Public and Private Sector Security
yellancnigg
TheCompellingCaseforUnifyingITandPhysicalSecurity_SecurityIndustryAssociation.pdf
9/14/2020 The Compelling Case for Unifying IT and Physical Security | Security Industry Association
https://www.securityindustry.org/2017/11/20/the-compelling-case-for-unifying-it-and-physical-security/ 1/24
(https://www. securityindus try.org/)
(/center-of-excellence/)
The Compelling Case for Unifying IT and Physical Security By Thomas L. Norman, CPP/PSP (https://www.securityindustry.org/author/thomaslnorman/) on November 20, 2017
Share:
(https://www.securityindustry.org/2017/11/20/the-compelling-case-for-unifying-it-and-physical-security/? share=facebook&nb=1)
(https://www.securityindustry.org/2017/11/20/the-compelling-case-for-unifying-it-and-physical-security/? share=linkedin&nb=1)
(https://www.securityindustry.org/2017/11/20/the-compelling-case-for-unifying-it-and-physical-security/? share=twitter&nb=1)
UPCOMING EVENTS
Home (https://www.securityindustry.org) | Cybersecurity (https://www.securityindustry.org/category/solutions/information- technology/cybersecurity/) / Data Storage & Management (https://www.securityindustry.org/category/solutions/information- technology/data-storage-management/) / Information Technology (https://www.securityindustry.org/category/solutions/information-technology/) / Solutions (https://www.securityindustry.org/category/solutions/) | The Compelling Case for Unifying IT and Physical Security
9/14/2020 The Compelling Case for Unifying IT and Physical Security | Security Industry Association
https://www.securityindustry.org/2017/11/20/the-compelling-case-for-unifying-it-and-physical-security/ 2/24
September 14 @ 2:00 pm – 3:00 pm EDT
September 16 @ 3:00 pm – 4:00 pm EDT
September 23 @ 12:00 pm – 1:00 pm EDT
VIEW ALL EVENTS » (HTTPS://WWW.SECURITYINDUSTRY.ORG/EVENTS/)
MOST RECENT
WEBINAR: COMMUNICATION SKILLS FOR WOMEN: BALANCING WARMTHORITY AND THE LANGUAGE OF POWER (HTTPS://WWW.SECURITYINDUSTRY.ORG/EVENT/COMMUNICATION-SKILLS-FOR-WOMEN-BALANCING- WARMTHORITY-AND-THE-LANGUAGE-OF-POWER/)
WEBINAR: REOPENING FACILITIES AND MANAGING DATA PRIVACY CONCERNS IN THE ERA OF COVID-19 (HTTPS://WWW.SECURITYINDUSTRY.ORG/EVENT/REOPENING-FACILITIES-AND-MANAGING-DATA-PRIVACY- CONCERNS-IN-THE-ERA-OF-COVID-19/)
WEBINAR: HOW TO FINGERPRINT VEHICLES USING COMPUTER VISION (HTTPS://WWW.SECURITYINDUSTRY.ORG/EVENT/HOW-TO-FINGERPRINT-VEHICLES-USING-COMPUTER- VISION/)
9/14/2020 The Compelling Case for Unifying IT and Physical Security | Security Industry Association
https://www.securityindustry.org/2017/11/20/the-compelling-case-for-unifying-it-and-physical-security/ 3/24
CATEGORIES
Select Category
ARCHIVES
Select Month
SIA New Member Pro�le: Vintra Inc. (https://www.securityindustry.org/2020/09/14/sia- new-member-pro�le-vintra-inc/)
»
Security Industry Association Says Portland, Ore., Facial Recognition Bans Are Shortsighted (https://www.securityindustry.org/2020/09/10/security-industry-association-says-portland- ore-facial-recognition-bans-are-shortsighted/)
»
SIA New Member Pro�le: Transition Networks, Inc. (https://www.securityindustry.org/2020/09/08/sia-new-member-pro�le-transition- networks-inc/)
»
Security Industry Association and Electronic Security Association Launch Foundation for Advancing Security Talent (https://www.securityindustry.org/2020/09/01/security-industry- association-and-electronic-security-association-launch-foundation-for-advancing-security- talent/)
»
9/14/2020 The Compelling Case for Unifying IT and Physical Security | Security Industry Association
https://www.securityindustry.org/2017/11/20/the-compelling-case-for-unifying-it-and-physical-security/ 4/24
Most organizations today follow the o�cial plan. They have their building and critical rooms secured with electronic access control, digital video and security intercoms; their IT network secured with a �rewall, anti-virus and anti-malware; their website secured and their email servers secured; and both physical security and IT security were installed by the best integrators they could �nd. Thinking they could now rest easy, knowing that they had taken all reasonable measures a prudent company should take … not knowing they were terribly vulnerable.
But security done this way is now just an illusion. The o�cial plan is broken. The o�cial plan has unknowingly become a plan for the organization’s destruction. Yes, you read that right! That is not hyperbole. As you read this, organizations are being destroyed right out of business by the new landscape of security threats. And these are threats that cannot be secured using traditional strategies.
The target landscape for threat actors today is rich and safe for the threat actors. More sophisticated modern attackers are uncovering and utilizing cross-platform exploits that use the cracks between physical and IT security systems to attack the organization. This approach is new, like ransomware was new just a couple of years ago. But today, more than half of malware attacks carry a ransomware payload. In a couple of years, it is likely that cross-platform attacks will be very common, and existentially destructive.
This paper outlines how there is no longer any security without a holistic hi-tech, lo-tech, no- tech approa ch to security, including both IT security and physical security as a single approach, and how organizations can address the new combined threat landscape in a new, much more e�ective way.
9/14/2020 The Compelling Case for Unifying IT and Physical Security | Security Industry Association
https://www.securityindustry.org/2017/11/20/the-compelling-case-for-unifying-it-and-physical-security/ 5/24
When applying security measures, organizations are interested in applying countermeasures to those threat scenarios that are:
most likely to occur
most serious in terms of damage to the organization
This paper focuses on threat scenarios that are most likely to occur and which have the very real potential to seriously damage or destroy the organization’s �nancial viability. This is particularly true for small and medium business enterprises. And while the threat scenarios discussed herein probably do not have the potential to destroy an enterprise organization, it is most certain that the shareholders and the public press would take notice of the incident and its aftermath. Such incidents would almost certainly damage the organization’s business reputation, which would compound the �nancial damages of the actual incident, and the direct costs to mitigate the incident.
