ISC West Session Preview: Protecting Physical Security Systems From Cyber and Human Threats

Are you a system owner or practitioner worried that a cyberattack could cause an incident, and that the investigation afterward could find that your area or domain was a contributing factor?

On March 18 at ISC West 2020, we will walk through the hacker’s playbook, from the initial scoping of the environment through deciding where and what to attack, in the SIA Education@ISC session Protecting Physical Security Systems From Cyber and Human Threats. If you have ever wondered how physical security systems can be attacked, and bullet-point checklists and hardening guides have not given you enough, then this is the session for you.

Through the eyes of the hacker

We cannot protect against threats to physical security systems if we do not know what they are. Because people are the ones who create and exploit vulnerabilities, this session will begin by introducing who hackers are and their motives for attacking companies and organizations, and then move into how they locate potential targets.

Hackers generally do not go into a situation cold. They often begin with open-source intelligence (OSINT) gathering to profile their target organization. From sources such as social media, mainstream news and the street-view imagery in mapping services, they can learn a great deal about the types of physical security systems in place, and then research the technical attack surfaces that could be exploited to gain entry: to the systems themselves, physically to the location, or, worst of all, both. We will run through real examples of discovery to illustrate how information that seems benign in isolation can be leveraged in subsequent phases.

Technology isn’t the only target

We will then discuss how technical and non-technical data can be combined to attack the humans behind the technology. Social engineering, or human hacking, is often used to get an employee to provide information or perform a task on the hacker’s behalf. This type of attack draws on a portion of the OSINT gathered earlier to build a believable pretext that will not raise the suspicion of the targeted individual or group.

Putting it all together

We will then switch to the technology side and walk the audience through the spectrum of where physical security can be attacked, both initially and in later stages, and how attackers may benefit from the outcome (which is not always obvious). Once that groundwork has been laid, we will walk through real-world attack scenarios that combine technical and non-technical attacks in a process known as attack chaining. Attack chaining is an often-misunderstood part of the process that takes the compromise of a single device to a complete takeover of the environment.

If this session has you eager to get your hands on some equipment and try these attacks firsthand, then you’re in luck, as part two of the session will be a hands-on hacking experience!

Attendee Learning Objectives:

  • Understand how hackers think, their motives and their methods
  • Become familiar with how public-facing information can be used against your organization
  • Experience (and participate in) live attacks that illustrate the concepts

View the full session description here. And learn more about ISC West and register to attend here.

Terry Gold is the founder of D6 Research, and Valerie Thomas is a cybersecurity professional specializing in social engineering and cyber-physical penetration testing.

The views and opinions expressed in guest posts and/or profiles are those of the authors or sources and do not necessarily reflect the official policy or position of the Security Industry Association (SIA).