“They think we’ll go to the ICO. We won’t!”
Criminal gangs are planting “sleepers” in cleaning companies so that they can physically access IT infrastructure, a senior police officer with responsibility for cyber crime has warned, urging businesses to bolster their physical security processes in the face of the growing threat.
Shelton Newsham, who manages the Yorkshire and Humber Regional Cyber Crime Team, told an audience at the SINET security event that he was seeing a “much larger increase in physical breaches” as cyber crime groups diversify how they attack and move laterally inside institutions.
(Recent reports suggest that cybercrime will cost firms $6 trillion annually by 2021 – making it more profitable than the global drugs trade.)
Cleaners and USB Sticks
“Exploitation of staff is a key area”, Newsham said.
“Organised crime groups are planting ‘sleepers’ in cleaning companies that a procurement team may look at bidding for. There’s no way of auditing their vetting. They’ll also using people in painting and decorating firms; anyone who has out-of-hours access to a building is fair game.
“Even the old ‘drop a USB stick’ is back.”
(Newsham was referring to the technique of lacing a USB stick with malware, dropping it in an office car park and waiting for a curious staff member to plug it in).
Badges and Biometrics
Newsham was on stage with Santander’s UK CISO/Director of Security & Privacy Services, Emma Leith, who said: “Over last few years, cyber criminals are really ramping up how organised they are. They can get through your vetting and recruitment processes to get inside your organisation (obviously this hasn’t happened to Santander!)”
Asked by Computer Business Review what steps she encourages to improve physical security, she said: “There are small steps businesses can make: we’re changing our visitor passes: until three weeks ago they were red, like our brand. Now they’re black and we encourage staff to be more suspicious of who’s walking around. Regular red teaming and purple teaming; capture the flag exercises [all help]”, biometrics too, although there’s no point having cutting edge systems running on an old Windows server.”
She added: “Culture and process are really central. In my career I’ve seen so many people under desks lifting stuff out and nobody saying ‘hello, who are you?’”
It was a point echoed by physical intrusion specialist Tim Roberts of wehackpeople.com, who told Computer Business Review in a DM: “Data mediums may change, but physically accessing said data or the threat of safety will not.
“Typically weaknesses are due to the human element and social engineering risks. You can have the most expensive access controls, but improper deployment or a poor security culture can and often is the window in (tailgating, being let in, bypassing electronic access via physical methods etc).”
He added: “Security awareness should be a culture, not just a process or annual training. Improved technology does not matter if the previous statement stands. The human elements rarely changes.”
Technical Debt/Primordial Ooze
Becky Pinkard, the CISO of Reading-based Aldermore bank, added: “This can feel like a vicious cycle. I mean we’re back to ransomware for Chrissakes. [One reason is that] technical debt is getting out of control.
“We’ve got to get back to the basics…
“Criminals are not getting smarter, they’re just taking more and more advantages of us as we accumulate criminal debt. It sometimes feels like we’re still climbing out of primordial ooze to get to where we want to do. ”
Read this: “Think ‘Evil’, But Get the Scope Crystal Clear”
She added: “Security awareness is well and good but this now boils down to collaboration, which as an industry we’re still not great at. Companies should be asking ‘where aren’t we involved that we should be?’ Then find resource, send them out and get them to report back.”
In the UK agency-level cooperation has vastly improved, as has the ability of the police to respond fast to cyber intrusions.
But it takes two to tango.
The Achilles Heel…
As Shelton Newsham (who operates as one of 12 “spokes” of the NCSC at the regional cyber crime level) told Computer Business Review on a later call: “Communication with corporations is still the Achilles heel. People aren’t proactive in coming to us when there’s been a breach. They think we’ll go to the ICO. We won’t! That’s your responsibility.”
He added: “These criminals almost have daily meetings with set objectives, and people are held responsible if these aren’t met.
“Security teams might meet up fully once a month: they’re already 30 days behind. With cyber criminals consistently pushing for access, for lateral movement, it’s very hard for CISOs to stay on top of this.
“But it’s a basic: with any procurement, is there a strict policy in place about who has access to the building? Is the policy and the service level agreement that goes along with it audited, so we can vet it? One of my teams can do an audit of that every three months.”
Business can report live cyber crime to Action Fraud, 24/7.
This goes to a central repository that police and other government agencies use to understand and respond to real-time attacks around the country.