Security threat scenarios, particularly IT security threat scenarios, have transformed in the last few years from incidents that we should pay attention to, into incidents that are real existential threats to the organizations they are striking. Many organizations are simply closing their doors in response to these threats, and that is not an exaggeration. These are incidents that simply must be prepared for, for the welfare of the organization, its management, its employees and the community that it serves.
These incidents are very real. They are happening to organizations every day. You are reading about them in the news, with a sigh of relief saying “I’m sure glad that didn’t happen to us!” But the odds are seriously stacked against you. These incidents will strike most organizations within the next few years. This paper discusses what they are and how organizations can e�ectively mitigate the likely damages that will occur.
Let’s take a look at a few examples of why this is so important.
Download Available
THE COMPELLING CASE FOR UNIFYING IT AND PHYSICAL SECURITY
1
2
3
4
5
9/14/2020 The Compelling Case for Unifying IT and Physical Security | Security Industry Association
https://www.securityindustry.org/2017/11/20/the-compelling-case-for-unifying-it-and-physical-security/ 6/24
By Thomas L. Norman, CPP/PSP
TABLE OF CONTENTS
IT Security Is at Risk of Physical Attack Now More Than Ever Before
Case 1: The National Security Agency (NSA)
The NSA is responsible for acquiring intelligence worldwide from communications sources, primarily technology sources. This includes phones, radios and information technology networks, including the internet, dark web (an “o� the internet” shadow internet where many illegal things are o�ered for sale, including malware kits and information on how to break into networks), TOR and private networks. The scope and depth of NSA capabilities at gathering data is simply astonishing. To perform this role, the NSA has developed highly proprietary methods for breaking into networks all over the world, carried out by a specialized hacking team of unparalleled sophistication, reportedly known simply as the Equation Group, making them quite probably the largest and most proli�c hacker organization in the world, their scope being approached only by other similar agencies from Russia, China, Iran and Great Britain. Intrinsic in their mission is a focus on protecting their technology, methods and tradecraft, and the results of their exploits.
More on the NSA “Hack”
DOWNLOAD PDF
9/14/2020 The Compelling Case for Unifying IT and Physical Security | Security Industry Association
https://www.securityindustry.org/2017/11/20/the-compelling-case-for-unifying-it-and-physical-security/ 7/24
More on the NSA Hack
As this paper is being written, the forensics on the NSA attack are underway. Early indications are that this was a Russian FSB operation, aimed at embarrassing the Obama administration. The material posted on the Dark Net included scripts from 2013 such as one called “Extra Bacon” that could gain access to common �rewalls (in this case, the Cisco ASA �rewall). However, the Cisco ASA �rewall has had a major upgrade since this script was written that would make it impossible to use against newer versions, only working on older versions that have not been updated. So far, all exposed scripts are from this era. This indicates that the insider was not directly part of the famed “Equation Group,” but someone else who worked peripherally around that group, who had only limited access to current scripts.
In August 2016, news came that the NSA itself had been hacked , possibly by Russia. The recent security attack on the National Security Agency was both audacious and very e�ective. The news came in the form of exploit kits being sold on the dark web. O�ered for sale there were a number of exploit kits used exclusively by the NSA to break into common �rewalls and routers by virtually every major manufacturer. In other words, what many would consider the crown jewels of the NSA!
Sources within the NSA who don’t want to be quoted say that this incredible “hack” was not a hack at all. It was instead the result of an insider with critical access who simply walked out the door with a USB chip full of the NSA’s top secrets. In other words, it was a physical security exploit, not an IT security attack.
The federal security agency most capable of IT security lost its crown jewels to a physical security exploit!
Case 2: Veteran’s Administration (VA) Massive Data Breach
Personal identifying information on about 26.5 million U.S. military veterans was stolen from the residence of a Department of Veterans A�airs data analyst who took the material home in violation of VA security policies. The data stolen included names, Social Security numbers and dates of birth of the veterans. Inside sources have reportedly claimed that the data are from the VA Bene�ts Administration branch. If so, such data would also likely contain ratings and entitlements as well. Such information would typically also contain the amounts of VA disability deposits and the account numbers and routing numbers of banks into which such deposits are to be made. 26.5 million information technology records of the most vulnerable among us, lost to a physical security breach.
Case 3: DDOS Attack Using 25,513 IP Video Cameras from 105 countries
Just when you thought it was safe to go back into the water, researchers from the security �rm Sucuri discovered that in a very unique attack, 25,513 internet-connected IP security video cameras (physical security devices) have been connected into a massive denial-of- service botnet used in a “proof of concept” distributed denial of service (DDOS) attack against a jewelry store site. The source article indicated that this massive botnet was
6 7
8
9
10
9/14/2020 The Compelling Case for Unifying IT and Physical Security | Security Industry Association
https://www.securityindustry.org/2017/11/20/the-compelling-case-for-unifying-it-and-physical-security/ 8/24
against a jewelry store site. The source article indicated that this massive botnet was
generating nearly 50,000 HTTP requests per second. However, Jason Thacker of White Badger Group, LLC, a leading cybersecurity consulting group, states that it is more likely that these were not HTTP requests, which would require running malware on the cameras, but rather simply HTTP/RTSP streams, which could run from unmodi�ed cameras. The attack continued for days and researchers found that the botnet had leveraged only Internet of Things (IoT) CCTV devices from 105 countries.
This attack is truly unique. It is believed that absolutely nothing can stand up against an attack of this magnitude. Not Google, not Amazon, not the U.S. military, not anything. Further, this attack was primarily launched from IoT security CCTV devices that had been reprogrammed into multicast mode. While many believe that they should be safe against a multicast DDOS attack because they have not subscribed to it, in fact, the multicast server holds the subscription list. And that list can include any group of IP addresses, or range of IP addresses. The range could include a jewelry store, all the IP addresses served by an individual ISP, or something as large as the IP address range including the entire United States of America (however an attack of this scale is highly unlikely due to the demands on the multicast server). And all executed within milliseconds with no obvious weaponry. Obvious defenses against an attack like this include sending out multicast unsubscribe messages to the multicast servers. This would be e�ective because it would have an asymmetric e�ect against the attackers, in favor of the defenders. Thanks to Jason Thacker, CISSP, CEH, vice president and chief technology architect, White Badger Group for information on multicast attack and defense strategies.
