Penetration testing has long been a vital part of many businesses’ compliance and governance efforts as a measure of proactive security, but today’s expanding cyber threat landscape means that approach is too narrow and leaves businesses open to complacency.
The changing threat landscape means companies can no longer rely on the traditional method of cyber protection, which focuses only on protecting a network and its assets. Complacency like this is costing Australian consumers upwards of $2 billion a year, according to the 2017 Norton Cyber Security Insights report.
Forward-thinking companies are going beyond penetration testing to employ a more holistic approach to cyber security. Hackers are becoming more sophisticated and are using any means possible to gain access to a company’s data. This includes targeting the physical assets of a company, such as the building itself and the employees inside it.
Luckily, there are a few measures businesses can take to ensure their security protocols protect all parts of their business, not just the network.
Going beyond penetration testing to secure physical assets
Due to the increase in protection around network assets, cyber criminals have to think outside of the box to gain access to a business’ data. Hackers are taking the traditional route to gain access to an organisation - through its front doors.
They do this by employing social engineering techniques such as RFID badge spoofing, tailgating or posing as an employee, any of which can give them direct access to a building.
We’ve been employed by companies to test their security protocols by attempting to gain access to their network by any means. There are instances where we have simply walked up to a receptionist, claimed to be from the IT department and been allowed access to their network. It was then simply a case of plugging a device into the network that provided remote access into their environment.
By far the most popular and successful social engineering technique is phishing, which again involves pretending to be an employee or a contractor of the business to ultimately gain access to network data.
This could take the form of a forged email from a CFO to the finance team approving payment of an invoice, or a fake IT contractor requesting employee passwords to gain access to a network. Emails or calls like this convey a sense of urgency, especially if the request appears to come from an executive level. This is ultimately how mistakes are made.
Just recently we saw this happen to Victorian home buyers who were targeted by a phishing attack, with the hacker pretending to be the real estate agent. Over $200,000 was lost due to buyers trusting the email address of the hacker.
In Australia, we are still lacking when it comes to protecting our physical assets and educating employees about the threats they are vulnerable to. It’s still too easy for hackers to walk straight into a building and gain access to an organisation’s data, including the private information of its customers.
This essentially makes a company’s investment in cyber security prevention technologies redundant, with threat actors completely bypassing those systems.
Social engineering tactics such as tailgating, phishing and posing as an employee can all be mitigated by ensuring employees are educated on these tactics and how to identify them. Building entry systems can also be upgraded to make it even harder for threat actors to gain unauthorised access. This, coupled with frequent monitoring and testing of defence systems, can help to protect and strengthen physical assets, including employees.
Strengthening cyber resilience through the use of Red Teaming
One way businesses can better prepare themselves for the threat of attack is to employ services such as Red Teaming, a strategy traditionally undertaken by military teams for the purpose of rigorously testing the effectiveness of strategy, tactics and personnel.
Cyber security teams have adopted this approach to test a company’s cyber resilience, as it looks at a company from a hacker’s perspective rather than that of an employed IT professional or team. Red Teams do everything in their power to breach a company’s defences, whether physical or on a network, to gain access to sensitive data. This helps companies to see the holes in their defences, and aims to catch them off guard, much as a hacker would.
To date, there has never been an organisation which has been able to defend against our Red Teams, and in some cases, we’ve even been able to walk in and simply plug a device straight into the network with little to no resistance. This is opening businesses’ eyes to their susceptibility to hackers, and when this information hits the boardroom, the company begins to take its cyber security policies a lot more seriously.
Over-reliance on penetration testing and a lack of cyber education and physical security create a volatile environment for Australian businesses. Those that will come out on top in 2018 will be those that take a holistic approach to cyber security to ensure all aspects of their business are secure.
Article by Sense of Security COO Murray Goldschmidt.