth

Physical security doesn’t stop with entry points and key-card locks. No single security measure is 100% effective, so it’s important to take a defence-in-depth approach. Sometimes referred to as the ‘onion skin’ model of cyber security, defence in depth means having multiple, layered defences so that, if one layer fails, the other layers still protect you.

When considering your defence-in-depth options, examine your existing controls for ways they might be circumvented. Once you know where the gaps are, you can put additional ‘layers’ in place to take the strain should the primary control fail. Target the most likely ways your defences might be bypassed rather than assuming that everything that can go wrong will go wrong – there is little benefit in adding layers that will never be used.

As an example, consider information leakage. One major cause of information leakage is inadequate secure disposal, which you can mitigate by using the services of a certified secure disposal organisation. If that organisation somehow loses your hard-copy files or hard drives before the secure disposal process takes place, then your information is freely available to anyone who finds it.

A defence-in-depth approach would consider this possibility and take additional steps to mitigate it – for example, shredding hard-copy files or securely erasing a drive before transferring it to the disposal company. That way, if there is a failure of process during disposal, your information remains secure.

To take a defence-in-depth approach to physical security, assume that your entry defences have failed, then consider the vulnerabilities that may be present in your premises. Meeting rooms and common areas, for example, may contain live, unsecured network ports that could give an attacker direct access to your trusted network; disable ports that are not in use, put those that must stay live on an isolated guest network, or require devices to authenticate (802.1X) before the port carries traffic. Server rooms may be well secured, but if positioned out of sight of foot traffic, an attacker may have enough time to bypass or defeat that security. A holistic approach will allow you to identify such risks and take steps to mitigate them.

Physical security and mobile devices

There are obvious physical security concerns for mobile devices. Encrypting phones, laptops, tablets and portable storage devices to guard against data exfiltration if the device is lost or stolen has been cyber security best practice since portable devices became mainstream. Bear in mind that encryption only protects a device that was locked or switched off when it was taken, and that even then, loss or theft of the device still amounts to loss of the data, which could be disastrous if it is not backed up elsewhere.

Defence against theft and loss may seem like common sense, but staff training to reinforce key concepts never hurts. Your mobile device policy should contain explicit requirements for the use of mobile devices: do not leave devices unattended, always store them in a secure location (e.g. a hotel safe), never store passwords with the equipment, etc.

Physical threats are often combined with social engineering and other attack types in novel ways to increase the chances that an attack will be successful. One such example is of an attacker leaving an unmarked USB device lying around where your staff are likely to spot it – perhaps in the car park, or near an entryway – in the hope that an employee sees it, picks it up, and plugs it into a computer to find out what’s on it.

This attack type is surprisingly successful. A 2016 study found that 98% of USB drives left lying around a university campus were picked up, and that files were opened by the ‘finder’ on at least 45% of devices.24 Such attacks play on our curiosity and natural tendency to be altruistic (most users picked up the devices intending to return them to the owner), and can be very difficult to defend against.

USB devices can install malware or, in the worst cases, destroy the hardware of the connected PC. Devices known as ‘USB killers’ contain capacitors that draw and store power from the USB connection. Once charged, the USB killer discharges that energy at high voltage back into the port’s data lines, destroying the host controller and often the motherboard of the connected computer (or, in fact, of anything with a USB port) and causing irreparable hardware damage.25

Any unidentified removable or mobile device found on or near the premises is a risk. Train employees to hand in found devices rather than plug them in, and to understand the risks that malicious devices can pose. Regular refreshers help reinforce the message, and well-placed posters and signage are good visual reminders in the heat of the moment.

Train your IT department to examine found devices only on an air-gapped, bare-bones test system that you are prepared to lose: an isolated machine stops any malware on the device spreading across your networks, and a sacrificial one limits the damage if the device turns out to be a USB killer. If the contents must be inspected, mount storage read-only and avoid opening documents or running executables from it on the test system itself.
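The training above is the human layer. The example below, added here and not the book’s own code, is a technical layer you can put underneath it: a Python script that scans Linux kernel log lines (the messages the usb core and usb-storage driver write to dmesg/syslog when a device is plugged in) for newly attached USB mass-storage devices and flags any whose vendor and product IDs are not on an allow-list of drives the organisation actually issued. The log lines, host names and the allow-list are constructed for the illustration; the vendor/product IDs are the kind of values real devices report but are assumed here, and a real deployment would read centrally collected syslog or journald output rather than an inline string.

```python
"""Flag USB mass-storage insertions in Linux kernel log lines.

Added example (not the book's own code). The sample log lines below are
constructed for illustration but follow the real message formats the
kernel's usb core and usb-storage driver emit; host names, timestamps,
device IDs and the allow-list are assumed.
"""
import re
from dataclasses import dataclass

# syslog prefix: "Mar 12 09:14:02 ws-017 kernel: ..."
HOST = re.compile(r"^\S+ +\d+ [\d:]+ (?P<host>\S+) kernel:")
# usb core: "usb 1-1: New USB device found, idVendor=0951, idProduct=1666, ..."
NEW_DEVICE = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
# usb core: "usb 1-1: Product: DataTraveler 3.0"
PRODUCT = re.compile(r"usb (?P<port>[\d.-]+): Product: (?P<name>.+)$")
# usb-storage: "usb-storage 1-1:1.0: USB Mass Storage device detected"
STORAGE = re.compile(
    r"usb-storage (?P<port>[\d.-]+):[\d.]+: USB Mass Storage device detected"
)

# Hypothetical inventory: (idVendor, idProduct) of the drives IT has issued.
ALLOWED_IDS = {("0781", "5581")}

# Constructed log: an unknown stick on ws-017, a wireless mouse receiver
# (not storage) on ws-017, and an issued drive on ws-031.
SAMPLE_LOG = """\
Mar 12 09:14:02 ws-017 kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
Mar 12 09:14:02 ws-017 kernel: usb 1-1: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
Mar 12 09:14:02 ws-017 kernel: usb 1-1: Product: DataTraveler 3.0
Mar 12 09:14:02 ws-017 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Mar 12 09:20:45 ws-017 kernel: usb 1-2: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.10
Mar 12 09:20:45 ws-017 kernel: usb 1-2: Product: USB Receiver
Mar 12 11:02:13 ws-031 kernel: usb 2-3: New USB device found, idVendor=0781, idProduct=5581, bcdDevice= 1.00
Mar 12 11:02:13 ws-031 kernel: usb 2-3: Product: Ultra
Mar 12 11:02:13 ws-031 kernel: usb-storage 2-3:1.0: USB Mass Storage device detected
""".splitlines()


@dataclass
class UsbDevice:
    host: str
    port: str
    vid: str
    pid: str
    name: str = "?"
    storage: bool = False


def parse_usb_events(lines):
    """Correlate the kernel messages for each (host, port) into one device record."""
    devices = {}
    for line in lines:
        h = HOST.match(line)
        host = h["host"] if h else "?"
        m = NEW_DEVICE.search(line)
        if m:
            devices[(host, m["port"])] = UsbDevice(host, m["port"], m["vid"], m["pid"])
            continue
        m = PRODUCT.search(line)
        if m and (host, m["port"]) in devices:
            devices[(host, m["port"])].name = m["name"].strip()
            continue
        m = STORAGE.search(line)
        if m and (host, m["port"]) in devices:
            devices[(host, m["port"])].storage = True
    return list(devices.values())


def alerts(lines, allowed=ALLOWED_IDS):
    """One alert per mass-storage device whose IDs are not on the allow-list."""
    return [
        f"{d.host}: unapproved USB storage '{d.name}' ({d.vid}:{d.pid}) on port {d.port}"
        for d in parse_usb_events(lines)
        if d.storage and (d.vid, d.pid) not in allowed
    ]


if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG):
        print(a)
```

Run against a syslog export, this gives one alert per unapproved drive per workstation, which is the signal you want when a found stick has been plugged in despite the training. It only sees devices that register with the usb-storage driver, so a malicious device that enumerates as some other class (a keyboard, for instance) needs a separate rule, and it is a detective control: blocking removable storage outright, where the business allows it, remains the stronger option.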

Example: KVM attacks

Keyboard, video and mouse controllers (KVM switches, or KVMs) are devices that allow a user to switch the computer they’re operating without changing keyboard, screen or mouse. KVM switches are often found in data centres, allowing operators to connect to different servers from the same workstation. KVMs from reputable manufacturers come with built-in security functions to prevent external attackers connecting to them and accessing the connected computers – but what if the KVM used to attack you belongs to someone else?

KVM attacks hit the news in 2013 with the targeting of London banks. An attacker entered a Barclays branch claiming to be IT support staff and attached a 3G-enabled KVM switch to bank computers. The 3G connection allowed the attackers to connect to the KVM through the Internet, giving them full control over the connected computer from a remote location. Once they had control, all they had to do was transfer the money from one account to another in amounts that were sufficiently small to avoid additional scrutiny.

The attackers stole £1.25 million (£600,000 of which was recovered by Barclays). A few months later, they struck another Barclays branch, resulting in the theft of £90,000. This time, the KVM switch was recovered by police, but the attackers remained at large.

In September 2013, the attackers switched targets to a Santander branch. Just as before, an attacker entered the premises under the guise of IT support staff and attached another 3G-enabled KVM device to bank computers, while accomplices were waiting to transfer funds to holding accounts. This time, however, the police were ready.

A raid carried out on an accomplice’s property revealed computers in the middle of carrying out the Santander attack, along with a treasure trove of stolen credit cards, letters, usernames and passwords, and other material used to commit fraud. Police arrested the ‘IT support engineer’ shortly after he left the bank.26

The 2013 KVM attackers combined social engineering (pretending to be IT support) with a hardware-based threat (the 3G-enabled KVM switch). They knew enough about banking systems to keep each international transfer just below the limit that would trigger additional checks, suggesting that research and reconnaissance were performed to identify the safest way of extracting the money without drawing attention (and, most likely, to pick the target branches too).

Such ‘combined’ attacks are effective because they bypass many of the controls put in place to defend against them. The 3G router allowed the KVM switch to be operated over a mobile Internet connection, bypassing the bank’s network security controls, while the social engineering techniques allowed the attackers to bypass physical entry controls. This is why defence in depth is so important – protecting against combined attacks requires combined defences.

24 Matthew Tischer et al., “Users really do plug in USB drives they find”, Universities of Illinois and Michigan, 2016, https://elie.net/publication/users-really-do-plug-in-usb-drives-they-find/.

25 Catalin Cimpanu, “Former student destroys 59 university computers using USB Killer device”, ZDNet, April 2019, https://www.zdnet.com/article/former-student-destroys-59-university-computers-using-usb-killer-device/.

26 Tim Ring, “Cyber gang behind £1.25m ‘KVM’ bank fraud convicted”, SC Magazine, March 2014, https://www.scmagazineuk.com/cyber-gang-behind-125m-kvm-bank-fraud-convicted/article/1480424.