Is Physical Security at Risk of Hacking?
Case 4
A worker at a Ukraine electrical distribution plant control center was ending his shift when he was stunned to see the cursor suddenly move across the screen and click on buttons that opened the circuit breakers that took the substation o�ine. The worker stared in disbelief as he watched the cursor move to a dialog box on the screen to con�rm that the circuit breakers were to be taken o�ine.
In that moment, thousands of residents had just lost their lights and heaters.
The operator found that the mouse would not respond to his commands and continued to take additional breakers o�ine. Then, the machine logged him out of the control panel. Trying to log back in, the worker found that his password had been changed, and he could not regain control of the system. All he could do was stare hopelessly at the screen as the machine clicked o� breaker after breaker, taking 30 substations o�ine. At the same time, two other power distribution centers were hacked, plunging 230,000 residents into the dark and the cold of winter. The operators themselves were fumbling in the dark. Real physical damage from a cyberattack.
C 5
11
9/14/2020 The Compelling Case for Unifying IT and Physical Security | Security Industry Association
https://www.securityindustry.org/2017/11/20/the-compelling-case-for-unifying-it-and-physical-security/ 9/24
Case 5 In 2008, cyber terrorists hacked into the majority BP-owned Baku-Tblisi-Ceyhan pipeline in Turkey causing an explosion with �ames as high as 150 feet. Previously, the Baku-Tblisi- Ceyhan was believed to be one of the most secure pipelines in the world. But in this attack, the terrorists in�ltrated the pipeline through a wireless network, tampered with the systems and caused severe physical damage. The U.S. has millions of miles of pipelines that distribute oil, hazardous liquids, natural gas and chemicals. Many of these can be reached above ground simply by walking up to them (providing for physical attacks) and also seem to be vulnerable to cyberattacks that can in�ict the same kind of serious physical damage as physical attacks.
NSA Director Admiral Michael Rogers said in November 2014 that several foreign governments had already hacked into U.S. energy, water and fuel distribution systems, potentially damaging essential services, according to Bloomberg.
Case 6
At a recent DEFCON conference, Dennis Maldonado, security consultant at KLC Consulting showed exactly how to hack into a variety of common access control systems, providing access to anywhere in the facility to persons who had no authorization whatsoever to be there. Physical access via a cyberattack.
At another DEFCON, Jason Ostrom and Arjun Sambamoorthy demonstrated how to hijack various common video surveillance systems and extract, record and replace video on their servers, providing attackers a way to replace video of a physical intrusion with looped video showing no intrusion.
Case 7
As a global security consultant, I sometimes get called to evaluate system weaknesses. Here’s an example of one involving a physical security vulnerability to IT attacks.
At an overseas facility that had switched out all of its exterior analog security video cameras for IP cameras, I noticed that bare IT cables were attached to a wall in a publicly accessible parking structure (one could simply walk into the structure). Following the cables, I discovered that the cable was an un-conduited connection to a small consumer-grade digital switch contained within an electrical panel near the parking gate.
This panel sat on a raised curb next to an adjacent parking space, and the door swung into a walkway next to the parking space, making the panel accessible to the parking space. The lock on the panel was broken, so it could be opened by anyone and there was no tamper switch on the panel, so no alarm would have been reported upon opening the panel. The digital switch inside the panel served several IP cameras, two security intercoms and an access control panel, all located near the parking gate.
12
13
14
9/14/2020 The Compelling Case for Unifying IT and Physical Security | Security Industry Association
https://www.securityindustry.org/2017/11/20/the-compelling-case-for-unifying-it-and-physical-security/ 10/24
Sni�ng the connection, we realized that unencrypted tra�c on all of these systems �owed through the digital switch. This parking space provided unhindered access to the security system IP network including the video servers and access control system servers. In other words, using information readily available on the internet, this security system could be hacked into while sitting in a car in the public parking structure, providing the hacker with the ability to remotely unlock vehicle gates and doors, bypass alarms, guide the intruder through the facility and into the most restricted areas of the facility, and after having left, he could overwrite the video with looped video showing no intrusion during the time period of the intrusion. Because this was an enterprise-class system connecting every facility in the organization, the hacker could gain entry to any facility in the entire enterprise, all from the comfort of his car.
This would classify as a failure of both IT and physical security for the organization on a colossal scale. And we see things in some way like this almost every month.
IT and Physical Security – Or Just One Security Model Including Both?
Have one goal: overlapping security. Understanding that IT security attacks often involve physical security breaches and physical security breaches sometimes involve IT security hacks means a dedication to both is necessary.
From the illustrations above, we can see that an organization’s physical security and their IT security are each at risk from vulnerabilities in the other. One cannot secure their organization without securing both properly. Each is dependent on the other. While lawsuits against organizations involving physical security insu�ciencies abound, failure to comply with IT security requirements, particularly HIPAA (Health Insurance Portability and Accountability Act) compliance, can have truly profound and devastating e�ects on the organization and individuals within the organization who violate HIPAA guidelines and regulations. In one case in 2010, a former UCLA Healthcare System surgeon was sentenced to four months in prison for a HIPAA violation. In April 2013, Helene Michel, the former owner of a Long Island, N.Y., medical supply company, was sentenced to 12 years in prison in a case that included criminal HIPAA violations.
