Physical and Cyber Attacks

1
Physical and Cyber Attacks
2
Inspirational Quote

• Country in which there are precipitous cliffs
  with torrents running between, deep natural
  hollows, confined places, tangled thickets,
  quagmires and crevasses, should be left with all
  possible speed and not approached.
• - Sun Tzu

3
Underlying Principles

• Separation of physical and cyber security no
  longer possible
• Physical events can have cyber consequences
• Cyber events can have physical consequences
• Understanding the cyber environment is now an
  essential element of developing and maintaining
  situational control
• The nature of cyberspace means that the old
  fortress mentality is no longer viable

4
Physical Security

• Physical security critical to security of cyber
  environment essential during advance visits
• Loss of physical infrastructure can cause loss of
  cyber infrastructure
• Must consider both material and human factors

5
Impacts

• Unmonitored activity of outsiders can increase
  risk to networked systems through unauthorized
  access
• Weak security practices at IT centers increases
  risk of unauthorized access to both the facility
  and network systems
• Unmonitored employee activity significantly
  increases the insider threat.

6
Security Policies

• Does the organization have physical and cyber
  security policies?
• Have they been reviewed with respect to each
  other?
• Are the parties responsible for these policies in
  contact?
• What are the enforcement methods?

7
Specific Policy Areas of Concern

• Hiring and firing
• Outsourcing contracts
• Visitors
• Customers/sponsors
• Special events

8
Facility Controls

• Are the physical security plans for the facility
  documented and tested?
• To what degree is the physical security dependent
  on computers and information networks?
• Policies and procedures for visitors?
• Do new or renovated facilities have computer
  controlled elevators, escalators, security
  systems, or fire doors?
• Are these systems isolated or are they connected
  via the Internet to an external security provider?

9
Personnel Controls

• Background checks
• Access Logs / work patterns
• Proactive management
• Problem resolution

10
Physical Protection of Information Resources

• How is physical access to remote nodes
  controlled?
• What precautions are taken to minimize access to
  servers, cabling, routers, etc.?
• What access controls are in place?
• How are the access controls updated and managed?
• How are system components physically safeguarded?
• Are audit and monitoring records routinely
  examined for anomalies and necessary corrective
  actions? By whom?

11
Network Security

• What does the network look like?
• What is the connectivity between networks?
• Can the network be accessed from the outside?
• What encryption protocols (if any) are in use on
  the network?

12
Network Concerns

• Is redundancy built into the network?
• Are all necessary security patches in place?
• How often are security patch requirements
  reviewed?
• Are there external nodes on the network, and if
  so, are any of them wireless?
• Is the network administered on-site or at a
  remote facility?

13
Physical Protection of Personnel

• Emergencies
• Travel
• Commuting
• Environment
• Pollution
• Disease
• Assembly/communication

14
Information Protection of Physical Resources

• What information regarding the facility is
  available on the network?
• Is there information about guests, employees,
  critical functions available? (scheduling,
  credentialing, etc.)
• What access controls are in place for this
  information? (technology, procedure)
• Is sensitive or critical information protected by
  secure, offsite storage and backups?
• Is the integrity of installed software and data
  verified regularly? How?
• Are all changes to IT hardware and software
  planned, controlled, and documented?
• Is unique user identification required for all
  information system users, including third-party
  users?

15
Information Protection of Personnel

• Personally-identifying information
• Personally-threatening information
• Personally-compromising information
• Localization/schedule information

16
Personnel Protection of Information

• Training
• Awareness
• Process
• Follow-up
• Value

17
Example Impacts

• Interruption of emergency services
• 911 service off line
• Disruption of hospital networks
• Potential loss of life
• Interruption of power grid
• Disruption of services dependent on power
• Hospitals
• Hazardous material facilities
• Secure facilities
• Traffic control in chaos
• Potential financial loss enormous

18
Cascade Impacts

• Interruption of Telecommunications
• Impact on all levels of communications
• Severe impact on financial services
• Loss of communications with public impacts
  confidence in government
• Potentially serious impact on military logistics
  (over 90 percent of all logistics over private
  infrastructure)
• Interruption of Transportation
• Disruption of commerce
• Foodstuffs and fuel deliveries interrupted
• Potential hazardous material compromises
• Direct impact on population