Incorporating Physical Access Controls in Cybersecurity Education
Some of my friends once worked as part of a red team that was regularly hired to test the security of corporate and government networks. On one of their operations, they walked into an empty conference room and plugged a USB drive into the back of the computer used for all the presentations in the room. That USB drive had malware on it that provided the team with easy access to the network from a remote location. They did not have to hack their way past firewalls and avoid intrusion detection systems. They simply walked through an unlocked door. A lack of good physical security can ruin even the best digital security, and in this case, the lack made the red team’s operation very easy.
Never Overlook Physical Cybersecurity
Physical security is a topic often overlooked or glossed over in the classroom. Too many professors assume students already know the importance of this topic and do not spend enough time teaching it in depth. This is a problem. The above example of gaining simple access through an open conference room is just one of many ways a bad actor can gain access to a network. Students should be trained on how to physically secure assets as part of a cybersecurity plan. Some physical security methods fall outside the realm of digital security measures, but it is important to understand that once physical access is gained, the game is already lost. Students need to know how to look at the totality of security, and the main entrance to an organization’s building is the best place to start.
The Critical Role of Gatekeepers
Large organizations almost always have some type of gatekeeper inside the main doors of their buildings. Their job is to control access. Anyone who can walk through the front door unimpeded can wander around the building until they find an unoccupied office. A more motivated criminal may even bring a lock pick set along to gain access to potentially lucrative rooms. Most cybersecurity programs include a small amount of content about physical security as it relates to social engineering and about the past actions of Kevin Mitnick, who was able to talk his way into facilities, convince people to give him their passwords and use his methodology to successfully gain access to sensitive systems and information. Getting past the front lobby creates a great opportunity for nefarious actors. Professors should include lessons about how to filter physical access at the entrance just as cybersecurity experts filter access at the perimeter of the network. Of course, in both instances, some access by non-employees is still necessary at times, and this requires secondary security measures.
Any room containing servers or network equipment should be secured at all times. These rooms hold the keys to the kingdom; they are the Holy Grail for hackers. Students should understand that unfettered access to a server room guarantees immediate and long-term access that may take years to discover and, depending on how that access is used, could cause a company to go out of business. I once created an administrative account on a network as part of an operation and later found out it was still active almost a year later. Even though it was not being used, it posed a great risk to the network. Just a few minutes of physical access by the wrong person can wreak havoc on a network. There are also some measures we can put in place that fall on the line between physical and digital security.
Minimizing Cybersecurity Threats in USB Port Use
Every computer today is equipped with USB ports. Beyond a keyboard and mouse, employees rarely have a need to use one of these ports. In the past, we could put a malware-laden CD in a corporate bathroom and give it an enticing label like “annual pay raise schedule,” and almost always guarantee someone would put it into a computer. This would launch the malware and establish an outbound connection to an external computer. We can have the same effect with USB drives. Professors can explain that the fix for this problem is to disable all unused USB ports in software. Someone could still physically plug in a drive, but it would not be recognized or usable on that system. This also has the added benefit of keeping sensitive files from leaving the network when a trusted insider strikes. A similar disabling tactic can be used for unused network ports on the wall to keep any bad actors from plugging directly into the network.
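One concrete way to carry out the "disable in software" advice above, as an added example that is not part of the original article: a small POSIX shell script that refuses to load the Linux USB mass-storage drivers so that a plugged-in drive is never recognized while keyboards and mice (HID devices) keep working. The script, its file name and its functions are assumptions made here; it assumes modprobe(8) reads /etc/modprobe.d and that usb-storage is built as a loadable module.

```shell
#!/bin/sh
# Added example (not from the article): block USB mass-storage on a Linux
# workstation by refusing to load the usb-storage and uas kernel modules.
# Keyboards and mice use the HID driver and keep working. Assumes modprobe(8)
# honours /etc/modprobe.d and that usb-storage is built as a module, not
# compiled into the kernel (for built-in drivers use a udev rule or USBGuard).

# Write the deny policy into the given modprobe.d directory. The directory is a
# parameter so the function can be exercised on a scratch directory first.
write_usb_storage_policy() {
    dir="$1"
    cat > "$dir/disable-usb-storage.conf" <<'EOF'
# "install <module> /bin/false" makes modprobe run /bin/false instead of
# loading the driver, so a plugged-in drive is never recognised.
install usb-storage /bin/false
install uas /bin/false
blacklist usb-storage
blacklist uas
EOF
}

# Return 0 when the policy file denies both storage drivers (audit check).
usb_storage_blocked() {
    f="$1/disable-usb-storage.conf"
    [ -f "$f" ] || return 1
    grep -q '^install usb-storage /bin/false' "$f" &&
    grep -q '^install uas /bin/false' "$f"
}

# Return 0 when the usb_storage driver is loaded right now (live audit).
usb_storage_loaded() {
    grep -q '^usb_storage ' /proc/modules 2>/dev/null
}

main() {
    dir="$1"
    write_usb_storage_policy "$dir" || { echo "cannot write to $dir" >&2; exit 1; }
    usb_storage_blocked "$dir" && echo "USB storage policy written to $dir"
    # The policy only affects future loads; unload a driver that is already in.
    if usb_storage_loaded; then
        modprobe -r usb-storage 2>/dev/null \
            || echo "usb_storage still loaded (device in use?); reboot to enforce" >&2
    fi
}

# Usage: sudo sh disable-usb-storage.sh /etc/modprobe.d
if [ "$#" -gt 0 ]; then
    main "$1"
fi
```

The same idea on Windows is the "All Removable Storage classes: Deny all access" Group Policy setting, or setting the USBSTOR service's Start value to 4 so the storage driver never starts.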
A Critical Need for Depth in Cybersecurity Strategies
Professors need to inform students that cybersecurity methods cannot be developed in a vacuum. Other security elements need to be integrated to make security as airtight as possible. It has often been noted that organizations will secure the perimeter of their networks with firewalls without adding any additional layers of security at the perimeter or on the internal network. This has been compared to a cookie with a hard edge and a chewy center: if a hacker makes it past the one layer, the rest of the network will fall. The same is true of physical security methods.
Here is the bottom line. Cybersecurity fails if someone can walk into a server room and plug a device directly into the network. Students are trained on how to deploy hundreds of thousands of dollars’ worth of security devices, but should also be aware that every fancy device will be for naught if we do not lock the doors that provide physical access to these devices. I once kicked someone out of an office in the Pentagon because they were not authorized to be in that space. Had they been allowed to roam free they would have had access to many sensitive systems. We need to do a better job training students to use every available tool to secure networks. A hardened network locks out unwanted bits and a hardened physical security perimeter locks out unwanted physical activities.