Compliance violation �nes can also be severe. In 2014, a New York Hospital and major university were �ned $4.8 Million for HIPAA violations. Small businesses are not immune either. Mom and pop businesses have been hit with �nes and remediation costs, legal fees and others totaling up to six �gures. Since October 2006, Visa has levied $3.3 million in �nes for post-incident discovery of non-compliance, with more than 80 percent of the credit card breaches having occurred at small businesses. It’s not any better for enterprise class organizations. “… Target incurred a $162 million loss over 2013–2014 after its data breach, in addition to experiencing a staggering 46 percent drop in pro�ts in the Q4 2013 holiday shopping season immediately following the attack. More recently, the company has agreed to pay $67 million to �nancial institutions that issued credit cards for which the security was compromised in the breach. And now the courts have opened the gates for banks a�ected by the attack to �le additional class action suits against the retailer.” And this does not include the long- term loss of business due to the damage to their business reputation. Data loss incidents can be very, very expensive.
15
16
17
18
19
20
9/14/2020 The Compelling Case for Unifying IT and Physical Security | Security Industry Association
https://www.securityindustry.org/2017/11/20/the-compelling-case-for-unifying-it-and-physical-security/ 11/24
The “Ponemon Institute 2016 Cost of Data Breach Study: Global Analysis” reported that the average organizational cost of data breach in the U.S. rose from $5.85 million in 2014, to $6.53 million in 2015, to $7.01 million in 2016.
So compliance with IT security standards is essential to the welfare of the organization, whether large or small. It is essential then, that organizations large and small secure both their IT systems and data, and their physical access to the facility containing sensitive information, whether in paper or binary form.
A Compliance-Based Data Loss Protection Plan
A comprehensive IT/physical security program requires a plan. Nearly every organization today falls under one or more data privacy compliance standards. This is not only one of the best ways to start a data protection plan, but to take any other approach risks putting the organization into non-compliance and subjecting it to legal penalties.
The major compliance standards include:
HIPAA (Health Insurance Portability and Accountability Act): HIPAA applies to any business that touches health care records with personally identifying information (PII), including hospitals, clinics, senior care facilities, pharmacies, even janitorial �rms and security �rms, etc., that could see such records in a health care environment.
SOX (Sarbanes Oxley Act of 2002): SOX is designed to protect shareholders and the public from accounting errors and fraudulent practices from a�ected organizations.
FISMA (Federal Information Security Management Act of 2002): FISMA protects government information, operations and assets against natural or man-made threats.
GLBA (Gramm Leach Bliley Act): GLBA requires many companies to protect themselves against unauthorized access, anticipate security risks, and safeguard a consumer’s nonpublic information. It also prohibits individuals and companies from obtaining consumer information using false representations. GLBA also gives consumers privacy notices that explain the institutions’ information-sharing practices.
FERPA (Family Educational Rights and Privacy Act): FERPA gives parents access to their child’s education records, an opportunity to have the records amended, and some control over the disclosure of information from the records.
PCI/DSS (Payment Card Industry Data Security Standard): PCI/DSS is the premier compliance standard in the private sector and it applies to any business or individual that is processing payments by Visa, MasterCard, American Express, Discover and JCB. Companies and organizations perform validation annually, by an external quali�ed security assessor (QSA) or by a �rm-speci�c internal security assessor (ISA) who creates a report on compliance (ROC) for those companies that are processing large volumes of transactions. For smaller companies, a self-assessment questionnaire (SAQ) is used.
21
9/14/2020 The Compelling Case for Unifying IT and Physical Security | Security Industry Association
https://www.securityindustry.org/2017/11/20/the-compelling-case-for-unifying-it-and-physical-security/ 12/24
These are the most common data privacy protection compliance standards. There are additional federal, state and contractual standards that may apply.
There is a huge security exposure for any organization accepting credit card payments. These businesses are easy targets for hackers due to the inadequate technical security provisions available from the credit card industry, and the penalties and all of the risk have been pushed down from the �nancial institutions and payment processors, down to the companies that accept credit cards. Finally, the �nancial penalties for non-compliance for businesses that accept credit cards can be crushing, especially on small and medium-sized businesses.
It is unlikely that any single organization will be held accountable under more than a few of these requirements. But it is certainly necessary for every organization today to understand which standards and acts they are held accountable under. Remember, penalties for non- compliance can be severe, and for small businesses, it could mean the end of their business.
The following is a 10-point plan to get any organization to full compliance with government (HIPAA, SOX, FERPA, GLBA and FISMA, etc.) and contractual obligations (PCI/DSS), and can also help secure the treasured data from unauthorized access, disclosure and harm.
1. Get a “C-Level” Commitment to Security
C-level executives set the culture for the entire organization. Others follow their example. When a C-level executive short-cuts security measures, you can expect that others will too. When they are scrupulous in following security policy, others will be too. So commitment from the “C-suite” to security policy is essential to the success of the program, and essential to the success of the organization. This commitment minimizes not only the organization’s risk of security incidents themselves, but also minimizes the organization’s risk of �ndings of negligence related to a compliance-involved security breach, which may occur no matter what security measures are taken. It is important to understand that security breaches do occur, even to the best prepared organizations (the NSA, for example). And when the compliance auditors come to examine the breach, a �nding that the organization has taken reasonable measures to prevent and mitigate a breach goes a long way towards keeping any compliance �nes as low as possible, or nothing. Obvious non-compliance, the lack of a coordinated security program either in IT security or physical security can result in six-�gure �nes, and for some individuals, jail time.
One of the C-level executives should be named as the chief security compliance o�cer. This is essential because, in the event of a compliance-related security breach, the C-suite will be held responsible by the compliance agency for the breach and may in some cases be held individually responsible for �nes and other penalties. It is far better for a C-level executive to take that responsibility on so that the security program has guidance from a company o�cer who is committed to the success of the program, and the authority to ensure that commitment is followed by everyone in the organization.
22
9/14/2020 The Compelling Case for Unifying IT and Physical Security | Security Industry Association
https://www.securityindustry.org/2017/11/20/the-compelling-case-for-unifying-it-and-physical-security/ 13/24
2. Know Your Legal Obligations for Data Protection
Few organizations thoughtfully realize that security is part of the core mission of their organization.
Every organization begins with a mission. It develops programs in support of that mission, and those programs acquire four kinds of assets:
people: employees, contractors, vendors and customers
property: real property, �xtures, furnishings and equipment including IT systems
proprietary information: information to be safeguarded, especially under mandated compliance requirements
the organization’s brand: the business reputation of the organization
Intrinsic in the sustainability of any organization is the obligation to keep those four classes of assets secure. Organizations often think of security as a non-revenue producing business unit that usually cannot display its value as well as, for example, the accounting department can. But a relaxed attitude about security can lead to disastrous results, especially in compliance areas.
