Physical security is often not considered when thinking about cybersecurity. After all, cybersecurity is about hackers, malware, email, social engineering, etc. However, physical security is an essential component of system security and, by extension, cybersecurity. It has been said that if you go to one of those giant apartment complexes and try enough doors, one will always be open. In penetration testing, someone will always check to see if one of the doors or gates is unlocked. The more people who pass through a door or gate, the greater the likelihood that the last person through will assume the next person will lock up. One of the most common means of physically gaining access, one the Chinese are especially good at, is flooding the zone, a football term that fits the technique. When visiting a place they want to compromise, they will bring more people than expected and overwhelm the too-few escorts. They will all go to the bathroom at once, and some will get lost. On the facility tour, again, some will wander off. There will be too many to monitor, and each visitor will know how to use a USB device to connect to the system, tap into the wireless network, etc.
The California State Attorney General produced the 2016 California Data Breach Report. The report looked at four general categories of exploits: malware and hacking, physical breaches, misuse, and user errors. The most common was malware and hacking, with an average of 54% of all breaches; physical breaches followed at 22%, errors at 17%, and misuse at 7%. Regarding physical breaches, the primary means of collecting information were downloading unencrypted data from stolen computers and recovering documents that were not disposed of properly. The report highlighted that the percentage of physical breaches for small businesses exceeded the average, with 36% of small businesses reporting physical breaches.
As technology has progressed, so has the sophistication of the attacks. It is a continual war: the user community implements security best practices and, in doing so, forces the hacker community to look for increasingly sophisticated means of exploiting targeted information systems. An excellent example of this is drone hacking. In October 2015, Drone Life magazine published an article, “Researchers Hack Office Building Using Drone”. Essentially, two researchers, as part of a government-sponsored cybersecurity defense project, were able to use a drone with an attached cell phone to run apps inside a building. That same month and year, the Dell Technologies Blog published “The story behind drones that can hack our networks”, another short description of WiFi hacking by airborne systems. In these examples, drones serve as the transportation system for families of exploit devices. Recently there was another example of a drone attack, and this one was not a science project. In October of this year, the BlackBerry Blog article “The Drone Cyberattack That Breached a Corporate Network” outlined a very deliberate attack against a target that had been thoroughly reconnoitered and most likely penetration tested. Here again, drones were the delivery mechanism. In this case, the drones were specifically configured with penetration or hacking tools. The hackers used a commercial drone with an attached WiFi pineapple, a standard tool used to test WiFi security or hack into WiFi networks. The company was fortunate to have an outstanding security team that acted promptly and tracked down the ongoing attack when notified of abnormal system behavior. A lot has changed since 2015 regarding the use of drones for attacking networks; now, a Google search will provide an array of off-the-shelf hacking configurations or kits that can be customized for these drones.
This is a means of attack that will not be going away anytime soon.
The issue remains physical security, with the objective of safeguarding the information system. As with many system security elements, the solution is in the fundamentals. Physical security is knowing the physical boundaries and segmenting and monitoring access. These are not necessarily simple things. Many security requirements can be met through technology. There are automated door locks, card readers, and CCTV cameras that can be used to monitor spaces, with video that can be reviewed. Getting these systems to work together can take time and effort. Physical security is also accomplished through standard policy. The policy would require encryption for all data, so the information would be unrecoverable if a device is lost or stolen. The policy limits visitors and requires them to be matched with escorts; it ensures the escorts are trained. It is the policy that mandates system security for WiFi and mobile devices. Flying drones at 800 feet to investigate a WiFi network for vulnerabilities is no different from two or three people in a car in a parking lot doing the same thing. Here again, the security tools are basic: encryption, updated software on all devices, changing default passwords, training users to recognize fraudulent emails, etc. The use of drones may be novel, but being on the 8th floor and thinking that altitude provides protection and that there is no need to secure your network is foolish.
California Data Breach Report 2016 – Kamala D. Harris, Attorney General, California Department of Justice
Researchers Hack Office Building Using Drone – DRONELIFE, October 2015
The story behind drones that can hack our networks – Dell Technologies United States
Drones and security – What you need to know – kaspersky.com
The Drone Cyberattack That Breached a Corporate Network – blackberry.com