I'm writing a series of posts to follow up on my blog post titled "Data Loss Prevention - Without the New Blinky Boxes" which addressed some of the silliness that comes with believing that DLP comes in a box, or is a product you can buy to solve your DLP needs. Welcome to part 3 (part 1 here) (part 2 here)...
This post focuses on part of data loss prevention that comes from physical security interfacing with the technical security world.
While often missed, this component of security is one of the most critical when it comes to understanding, and fighting the loss of data in your organization in a very real, tangible way. There are three types of threats you want to be aware of from the physical perspective...
An attacker that is unaware that he or she is participating in an attack against their organization is particularly dangerous because of their appearance of innocence. When we are trying to hide malicious activities we give off micro-expressions, nervous twitches, or other signs that we're under stress... so when you can get someone who isn't aware they are exploiting an organization to do the dirty work and walk out with the bounty it's one of the best outcomes possible.
One of the ways this happens is when someone physically walks out of the building with corporate data they honestly didn't realize they were walking out with. All the wonderful technical security controls in the world won't prevent someone from picking up a decommissioned hard drive sitting outside the tech closet and taking it home with them thinking it's OK.
The crazy thing is this - these types of devices are often found on eBay, or sold at garage sales or given away to friends/family... without any regard for the type of data that's on these devices. I've personally seen people decommission and walk out with hardware they didn't know (legitimately didn't know) had corporate sensitive information on it... then put it on eBay without first putting a hammer or magnetic erasing device to the disks!
These are the unaware attackers - physical security can prevent this type of data loss by disallowing people from walking out with corporate devices, hardware without permission... and questioning everyone removing anything that appears non-standard.
Additionally, disposal of corporate assets falls under physical security as well! Sometimes people throw things away in a dumpster, say corporate sensitive documents, without realizing they should have been shredded... corporate physical security can find and correct this behavior before it becomes an incident.
Whether this is computer hardware, a stack of papers, or a stack of binders... asking questions to figure out what is leaving the corporate perimeter, why, and what will be done with it can prevent the unaware attacker from successfully leaking data.
I'm sure you've heard stories of people who have been blackmailed into attacking their own organizations - most of the stories read like spy novels. I can tell you for a fact that while some of these attacks are straight out of spy novels - many of them aren't quite so sexy.
Generally what you want to protect against in the reluctant attacker scenario is someone who is put in a bad position who will exfiltrate data from your organization and straight into the hands of a waiting puppet master. The physical security organization must be vigilant against employees, contractors, or visitors who act in inappropriate manners, and who attempt to exfiltrate data in any form.
A prime example from my own experience that does read a little like a spy novel is paraphrased like this... a call center employee who is struggling with her finances walks out to the employee parking lot to find an envelope tucked under the windshield wiper of her car.
The employee has a hand-written note that provides instructions for exactly what is requested in terms of data (credit card number, full name, social security number, phone number, address, etc), a USB stick to put the information on, $2,000 in cash and a photo of her daughter from earlier that morning in daycare.
The note is non-threatening, but firm and requests that the task be completed by the end of next week - slowly so as not to arouse suspicion - and that the result should be left under the wiper on the last Friday of the month much like this. The exchange will be another $8,000 a promise never to be heard from again... that is, if the employee keeps her mouth shut and does everything correctly.
The employee was terrified and did her job as the mysterious envelops instructed and left the information under the wiper on the USB stick - except that the physical security team was on the lookout and noticed that there was a stranger shuffling about the employee parking lot.
As the stranger made their way to this employee's car, physical security dispatched a call to investigate and upon arriving noticed the envelope and detained the stranger on company property for questioning... and called local law enforcement because the situation looked suspicious.
The employee was questioned separately and quickly unraveled the entire story, afraid for her child and life. With the help of the physical security team, the risk - at least in the near term - to the company and the employee was mitigated before it became a serious threat.
Perhaps the threat that physical security organizations can best assist with is that of the purposeful attacker. Someone who is trying to break into the server room to grab a hard drive, tape, or something else of value, the person who's opening up the "Shred" bins to try and pull out documents, or the contractor that stays late hours and tries to walk out with a backpack full of company secrets are the threats that can be spotted most readily by physical security teams.
At their disposal are technologies like badge systems, cameras and facial recognition systems, and training in detecting anomalous behavior. Physical security can, just like your information security program, handcuffed by poor funding resulting in poorly trained staff, poor technology, and permissive policies.
These all need to be fixed to a reasonable degree if your organization cares about data loss in any meaningful way. I've watched physical security teams catch attackers red-handed as they attempted to walk out with hardware that was ill-acquired claiming it was theirs. A great example of this is from a previous organization which employed inexpensive technologies and advanced techniques to ensure physical assets were not walking out of the organization's premises.
The examples goes that an employee was apparently disgruntled over being passed over for a promotion for a while, and had decided to supplement their income and personal hardware at home by taking some from the company.
Whether the activity was malicious or aimed at stealing data from the company is almost immaterial, and was never really determined but the attacker was caught nonetheless. You see, the physical security team had purchased asset tags for all of the company assets - laptops, servers, desktops, everything - and each asset was assigned and carefully cataloged to an employee.
When this employee attempted to walk out with a system that was not theirs the door guard noticed nervous behavior and stopped the employee for a random bag check on the assets... which made the employee even more nervous. A quick scan of the laptop in the backpack quickly revealed that it belonged to someone else... and not the employee. Busted.
There is going to be a 2nd part to this post, shortly, which will be the collision of the physical security + information security world... because there is a great need for a cross-over.
So you see, physical security actually has quite a bit to do with data loss prevention - if it's done right ... stay tuned for the next episode soon!
Cross-posted from Following the White Rabbit