Every organization must know the compliance standards that it is mandated to follow. Ignorance of such is not an acceptable excuse.
Compliance standards may emanate from federal or state laws or regulations, and are enforced by federal or state agencies, or by civil or criminal lawsuit.
Compliance standards may also emanate from private contracts with other organizations, such as �nancial or health care institutions.
Many small and medium-sized businesses may not even be aware that they are legally obligated to follow speci�c compliance standards, those legal obligations being part of a private contract that the organization may have signed. Those obligations have legal and �nancial rami�cations.
The two most common ways to determine what compliance standards your organization is required to follow are to �nd an attorney who specializes in data loss protection compliance law, or to use a software program such as ZenGRC from Reciprocity that walks you through a series of questions to determine which federal, state and commercial compliance standards may apply to your organization.
Understand What Assets Need Protection
Classify your assets by criticality. The top critical assets of every organization include:
23
9/14/2020 The Compelling Case for Unifying IT and Physical Security | Security Industry Association
https://www.securityindustry.org/2017/11/20/the-compelling-case-for-unifying-it-and-physical-security/ 14/24
people
business operations
business reputation (the brand)
proprietary information, especially compliance-related information that the organization is legally obligated to protect and defend
3. De�ne Your Risks
The simpli�ed risk formula R = P*V (Risk = Probability * Vulnerability) includes the probability of threat scenarios occurring multiplied by vulnerability.
IT security vulnerabilities include, among others, poor user authentication, inadequate and miscon�gured �rewalls, failure to read logs, rogue access devices, company data stored on personal devices, mobile devices, and unpatched and unpatchable devices.
IT security threats include disgruntled and negligent employees (insider threats), third-party service providers, malware (especially ransomware), targeted hacking and email phishing, among others.
Key mistakes include overreliance on security monitoring software, technology innovations that outpace security provisions, outdated operating systems, lack of encryption, organization data on unregistered user-owned mobile devices, IT “diplomatic immunity” within your organization, lack of management support, challenges recruiting and retaining quali�ed IT sta�, and failure to segregate IT security audit duties.
Firms should understand the source of threats and weigh the probability of being struck by each. For example, malware and phishing attacks have a much higher likelihood of occurring than a targeted attack. However the potential for damage from a targeted attack, if carried out, is much higher; especially against highly proprietary information such as compliance mandated PII, trade secrets, patents, formulas and the business reputation, etc.
Then, perform an IT system audit to evaluate the system vulnerabilities. This includes:
data loss protection measures (for data at rest and data in motion)
data backup measures (frequency, completeness and immunity from ransomware) … and don’t forget backup images of servers and workstations (operating systems, applications and con�gurations)
map the infrastructure
map the endpoints including wired, wireless and mobile devices including printers
24
25
9/14/2020 The Compelling Case for Unifying IT and Physical Security | Security Industry Association
https://www.securityindustry.org/2017/11/20/the-compelling-case-for-unifying-it-and-physical-security/ 15/24
map the operating systems in use by all servers and endpoints, ideally including patch/update status
review the IT security policies and procedures
review applications in use and their update status (understand that some applications may not be compatible with the latest patches of certain software on the machine, for example some apps may not work with the latest version of Flash, or the operating system may not be compatible with the latest version of an application … hint: operating system update is indicated)
All of this above establishes the IT security risk (R=P*V).
4. Perform a Gap Analysis
Compare what the organization is legally required to do for IT security (from a mandated compliance standpoint) with the vulnerabilities exposed in the system audit. The delta is the gap that must be �lled to be compliant. This forms the basis for the IT security implementation plan, which typically includes factors such as:
existing equipment and software (determines compatibilities and incompatibilities)
business culture (determines user interfaces, if applicable)
�nancial issues (for example, can the organization a�ord managed services vs. something less proactive?)
end user preferences, if any
5. Set Forth an IT Security Implementation Plan
The gap analysis will help create a roadmap for what policies, procedures, hardware, software and con�gurations are needed to bring the IT system from where it is now relative to full compliance, to where it needs to be to achieve full compliance.
Create an implementation plan from the gap analysis.
Budget and acquire necessary hardware, software and third-party assistance to implement the plan, prioritized by the highest priority assets and any exigent emergencies.
Schedule the implementation plan based on priorities above.
Implement controls for the minimum acceptable downtime.
Verify system operations after each part of the implementation plan to be sure that one doesn’t need to step back due to an incompatibility.
Verify that the desired readiness to pass a compliance audit is reached
9/14/2020 The Compelling Case for Unifying IT and Physical Security | Security Industry Association
https://www.securityindustry.org/2017/11/20/the-compelling-case-for-unifying-it-and-physical-security/ 16/24
Verify that the desired readiness to pass a compliance audit is reached.
6. De�ne the Physical Security Risks
The same four top critical assets apply to physical security for the organizations:
people
business operations
business reputation (the brand)
proprietary information, especially information that they are legally obligated to protect the privacy of
Again, Risk = Probabilities * Vulnerabilities. Probability is comprised of the applicable threat scenarios.
Determine Possible Threat Actors and Likely Threat Scenarios
Physical security threat actors may include terrorists, violent criminals, economic criminals, activists and petty criminals.
The possible threat scenarios will depend on the physical environment at the facility and the existing countermeasures in place. It is best to retain a quali�ed consultant to determine possible threat scenarios. Malicious IT threat actors who would gain access through physical vulnerabilities should be included in the threat scenario mix. From the list of considered scenarios, estimate the probabilities prioritized by asset criticality (focus on people).
