In order to better defend IT systems, organizations should not only pay attention to technical defenses, but also look at physical threats.
Most IT organizations test and assess their systems for technical weaknesses an attacker can exploit, but IT departments should also take the perspective of physical attackers into account, said Rafal Los, chief security evangelist at Hewlett-Packard, and Shane MacDougall, principal partner at security consulting firm Tactical Intelligence, at a combined keynote during Black Hat Europe in Amsterdam.
Rather than taking the attitude of the good guys looking at the bad guys, white hat hackers and penetration testers should step into the shoes of the attacker to identify threats that conventional threat modeling may overlook.
“Humans can be rather unpredictable unless you understand them well,” Los said, pointing out employees are often a weak link when it comes to securing networks and applications.
Security can suffer a breach in many ways, MacDougall emphasized. “If the IT team goes to a bar, the attacker can join them,” he said, adding that attackers can use social media to keep track of the team’s movements in real time. After buying a few rounds and getting the team “appropriately lubricated,” it’s the perfect time for an attack. When an attack on the network launches later that night, the attacker can have a higher degree of confidence that an immediate response from the IT team may not be forthcoming, he said.
Other methods to compromise security are blackmail, bribery or other incentives like sexual honey traps or exploitation of gambling habits. Also, attackers could target homes of executive employees or use social engineering attacks on the workforce.
“Disgruntled employees are really easy to find,” Los said. On the other hand, an attacker could also use a devoted employee to gather information, by posing as a customer or a related vendor.
To test these weaknesses, Los and MacDougall advise getting a whiteboard and making a list of all possible weaknesses, physical and technical. Then security testers should make a High Payoff Target List (HPTL) of employees, or assets, including highly ranked executives and security personnel. Other assets such as sales personnel, vendors and support staff can be added to that list, because they can also grant access to the enterprise or provide proprietary information.
This target list can then be broken down into points of attack, identifying the parts of the system that are most readily compromised. From there, security workers create profiles of possible risks, covering family members, hobbies, conferences, behavioral analysis and psychological and sociological profiling, among other things. Once that is done, it is possible to assess the state of all the possible threats, making sure to note IT maintenance schedules. “Every year very secure systems are exploited if their defenses are down for 30 seconds. Do you think that is an accident?” Los said.
As a next step, the company can test highlighted weaknesses for compromise. The attacks can range from on-site attacks to logical attacks and social engineering.
“You really want to identify as many users at risk of compromise in a company,” MacDougall said. This can also occur at conferences. “If they have a smartphone or entrance badge: Grab it and exploit it,” he said.