Everyone enjoys a good heist movie, where a gang of thieves use a combination of tactics, such as burglary, hacking or social engineering, to break into a place that everyone assumed to be completely secure and ultimately run off into the sunset with their loot.
Hollywood pushes the limits of what is believable, but when it comes to cyber vulnerabilities, this scenario has elements of reality.
While it is unlikely that most companies will ever have to face a well-funded burglar attempting to carry out a physical robbery, the Hollywood heist stereotype has a new meaning in the digital age.
Cyber criminals will use a variety of methods to scan for and take advantage of vulnerabilities. Because of this, cyber security needs to bridge the gaps between security operations (SecOps), network operations (NetOps) and physical security teams if it is to successfully prevent cybercrime.
Alone, these groups are stuck with a single piece of the puzzle, and this is a fact which attackers are only too eager to exploit.
First, it may be helpful to examine a scenario detailing how an attacker could plan and carry out the theft of intellectual property (IP) from an enterprise.
The malicious actors identify the IP they want. After identifying the target, the attackers profile C-level executives and craft a targeted email attack against the CFO.
Once they enter the CFO’s system, they get information on where the engineering team is designing the next product and move to the physical part of their attack.
They would either drop a series of infected USB sticks in the parking lot of the building or tailgate an employee into the premises.
Once access is gained through malware on the USB, or physically by the tailgater, the attackers can access the schematics and achieve their goal.
It is clear that a successful attack can blend both cyber and physical elements seamlessly. But how does this apply to the enterprise?
One of the major problems that most organisations face is that their SecOps, NetOps and physical security teams report to different executives: SecOps is the responsibility of the CSO, NetOps of the CIO, and physical security of the COO and CFO.
These three teams are also given different objectives, which widens the cooperation gap. SecOps is responsible for keeping the networks secure against cyber attack, NetOps keeps the network operating as fast as possible, and the physical security team secures the company’s assets and personnel on location.
These factors, in addition to separate budgets and objectives that can conflict with each other, combine to create gaps that attackers seek to exploit.
If the organisation’s IT and security teams in our hypothetical scenario are structured in this way, the malicious actors are likely to succeed, even if one of the attempts is thwarted.
This is because in a siloed corporate structure, one team may not hear about another team being hacked, thus not realising that they should check their own systems.
However, if the security teams communicated with each other, they’d be more likely to verify the security of their own areas.
One of the ways that the problem of lack of cooperation can be solved is by appointing a single executive sponsor to oversee the SecOps, NetOps and physical security teams and to ensure all elements of the security programme are working together.
If an attack happened in an organisation structured that way, reports of both the physical and cyber intrusion would be shared between the physical, IT and cybersecurity teams.
Each of them would then examine their processes, policies and technology to determine where the shortcoming was and how it can be fixed.
In the scenario outlined above, this would include re-imaging the CFO’s hard drive, blocking command-and-control activity, tailgating awareness training, enhanced physical security for high-priority assets, and more.
Budget savings can also be made by coordinating the security teams, as each of them would leverage the investments of the others.
For instance, if IT chooses a new next-generation firewall but it doesn’t provide the log data and prevention mechanisms that SecOps needs, they will end up buying and deploying one that does.
As a result, the cost is doubled while adding another security device to the network also has an operational impact.
If there were one executive responsible for overseeing all groups, that person could influence the firewall purchase decision to address the combined needs.
Increasing communication between your security teams therefore has clear and significant benefits for your organisation when it comes to making sure all areas are protected from cyber threats.
It not only provides better security, but also saves time and resources, meaning that your organisation is prepared and ready to prevent malicious actors from exploiting these gaps and carrying out a successful widespread attack.
Sourced by Greg Day, VP & CSO at Palo Alto Networks