Assess the Physical Security Vulnerabilities
An assessment of the organization’s physical security vulnerabilities should include a review of:
where unauthorized access may be occurring, or could occur
where entrances and exits to critical spaces may not have a quality working security video camera
where undetected and/or unobserved intrusions could occur to the property, the buildings and critical areas within the buildings
the access control process to make certain that access credentials are su�cient, up-to- date, and that the access control database is current and that granted access areas are kept up-to-date to be appropriate for the users
the physical security policies and procedures, including hiring background checking as it relates to security vetting, and look for any discrepancies against the needs of the organization
current security sta�ng to be certain that it �ts the current needs of the organization
9/14/2020 The Compelling Case for Unifying IT and Physical Security | Security Industry Association
https://www.securityindustry.org/2017/11/20/the-compelling-case-for-unifying-it-and-physical-security/ 17/24
Calculate the Risk: Risk = Probability * Vulnerability
7. Perform a Physical Security Gap Analysis
Review the risk analysis and create a gap analysis from the remaining vulnerabilities after looking at the risk minus the existing mitigating measures.
8. Create a Physical Security Plan
From the gap analysis, create a proposed physical security implementation plan, which will include:
update to physical security policies and procedures
policy driven vulnerability patches (additional card readers, alarm points, video cameras, intercoms, etc.)
updates to security sta�ng, if needed
budget and acquire necessary security hardware, software, con�gurations and sta�ng
implement the plan
review the results to be sure it is meeting the needs of the organization
9. Training and Testing
Both IT security and physical security policies need to be pushed out to employees in a way that can help ensure the success of the program. Employees who are not aware of security policies cannot be expected to follow them. Review C-suite security policy compliance and remind if necessary that employees emulate what they see from upper management.
Employee training and compliance involves �ve elements:
Update the employee policy manual and ensure that all employees sign o� on the updates.
The Compelling Case for Unifying IT and Physical Security © 2016 Security Industry Association 14
Provide ongoing training on areas of widespread non-compliance.
Counsel individual employees on individual non-compliance.
Test employees on compliance (bait phishing emails, be observant of employees who indicate resistance to security policies and may have expressed a willingness to circumvent the security policies and record the non-compliance for counseling).
9/14/2020 The Compelling Case for Unifying IT and Physical Security | Security Industry Association
https://www.securityindustry.org/2017/11/20/the-compelling-case-for-unifying-it-and-physical-security/ 18/24
Discipline (advisory notice, up to termination) for repeated evidence of non- compliance.
10. Putting It All Together
When developing the security plans for both IT security and physical security, pay special attention to how cyber risks can create physical security vulnerabilities and how physical security risks can create cyber vulnerabilities.
Cyber risks that can create physical security vulnerabilities:
IP devices outside the skin of the building that are not on their own VLAN and �rewalled
digital switches that h ave open unused ports
no VLAN between the physical security system and the organization’s business network
shared physical security/business IT system servers
unencrypted communications on the physical security system (should be encrypted all the way to the endpoints)
switches that are not “locked” onto the MAC address and (if possible) the chipset of the attached endpoint, allowing a replaced device attack
switches that are not con�gured to lock out any device if the connected device is disconnected (I know, it’s a pain to reprogram each time you replace a failed device, but this con�guration completely blocks anyone who unplugs a device and tries to tap into the new open port.)
Physical Security Vulnerabilities That Can Create Cyber Risks :
Pay attention to employee vetting. Ask the NSA about Edward Snowden, ask the Army about Private Bradley Manning, ask any organization about the one they took just because he looked good to the interviewer and turned out to be a criminal afte rwards. Every organization needs to have good criminal background and psychological vetting. And trust me, criminal background vetting can be done in a way that does not violate a paroled or fully served criminal from getting a good job. Just don’t allow a person with a criminal history in say, identity theft to get anywhere near personal identifying information.
Keep all cabinets with IP connection in them locked and �tted with an operating tamper switch.
Ensure that all digital switches, routers and servers are located behind locked doors (that are kept locked!), and the rooms they are in are �tted with motion detectors and security video cameras.
9/14/2020 The Compelling Case for Unifying IT and Physical Security | Security Industry Association
https://www.securityindustry.org/2017/11/20/the-compelling-case-for-unifying-it-and-physical-security/ 19/24
Keep security servers in locked racks �tted with tamper switches. Keep video cameras viewing sensitive areas out of the view of the public or non- quali�ed viewers.
Make sure that the physical security system is �rewalled and equipped with an IP intrusion detection system and that the �rewall and server logs are viewed or audited daily (best if by automated software, followed by a quali�ed analyst or manager for the �ltered log report).
Disconnect all USB and DVD drives on security workstations except for the workstation that is designated to export security text reports and video incident report DVDs.
Summary
Both IT security and physical security will always have exposed vulnerabilities. Increasingly skilled threat actors look for and exploit these vulnerabilities within each discipline, and increasingly across the chasm between IT security and physical security. There really isn’t a line anymore. Vulnerabilities in one system can and are easily being used to exploit the other. Compliance driven requirements can present great exposure to the organization, where vulnerabilities can be exploited. Organizations should blend both physical security and IT security programs for their own welfare, using specialists in each domain who work together to seal the doors against determined threat actors. This additional element will also further assist in reducing the organization’s liability exposure for any compliance breaches that may occur.
The risk model outlined in the paper is a simpli�ed risk model (to keep the text within length). Each of the elements discussed herein contain other constituent components that may need to be explored, especially if the case in point is an enterprise-class organization.
Constituent Components
Risk components:
probability (or likelihood)
vulnerability
(rank risks by consequences)
consequences (can be applied to each asset)
asset value to the sustainability of the organization
asset value to ongoing operations
asset value in terms of direct and indirect costs of a breach
Probability components:
h i
9/14/2020 The Compelling Case for Unifying IT and Physical Security | Security Industry Association
https://www.securityindustry.org/2017/11/20/the-compelling-case-for-unifying-it-and-physical-security/ 20/24
threat scenarios likelihood
Vulnerability components:
accessibility
surveillance opportunities
intrinsic vulnerability (with no countermeasures)
natural countermeasures
physical measures (locks, barriers, fences, lighting, etc.)
electronic measures (access control, video, communication, etc.)
operational measures
Thomas L. Norman ([email protected] (mailto:[email protected])) is global security consultant for Ingram Micro (http:/ / www.ingrammicro.com/ (http://www.ingrammicro.com/)).
