In pretty much every assessment I've done, and a good deal in day-to-day life, I see a disparity between physical security and information security. While I could ramble endlessly about monolithic networks and their evils (especially the irony in locking servers in a secure room, while leaving access to the same network open in a totally unsecured room), I'm going to talk today about cameras.
Closed Circuit TV (CCTV) systems installed in most banks and other facilities are there to catch thieves with guns and ski masks. They can and do serve other purposes, like accounting for everyone entering/exiting a building, and watching accident-prone areas, but for the most part, they're only there to try and get a shot of a robber's face good enough to put on the evening news.
In this day and age, while there is still a significant amount of robbery at gunpoint, there are much more costly thefts and intrusions that need to be watched for by CCTV systems. I can't tell you how many times I've been in some financial institution (as a customer, not doing work for them) and been left alone in a room with a network-connected PC with full access to the rear of the machine. Furthermore, because of the camera coverage in the building being geared heavily towards the lobby, I was unwatched.
Given this level of access, one could easily use a pocketable USB device (a USB hacksaw, for example) that would steal credentials and leave an agent capable of stealing even more data, all without the victim organization knowing.
According to this article about bank robbery, the average bank robbery costs about $25,000 when it is all said and done (including turnover, lost time, etc.). The average ID theft usually ends up costing between $90 and $305 per record, according to this page. This can vary wildly based on how high- or low-profile the incident is. To work out an average, let's say that 5,000 records were lost (that's a very conservative size for a small bank or credit union). That would be between $450,000 and $1,525,000 in total cost for that breach. A bit of a difference, huh? Now, imagine the public backlash at an organization that just "let" someone walk in and take data, versus the relative empathy the organization would receive because of losses due to a gun-wielding robber.
So, given the absolutely enormous difference in the financial damage the two attacks can do, why do financial organizations not seem to take the more costly attack seriously? Well, the big reason is lack of knowledge. Despite cybercrime and hacking being buzzwords in today's society, most of the defensive effort goes into antivirus and perimeter security. My experience in performing security assessments for these organizations says that they rarely have a thorough and consistent approach to security. A secondary reason is inertia. It's the same reason that banks still have large vaults, despite their most valuable items being in the server room. It's just that financial institutions have a long history of needing physical security to stop intruders with guns, jackhammers, torches, and crowbars, but have relatively little history in dealing with thieves bent on stealing data. Displaying a large number of cameras in the front lobby can often deter an attacker before anything happens.
Given all of the above, what should your cameras be looking at? Well, here's a quick list:
- All major entrances to the building. You need to be able to account for everyone entering and exiting your facility in order to narrow a suspect list given a breach.
- Everywhere that customers normally go. This is not limited to the lobby. There should be camera coverage of all side offices, conference rooms, and other places customers are taken regularly. Furthermore, once these places are defined, customers should be kept out of all other areas.
- Areas surrounding the building. For attacks that happen wirelessly (and shame on any financial institution employing wireless to begin with), attackers are likely to sit in parking lots or on the sides of streets to do so.
- Last, but not least, areas with servers and infrastructure devices should be covered. These devices are the core of everything you do, and having physical access grants you a ton of opportunity to steal data.
Additionally, physical considerations need to be made for all computers and network jacks in the areas where customers are allowed. Computers need to be hidden or turned away from places where customers sit, preventing them from accessing the ports where USB devices or keyloggers could be installed. Network jacks should be completely disabled (unplugged from the switch, not just disabled in configuration), or placed on a separate switch for a guest network.
Of course, many of the attacks mentioned above (except the ones with guns, naturally) can be mitigated using good policy and configuration. For example, the USB hacksaw attack is ineffective if autoplay is disabled. It is also considerably less effective if the account currently logged in is running under limited permissions. USB-based attacks are even less effective if the ports are disabled altogether. Other, more common-sense solutions for these problems include simply not allowing customers to be alone in offices. In my experience, the person who was assisting me kept having to leave in order to go to the copier/printer which was located down the hall.
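One way to check a customer-facing Windows PC for the three mitigations above (autoplay off, limited account, USB storage off), shown as an added example that is not part of the original post. The function names are made up for illustration; the registry values are the standard Windows locations for these settings.

```powershell
# Added example: audit one Windows PC in a customer-accessible office.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-CustomerAreaPc {
    $explorer = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

    # NoDriveTypeAutoRun = 0xFF turns autorun off for every drive type.
    # The machine-wide policy is checked first, then the per-user one.
    $autorun = Get-RegValue "HKLM:\$explorer" 'NoDriveTypeAutoRun'
    if ($null -eq $autorun) {
        $autorun = Get-RegValue "HKCU:\$explorer" 'NoDriveTypeAutoRun'
    }

    # USBSTOR Start = 4 disables the USB mass-storage driver. It does not
    # affect keyboards or other USB device classes, so physical access to
    # the ports still has to be blocked.
    $usbstor = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'

    # Reflects the current token: under UAC, a non-elevated session of an
    # administrator account reports False here.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    @(
        [pscustomobject]@{ Check  = 'Autoplay disabled for all drives'
                           Pass   = ($autorun -eq 0xFF)
                           Detail = "NoDriveTypeAutoRun=$autorun" }
        [pscustomobject]@{ Check  = 'Logged-in account has limited permissions'
                           Pass   = (-not $isAdmin)
                           Detail = "User=$($identity.Name)" }
        [pscustomobject]@{ Check  = 'USB mass storage disabled'
                           Pass   = ($usbstor -eq 4)
                           Detail = "USBSTOR Start=$usbstor" }
    )
}

Test-CustomerAreaPc | Format-Table -AutoSize
```

Run it in the session of the account that is normally logged in on that PC, since the permission check describes the current user only.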
