The Hackers Are At The Door
Cyber Security Considerations for Physical Security Deployments
In a world where virtually all devices of an electrical or mechanical nature can be connected to the Internet, physical security deployments can be compromised, or even rendered completely useless, should a remote adversary gain access.
This will likely occur when the level of InfoSec (information security) defences deployed to protect these assets is inadequate or poorly configured. An adversary who deems information so valuable that it justifies the intrusion will stop at nothing to compromise these systems. Given the plethora of automated hacking tools that exist, the anonymity enjoyed by these miscreants and the relatively low risk of prosecution, the likelihood of a breach is high if your organisation does not address information security risk appropriately.
Success in protecting your InfoSec assets relies on the acceptance that just like physical security, InfoSec is impossible to guarantee. Rather, the objective of information security is to make it so difficult for a would-be intruder to break into a system that it’s simply not worth their effort and they try elsewhere.
The Federal Government’s mandatory breach disclosure legislation will come into effect on the 22nd of February 2018. Breaches that occur due to poor information security deployments will incur the wrath of the Federal Government’s Privacy Commissioner, who will deem lax information security controls to be a poor excuse when determining punitive damages against culpable organisations. Organisations should evaluate the reputational and business risk associated with a cyber breach and prepare adequate risk treatment plans to mitigate this risk.
In considering where to begin devising your InfoSec approach, start with planning your strategy. Focus should be placed on:
- Establishing your clients’ levels of expectation
- Gaining your clients’ senior leadership buy-in
- Educating your client on why the appropriate information security posture is in their interest from a risk and compliance perspective.
- Determining responsibility for establishing, maintaining and monitoring controls.
- Designing the appropriate InfoSec controls that will protect the client’s environment, including technical controls, administrative controls and of course the physical controls.
- Ensuring that any disaster recovery or business continuity plans are updated to accommodate InfoSec related disruption events.
- Scheduling compliance checking and auditing of InfoSec systems to ensure that the systems are operating at the desired levels.
- Accepting the notion that it’s not if a breach will happen but when a breach will happen, ensuring that contingencies for such an event are planned for, rehearsed and evaluated.
- Accepting that information security is not a one-size-fits-all solution, nor is it set-and-forget.
- Documenting your plans, procedures and policies and making them easily accessible to the relevant personnel.
Once an Information Security Strategy has been devised, it needs to be implemented. A number of key areas will need to be addressed in order to meet the goals of a well-defined strategy:
- Deploying technical controls to secure your network, devices and electronic infrastructure. Within the physical security realm, it is critical to “harden” all IoT devices and networks from a software perspective, and to complement this by ensuring that access to these devices, both physical and logical, is restricted to authorised personnel only.
- Ensuring that software, firmware and applications are kept up to date. Ensure that patch management for all devices is planned for and implemented (including cameras, network switches, routers and IP based devices) and application / operating system updates are deployed as soon as practically possible.
- Securing any cloud-based services that the organisation may be using.
- Having a complete and verified backup of your data and ensuring that disaster recovery testing takes place regularly, to confirm that backed-up data is complete and accessible and that any restoration of services from backup systems meets the organisation’s downtime limits.
- Ensuring that your strategy addresses user education and awareness. For example, accidental data loss can come from a user choosing a weak or easily guessed password, or from a user inadvertently sending an email to the wrong recipient.
- Leveraging the services of a suitably qualified managed information security provider who can assist or augment your organisation’s skillset with the experience needed to provide the best possible InfoSec protection.
- Involving legal counsel in your strategy, whether internal counsel or an external firm that specialises in information security law.
- Transferring any residual risk to an appropriate cyber breach insurance policy that will insure against the costs associated with an incident response should a breach occur.
- Committing to regular InfoSec assessments, audits and reviews by an accredited and specialised external provider.
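The patch management point above (keeping cameras, switches, routers and other IP-based devices on current firmware) is easiest to audit when it is written down as a policy and checked mechanically. The following is an added example, not code from the article or from Sententia: it runs a firmware-baseline and patch-age check over a constructed device inventory. The model names, minimum versions, 90-day limit and the 2018-02-22 reference date are all assumptions chosen for the illustration.

```python
"""Patch-compliance check over an inventory of IP-connected physical security
devices (cameras, switches, routers). Constructed example, not from the article."""
from dataclasses import dataclass
from datetime import date

# Assumed policy: minimum approved firmware per model, and maximum days since last patch.
BASELINE = {"cam-x100": "4.2.1", "sw-24p": "2.0.9", "rtr-edge": "7.1.0"}
MAX_PATCH_AGE_DAYS = 90
AS_OF = date(2018, 2, 22)  # reference date for the staleness check (constructed)

# Constructed inventory export, one device per line: hostname,model,firmware,last_patched
INVENTORY = """\
lobby-cam-01,cam-x100,4.2.1,2018-01-15
carpark-cam-02,cam-x100,4.1.7,2017-06-02
core-sw-01,sw-24p,2.0.9,2018-01-20
edge-rtr-01,rtr-edge,6.9.2,2017-03-11
dock-cam-03,ptz-9000,1.0.0,2017-12-01
"""


@dataclass(frozen=True)
class Finding:
    host: str
    reason: str


def parse_version(v: str) -> tuple:
    """Turn '4.2.1' into (4, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def check_inventory(text: str, baseline: dict, as_of: date = AS_OF) -> list:
    """Return one Finding per policy violation; a single device may raise several."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, model, firmware, last_patched = [f.strip() for f in line.split(",")]
        required = baseline.get(model)
        if required is None:
            # A device nobody has set a baseline for cannot be shown to be patched at all.
            findings.append(Finding(host, f"model {model} has no approved firmware baseline"))
        elif parse_version(firmware) < parse_version(required):
            findings.append(Finding(host, f"firmware {firmware} below minimum {required}"))
        age = (as_of - date.fromisoformat(last_patched)).days
        if age > MAX_PATCH_AGE_DAYS:
            findings.append(Finding(host, f"last patched {age} days ago (limit {MAX_PATCH_AGE_DAYS})"))
    return findings


if __name__ == "__main__":
    for f in check_inventory(INVENTORY, BASELINE):
        print(f"{f.host}: {f.reason}")
```

Feeding a real inventory export into `check_inventory` turns the audit item on this list into a report that can be scheduled and kept as evidence.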
Deploying good information security controls will take effort and focus to achieve and will require constant vigilance. However, when properly planned, executed and maintained, these controls are both indispensable to the resilience of the organisation as well as vital to the long-term success of any electronically based and connected physical security deployment.
Story credit: Tony Vizza, Sententia