References
1. Items 1 and 2 above are both referenced from Rand Corporation, “Emerging Threats and Security Planning – How Should We Decide What Hypothetical Threats to Worry About,” Rand Occasional Paper, Homeland Security Division, 2009, Rand Corporation. 2. PCI Fines for SMB businesses can reach up to $100,000 per month of non-compliance, possibly bankrupting some SMB businesses. PCI NonCompliant Consequences, http:/ / www.focusonpci.com/ site/ index.php/ PCI-101/ pci- noncompliant-consequences/ Print.html (http://www.focusonpci.com/site/index.php/PCI-101/pci- noncompliant-consequences/Print.html) 3. CSO Magazine, “Does a data breach really a�ect your �rm’s reputation?” by Doug Drinkwater, CSO, January 7, 2016. 4. Chief Executive Magazine, “Existential Threats: 5 Tips for Educating Boards on Data Security” by Brian Sta�ord, February 17, 2016, http:/ / chiefexecutive.net/ existential-threats-5-tips-for-educating-boards-on- data-security/ (http://chiefexecutive.net/existential-threats-5-tips-for-educating-boards-on-data- security/ ) 5. Security InfoWatch, “When will your data breach happen: Not a question of if but when,” by David Barton, March 10, 2015. 6. Cato Institute, “CATO at Liberty,” by Julian Sanchez, August 19, 2016, http:/ / www.cato.org/ blog/ nsa- hackers-hacked?gclid=CKGF15aK2M4CFdg9gQod_P8Ftw (http://www.cato.org/blog/nsa-hackers- hacked?gclid=CKGF15aK2M4CFdg9gQod_P8Ftw) 7. Business Insider, “Edward Snowden: Russia might have leaked alleged NSA cyberweapons as a warning,” by Rob Price, August 15, 2016, http:/ / www.businessinsider.com/ shadow-brokers-claims-to- hack equation group group linked to nsa 2016 8 (http://www businessinsider com/shadow
9/14/2020 The Compelling Case for Unifying IT and Physical Security | Security Industry Association
https://www.securityindustry.org/2017/11/20/the-compelling-case-for-unifying-it-and-physical-security/ 21/24
hack-equation-group-group-linked-to-nsa-2016-8 (http://www.businessinsider.com/shadow-
brokers-claims-to-hack-equation-group-group-linked-to-nsa-2016-8) 8. ARS Technica, August 22, 2016, “Hints suggest an insider helped the NSA “Equation Group” hacking tools leak,” by Sean Gallagher. 9. SC Magazine, “U.S. Veteran A�airs Department settles data breach case,” by Chuck Miller, January 28, 2009, http:/ / www.scmagazine.com/ us-veteran-a�airs-department-settles-data-breach-case/ article/ 126518/ (http://www.scmagazine.com/us-veteran-a�airs-department-settles-data-breach- case/article/126518/) 10. ThreatPost, “Botnet Powered by 25,000 CCTV Devices Uncovered,” by Chris Brook, June 28, 2016 https:/ / threatpost.com/ botnet-powered-by-25000-cctv-devices-uncovered/ 118948/ (https://threatpost.com/botnet-powered-by-25000-cctv-devices-uncovered/118948/) 11. Wired Magazine, “Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid,” by Kim Zetter, March 3, 2016 https:/ / www.wired.com/ 2016/ 03/ inside-cunning-unprecedented-hack-ukraines- power-grid/ (https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines- power-grid/) 12. Bloomberg Technology News, “Mysterious ’08 Turkey Pipeline Blast Opened New Cyberwar,” by Jordan Robertson and Michael Riley, December 10, 2014, http:/ / www.bloomberg.com/ news/ articles/ 2014-12- 10/ mysterious-08-turkey-pipeline-blast-opened-new-cyberwar (http://www.bloomberg.com/news/articles/2014-12-10/mysterious-08-turkey-pipeline-blast- opened-new-cyberwar) 13. DEFCON Communications Inc., DEF CON 23 Presentation by Dennis Malsonado, KLC Consulting, https:/ / media.defcon.org/ DEF%20CON%2023/ DEF%20CON%2023%20presentations/ DEFCON-23- Dennis-Maldonado-Are-we-really-safe-bypassing-access-control-systems-UPDATED.pdf (https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23- Dennis-Maldonado-Are-we-really-safe-bypassing-access-control-systems-UPDATED.pdf) 14. ViperLab, Sipera Systems, DEF CON 17, “Advancing Video Attacks with Video Interception, Recording, and Replay,” by Jason Ostrom and Arjun Sambamoorthy, July 31, 2009, https:/ / www.defcon.org/ images/ defcon-17/ dc-17-presentations/ defcon-17-ostrom-sambamoorthy-video_application_attacks.pdf (https://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-ostrom- sambamoorthy-video_application_attacks.pdf) 15. Outpatient Surgery, “UCLA Researcher Gets Jail Time for HIPAA Violations,” April 2010, http:/ / www.outpatientsurgery.net/ surgical-facility-administration/ legal-and-regulatory/ ucla-researcher- gets-jail-time-for-hipaa-violations-corrected-version--04-29-10 (http://www.outpatientsurgery.net/surgical-facility-administration/legal-and-regulatory/ucla- researcher-gets-jail-time-for-hipaa-violations-corrected-version--04-29-10) 16. InfoRiskToday, “Prison Term in HIPAA Violation Case,” by Marianne Kobasuk McGee, February 20, 2015, https:/ / www.inforisktoday.com/ prison-term-in-hipaa-violation-case-a-7938 (https://www.inforisktoday.com/prison-term-in-hipaa-violation-case-a-7938) 17. HHS.gov, “Data Breach Results in $4.8 Million HIPAA Settlements,” May 7, 2014, http:/ / www.hhs.gov/ about/ news/ 2014/ 05/ 07/ data-breach-results-48-million-hipaa-settlements.html (http://www.hhs.gov/about/news/2014/05/07/data-breach-results-48-million-hipaa- settlements.html ) 18. PMQ Pizza Magazine, “Don’t Let Credit Card Fraud Put You Out of Business,” by Tracy Morin, May 2016 http:/ / www.pmq.com/ May-2016/ Dont-let-credit-card-fraud-put-you-out-of-business/ (http://www.pmq.com/May-2016/Dont-let-credit-card-fraud-put-you-out-of-business/) 19. Braintree, “PCI Compliance Fines for Small Business Breaches,” October 17, 2007 https:/ / www.braintreepayments.com/ blog/ pci-related-�nes-for-breaches-at-small-businesses/ (https://www.braintreepayments.com/blog/pci-related-�nes-for-breaches-at-small-businesses/) 20. Chief Executive Magazine, “Existential Threats: 5 Tips for educating Boards on Data Security,” by Brian
