
You see far-fetched Hollywood examples of the most unlikely scenarios resulting in a data breach due to a lack of physical security. An example is in Mr Robot, where the protagonist gets into a data warehouse and plants a rogue Raspberry Pi to destroy all the data. While it is unlikely that all the conditions that occurred would happen... they could. Because of that, almost all security standards and frameworks have large sections on physical security policies.

I'm currently dealing with an argument where the risk is 1 in a million that the 4am milk lady, who delivers without supervision to the fridges, walks past the server closet that has been left open and decides to plug in a rogue device.

While yes, it's laughable that it would happen... it could. More so, I see the risk in 10 years' time, when the milk lady is replaced with someone more motivated and the process has not changed. Both the server closet being left open and unsupervised guests in particular areas are large risks.

But to executives it just seems too movie-esque for them to take it seriously. Are there any large corporation breaches due to a lapse in physical security that could be used as supporting evidence to justify the case for improvement?

Cyassin
  • 8 years in this field tells me that while the "risk" for the attacker is higher in attempting an attack which requires physical access, it is also where there is the biggest margin for exploitation and many many vulnerabilities to be exploited exist. But this is strictly an opinion based question. With keyboard skimmers/miniature cameras/cheap cellular data easily available, physical security is probably one of the more important aspects of Infosec today. And as the answer below says, no one will publicize cases willingly where their physical security lapse led to a data breach. – Fahad Yousuf Oct 05 '17 at 10:53
  • 1
    At a colleague's workplace all plugs on vacuums were replaced with a different format and special sockets were put in after a cleaner unplugged a server rack to plug one in. – Hector Oct 05 '17 at 13:03
  • If you don't control access to your servers at all now, I expect something bad will happen in the future though I'd suspect a disgruntled employee far more than the milk lady. I imagine everyone runs with admin privileges as well. :) – topshot Oct 05 '17 at 13:36
  • @topshot the servers are generally locked, but they live next to the kitchen and I've on more than one occasion seen them left open with a chair to prevent them from locking. Policy and controls should be in place to prevent the server being left open, and to prevent unsupervised access from the milk lady. – Cyassin Oct 05 '17 at 23:19

3 Answers


Such breaches are topics for security breach engineering (through human weakness, mechanical breach). No organization is willing to risk its reputation to show its blunders.

All you can do is audit possible scenarios and implement corresponding policies.

Take the milk lady as an example: a camera and a double access door, plus a 10-second door-open alert alarm, will prevent a breach due to negligent physical entry.

It is possible to implement similar controls for important facilities like the CDC (Centers for Disease Control), but not all enterprises have the resources to implement such controls. So some level of damage control must also be implemented to confine possible breaches.

mootmoot
  • Worth noting this all comes down to risk vs cost. For a small company dealing in nothing controversial the risk of somebody specifically targeting them to the level of replacing / impersonating delivery staff is pretty slim. You could also expect staff to recognize someone unusual in the building. For a large corporate even your own staff should only have access to server cabinets for maintenance. – Hector Oct 05 '17 at 13:08
  • @Hector well, someday, little robot that can sneak into narrow air duct to do the job. ;-) – mootmoot Oct 06 '17 at 08:44
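The "10 seconds door open alert alarm" and the chair-propped closet from the question's comments are both things a badge/door controller log can surface. The following is an added example, not code from the original post or from any access-control product; the CSV-style log format, the event names (BADGE_OK, DOOR_OPEN, DOOR_CLOSE), the 10-second held-open limit and the 5-second badge-to-open window are all assumptions, and the log lines are constructed for the example. It flags a door held open past the limit (including one still open when the log ends, which is the propped-door case) and a door that opens with no recent accepted badge.

```python
"""Door-held-open and badge-less-entry detection over access-control log lines.

Added example for the answer above; not from the original Q&A.
Assumptions: lines are "ISO-timestamp,door,event"; events are BADGE_OK,
DOOR_OPEN, DOOR_CLOSE (anything else is ignored); thresholds below are
illustrative and would be tuned per site.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

HELD_OPEN_LIMIT = timedelta(seconds=10)  # assumed: the 10-second alarm in the answer
BADGE_WINDOW = timedelta(seconds=5)      # assumed: an open must follow a badge within 5 s


@dataclass
class Alert:
    door: str
    kind: str      # "HELD_OPEN" or "OPEN_WITHOUT_BADGE"
    at: datetime   # when the offending open started
    detail: str


def parse(line):
    """Split one assumed-format log line into (timestamp, door, event)."""
    ts, door, event = [f.strip() for f in line.split(",")]
    return datetime.fromisoformat(ts), door, event


def detect(lines, log_end=None):
    """Return alerts for doors held open too long or opened without a badge.

    A door still open when the log ends is treated as held open if it has
    been open longer than HELD_OPEN_LIMIT by log_end (default: last event).
    """
    alerts = []
    last_badge = {}  # door -> time of last accepted badge
    opened_at = {}   # door -> time the sensor reported the door open
    last_ts = None
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, door, event = parse(line)
        last_ts = ts
        if event == "BADGE_OK":
            last_badge[door] = ts
        elif event == "DOOR_OPEN":
            badge = last_badge.get(door)
            if badge is None or ts - badge > BADGE_WINDOW:
                alerts.append(Alert(door, "OPEN_WITHOUT_BADGE", ts,
                                    "door opened with no recent accepted badge"))
            opened_at[door] = ts
        elif event == "DOOR_CLOSE":
            start = opened_at.pop(door, None)
            if start is not None and ts - start > HELD_OPEN_LIMIT:
                secs = int((ts - start).total_seconds())
                alerts.append(Alert(door, "HELD_OPEN", start, f"open for {secs}s"))
    end = log_end or last_ts
    if end is not None:
        for door, start in opened_at.items():  # never closed: the propped-door case
            if end - start > HELD_OPEN_LIMIT:
                secs = int((end - start).total_seconds())
                alerts.append(Alert(door, "HELD_OPEN", start, f"still open after {secs}s"))
    return alerts


# Constructed sample log (not real data): a normal entry, a closet held open
# for 88 s, a kitchen door opened with no badge, and a closet left propped.
SAMPLE_LOG = """
2017-10-05T04:00:10,server-closet,BADGE_OK
2017-10-05T04:00:12,server-closet,DOOR_OPEN
2017-10-05T04:00:18,server-closet,DOOR_CLOSE
2017-10-05T04:03:00,server-closet,BADGE_OK
2017-10-05T04:03:02,server-closet,DOOR_OPEN
2017-10-05T04:04:30,server-closet,DOOR_CLOSE
2017-10-05T04:10:00,kitchen-door,DOOR_OPEN
2017-10-05T04:10:04,kitchen-door,DOOR_CLOSE
2017-10-05T04:15:00,server-closet,BADGE_OK
2017-10-05T04:15:01,server-closet,DOOR_OPEN
2017-10-05T04:20:00,kitchen-door,BADGE_OK
2017-10-05T04:20:01,kitchen-door,DOOR_OPEN
2017-10-05T04:20:05,kitchen-door,DOOR_CLOSE
"""


def run_sample():
    """Run the detector over the constructed sample; returns three alerts."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.at.isoformat()} {a.door} {a.kind}: {a.detail}")
```

The held-open check alone catches the chair-in-the-door habit; the badge-less open covers a door that opens without any badge presented, which is what a door left unlatched next to the kitchen looks like in the controller log. Whether a real controller exposes a door-contact sensor separately from the reader decides which of the two rules you can actually implement.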

Three examples come to mind, but it would be great to find more:

The Schwartz fallout covers a different kind of risk. If you don't have sufficient controls in place, honest people can make mistakes, and the repercussions can be damaging to the organization.

A different kind of example might be malware which is designed to spread using USB keys or similar, e.g., Flame. "... victims including governmental organizations, educational institutions and private individuals." Although this may not help resolve the issue of executives discounting it as "too movie-esque".

If I were an attacker, I would look towards compromising your tech support staff, facilities people, physical security personnel and vendors before I would think about the milk lady. She has so little opportunity to do anything.

mgjk

There are numerous stories from physical penetration testers. Seek those out. The common scenario is someone walking in with a windbreaker with "FIRE" on the back saying they are from the local fire department doing a site survey. They get unrestricted access to everything and no one asks questions. The testers plant all kinds of rogue devices on the premises.

The issue with the milk lady is that she might become motivated by an outside party. Blackmail, extortion, bribes, etc. And all the lady has to do is to "plug this USB stick into a server". I have personal stories that I simply cannot share on this example.

I would not say that it is laughable at all. There are very sad tales out there by people who ended up having no choice.

schroeder
  • Do you know of any real-world examples which could be shared? (i.e., not pentests and not hypothetical) – mgjk Oct 06 '17 at 14:29
  • @mgjk it's actually so common, nothing comes to mind. I have all kinds of stories where janitors unplugged servers to plug in vacuums, and such. But they tend not to make the major news. Everything I know of, I cannot share. The pentest examples could easily be carried out by malicious actors, though. I'm not sure why you would discount them. – schroeder Oct 06 '17 at 15:50
  • I think @Cyassin's point is valid "But to executives it just seems too movie-esque for the them to take it seriously". None of these janitors plugging in vacuums are examples of large scale breaches. Pentests can be discounted because although the mechanisms of their exploits are realistic, their risk and motives are not. – mgjk Oct 06 '17 at 17:25
  • @mgjk but the vacuum example is an instance of a complete production database wipe. Not a breach, but still in the top of the risk analysis (CIA). Pentests expose actual risk - if a pentester can do it, nothing stops a malicious actor, so no, you cannot discount pentests. Likelihood and impact remain constant. – schroeder Oct 07 '17 at 10:52
  • Likelihood and impact are completely different. If you stake your reputation on being able to compromise a DC, I then pay you to break into my DC and give you a "get out of jail free" card, I think I've significantly made it more likely that my DC will be broken into. – mgjk Oct 07 '17 at 12:03
  • Maybe approaching it from the angle of protecting innocent mistakes *is* easier than arguing megabreaches. Personal examples would include a floor buffer flinging a server across an unlocked lab, a rock-hammer drill plugged into a sensitive UPS, a breaker panel accessed by a frustrated electrical contractor allowed in by security who needed to "check something" tripping a whole row of breakers, etc. None of these made the news; they likely sound like made-up hypothetical situations to execs. – mgjk Oct 07 '17 at 12:12
  • @mgjk I think you missed an important point. You mentioned 'risk'. Risk is commonly measured by the relationship between likelihood and impact... You responded as though risk, likelihood, and impact have no relation .. – schroeder Oct 07 '17 at 12:34
  • No, I didn't miss it. The probability of occurrence is greatly increased by removing the perpetrator's risk of incarceration and actively paying them to attack you. It effectively removes controls which you're paying for with your taxes and provides incentive where none may have existed before. – mgjk Oct 07 '17 at 12:38
  • @mgjk Ah, so you meant, "The Likelihood and impact are completely different in a pentest". But, even if the likelihood increases, they are *real* examples that make the whole thing less movie-esque ... they are actual instances of physical weaknesses resulting in exposure. – schroeder Oct 07 '17 at 12:59