Hack the Corporate
Since I was a kid I have liked to dismantle all kinds of things to see their guts, how things work… and how to improve them or make them work differently or more efficiently. Over the years I applied that same mindset to security; I even collaborated in some projects aimed at verifying protection failures in public and private security installations and military systems. I didn’t know it, but I was a hacker.
The convergence of physical and virtual security has existed from the first moment someone decided to tap the pair of a telephone line to use that means of communication for criminal purposes, or, to name the mythical example, the Blue Box, which issued telephone pulses that allowed systems to be disabled remotely.
Physical and cyber security have been entwined since the very first security system was disabled remotely.
The ostrich is installed in almost all organizations
During my 30-year career I have had the opportunity to learn first hand about a relevant issue:
Many organizations do not want to know their security holes, and they rely on hiding them, thinking the enemy will not notice, when the opposite is true: the enemy already knows. It is what I call Ostrich Protection; the term is not original, but it is very eloquent.
Here it is also worth keeping in mind the typical security-hole cases caused by the internal enemy, the “insider” who compromises physical and virtual security… and very often the physical from the virtual environment, something that is critical in IoT environments and public institutions.
- Malicious Insider: trusted employees who intentionally steal from and compromise the organization; sometimes we find them at a high executive level.
- The Naive or Ignorant Insider: the most dangerous in my opinion, because nothing is worse than ignorance and stupidity working together. These employees, despite awareness training and internal security controls, find a way to compromise the company.
- Criminals: external attackers who establish unauthorized access, operate from inside our systems and exploit gaps in visibility and security controls.
The convergence of Physical and Virtual Security
The second issue is the convergence of Physical Security and Virtual Security or, in more concrete terms, the necessary collaboration of InfoSec in any security program for personal and asset protection in the corporate world, or of HomSec in the field of national security. All relevant security technologies are interconnected via the Internet or use wireless technologies.
We know, thanks to sciences such as psychology and anthropology, that human beings base their trust on closeness, recommendation and personal acquaintance rather than on official qualifications or years of work experience. We ask a co-worker if he knows a good doctor and a neighbor if he knows someone good with computers, but I doubt anyone reads the CV of the doctor or of the “handyman” on duty; the word of a close person is very powerful. That is why we choose our holiday hotel following the five-star recommendations on the internet travel platforms.
How do we look for a security officer? By asking those who already have a security department, or close friends in security intelligence agencies? How do we hire an expert in information security? In the same way: we always go to those nearby. Despite this, the new AI-based recruitment models are changing that paradigm somewhat, although it is true that CVs are now written with keywords in mind so they can be read by a machine; it is the sign of our time.
In general, a recommendation carries more weight than a CV, given similar knowledge, obviously. In security, the ability to manage resources and people is increasingly important compared with technical knowledge, which can be delegated to subordinates with specific expertise in the subject. For example, I have several clients whose staff hold all kinds of cybersecurity certifications, including InfoSec, CompTIA Security+ or CISSP, and they still turn to the author of these lines for the design of physical security because they know it is a field I handle with fluency. In return, they would surely never call me to mount a rack of Linux servers in critical infrastructure or deploy an Azure container for a new web application in the cloud.
Speaking of security, what is the main problem that we security directors and security executives find? That, in general, companies do not want to know all their vulnerabilities.
They fear being exposed and cite the cost of security, when in fact it is an operational investment that helps reduce security gaps, lessens the effects of a deliberate or accidental incident and directly affects business continuity, for better or worse; and we know what the result of a failure in business operations is.
A recent case on the table is the sanction against British Airways: £183 million for a breach that gave access to its database, in violation of GDPR regulatory standards. I am sure the figure of that sanction is considerably greater than the investment in security would have been, without even entering into the reputational cost and stakeholder relations. (1)
History gives us many cases of hackers, in the strict sense of the word, who analyzed and broke a security system and reported the fact in a friendly way to the affected companies, which hid it until the disaster happened, the failure was made public or the hacker himself decided to publish the story to protect the users.
I am not talking about institutional projects like the Red Team in the early days of SEAL Team Six with Dick Marcinko, or our own covert projects in Spain; I mean much more mundane things:
- Unreliable padlock: a maker boasts of exceptional locks until a locksmith’s apprentice opens one in less than a minute; the company accuses him of wanting to harm them, when in fact what he is doing is protecting users from buying something that does not fulfill its purpose as it should.
- Remotely accessible vehicle: apparently a hacker finds a fault in a Jeep vehicle and reports that it is possible to access the system remotely, and the US company does not bother to answer; after 6 months the hacker makes the news public, and only then does the automotive firm take action, late and with its reputation compromised. (2) (3)
Companies often rely on the supposed “secrecy of the failure”, which the public does not know about, to justify silence and concealment of the fact, when in reality it represents two things: a lack of respect for the client, disregarding their safety, and… an ostrich-like ignorance that hides its head thinking it will not be seen. The offender knows the security problems of his target; he learns, trains and gathers information, and the general ignorance of the public is nothing but another opportunity for the criminal.
And so we come to what we call “Virtual and Physical Convergence”, where security measures cross over and a new kind of security executive is appearing: directors and security chiefs with extensive knowledge of both worlds, able to combine in a single person the management of both environments. Security as we knew it has died; everything is based on technologies that are operated by humans, with their serious “programming” failures: errors, infidelity, betrayal, pressure, bribes or threats are some of the weak links in the chain.
On the other hand, machines and technological means still do not design the policies and procedures of a security system, so once again we human beings are the key part of security: we design the project and its execution, we implement, we supervise… but we can do it thinking out of the box, hacking the corporate security standards to move forward, trying to be one step ahead of the criminal instead of one step behind, as usual.
The convergence of the Virtual and the Physical is here to stay, but these would be only words if we did not turn them into action.
In my next article I will talk about why Operative Intelligence Officers are so popular in the security industry, and why such cross-cutting skills benefit many kinds of organizations.