9/14/2020 The Compelling Case for Unifying IT and Physical Security | Security Industry Association
https://www.securityindustry.org/2017/11/20/the-compelling-case-for-unifying-it-and-physical-security/ 22/24
Sign up for the SIA Update Newsletter KEEP UP WITH SECURITY INDUSTRY & SIA NEWS
Sta�ord, February 17, 2026, http:/ / chiefexecutive.net/ existential-threats-5-tips-for-educating- boards-on-data-security/ (http://chiefexecutive.net/existential-threats-5-tips-for-educating- boards-on-data-security/) The “Ponemon Institute 2016 Cost of Data Breach Study: Global Analysis” reported that the average organizational cost of data breach in the U.S. rose from $5.85 million in 2014, to $6.53 million in 2015, to $7.01 million in 2016. 21. Business Law Today, “The Practical Tech Lawyer: Advising a Company on Data Security Compliance,” by Theodore F. Claypoole, November 2014, http:/ / www.americanbar.org/ publications/ blt/ 2014/ 11/ 04_claypoole.html (http://www.americanbar.org/publications/blt/2014/11/04_claypoole.html) 22. Thomson Reuters, “Demonstrating how non-compliance can mean the end of a �rm or career,” December 3, 2014, http:/ / thomsonreuters.com/ en/ articles/ 2014/ demonstrating-how-non- compliance-mean-the-end-of-a-�rm-or-career.html (http://thomsonreuters.com/en/articles/2014/demonstrating-how-non-compliance-mean-the-end- of-a-�rm-or-career.html) 23. InformationWeek, DarkReading, “It’s Time to Treat Your Cyber Strategy Like a Business,” by Jason Polancich, January 9, 2015, http:/ / www.darkreading.com/ messages.asp? piddl_msgthreadid=22391&piddl_msgid=278778 (http://www.darkreading.com/messages.asp? piddl_msgthreadid=22391&piddl_msgid=278778) 24. Includes information from: CIO Magazine, “6 Biggest Business Security Risks and How You Can Fight Back,” by Jennifer Lono� Schi�, January 20, 2015, http:/ / www.cio.com/ article/ 2872517/ data-breach/ 6- biggest-business-security-risks-and-how-you-can-�ght-back.html (http://www.cio.com/article/2872517/data-breach/6-biggest-business-security-risks-and-how-you- can-�ght-back.html) 25. Includes information from: Berry Dunn, “The Top 10 Information Security Risks for 2015,” http:/ / www.berrydunn.com/ news-detail/ top-10-information-security-risks (http://www.berrydunn.com/news-detail/top-10-information-security-risks )
(https://www.securityindus try.org/2018/06/19/gauging- the-risks-of-connected- security-devices/)
(https://www.securityindus try.org/2019/08/05/sia- member-pro�le- aerodefense/)
(https://www.securityindus try.org/2016/04/01/it- security/)
SIGN UP (HTTPS://MYSIA.SECURITYINDUSTRY.ORG/NEWUSER.ASPX)
9/14/2020 The Compelling Case for Unifying IT and Physical Security | Security Industry Association
https://www.securityindustry.org/2017/11/20/the-compelling-case-for-unifying-it-and-physical-security/ 23/24
SIA Center of Excellence (https://www.securityindustry.org/knowledge-center/)
Member Resources (https://www.securityindustry.org/member-resources/)
Industry Standards (https://www.securityindustry.org/industry-standards/)
Industry Events Calendar (https://www.securityindustry.org/upcoming-events/events/)
Professional Development (https://www.securityindustry.org/professional-development/)
Facebook (https://www.facebook.com/SecurityIndustryAssociation)
Twitter (https://twitter.com/SIAonline)
LinkedIn (https://www.linkedin.com/company/53084?trk=tyah)
YouTube (https://www.youtube.com/user/SIAonlineTV)
Join SIA (https://www.securityindustry.org/join-sia/)
SIA Store (https://mysia.securityindustry.org/ProductCatalog/Default.aspx)
About SIA (https://www.securityindustry.org/about-sia/)
Member Directory (https://mysia.securityindustry.org/Directories/Browse.aspx? Type=Company)
Newsroom (https://www.securityindustry.org/member-resources/newsroom/)
Premier sponsor of ISC expos and conference. (https://www.iscwest.com/)
8405 Colesville Road, Ste 500 Silver Spring, MD 20910 (https://www.google.com/maps/place/Security+Industry+Association/@38.9949857,-77.03361 17,17z/data=!3m1!4b1!4m5!3m4!1s0x89b7c8b8f0321b85:0x43b6b8ecc4f67582!8m2!3d38.994 9857!4d-77.0314177)
Main: 301-804-4700 (tel://301-804-4700) Fax: 301-804-4701 (fax://301-804-4701) Email: [email protected] (mailto:[email protected]) Contact Us (https://www.securityindustry.org/about-sia/contact-us/)
9/14/2020 The Compelling Case for Unifying IT and Physical Security | Security Industry Association
https://www.securityindustry.org/2017/11/20/the-compelling-case-for-unifying-it-and-physical-security/ 24/24
SIGN UP FOR THE SIA UPDATE NEWSLETTER CREATE AN ACCOUNT TO SUBSCRIBE TO OUR COMMUNICATIONS, INCLUDING OUR WEEKLY SIA UPDATE
AND OTHER MESSAGES.
Copyright © 2020 Security Industry Association · Privacy Policy (https://www.securityindustry.org/privacy-policy/) · Terms of Use (https://www.securityindustry.org/terms-of-use/)
SIGN UP (HTTPS://MYSIA.SECURITYINDUSTRY.ORG/NEWUSER.ASPX)
