Terry Gold of D6 Research has been giving “cyber in physical security” presentations at a variety of conferences, including ISC West and the Cyber:Secured Forum. We caught up with him for some insights about the intersection of cybersecurity and physical security.

Q: Tell us a little bit about your background, specifically in the context of its relevance to cyber security in physical access.

Gold: I started out in information security and then got involved in physical security along the way. I started really focusing on physical from a cyber standpoint about 10 years ago. I got into ethical hacking about 8 years ago, and then worked on putting it all together. There wasn’t a roadmap, so I had to build a methodology which I now share with other hackers, end users and law enforcement.

I spend all my time either in the lab building success models and methods, or testing them out with some of the largest customers or agencies in the world for validation and improvement. Also, a chunk of my time is spent re-engineering security assessment and controls for end users, or validating vendors on their behalf, from a unique viewpoint that’s not (yet) typical in the industry.

Q: How well prepared is physical security overall against cyber threats?

Gold: Not well at all. While security is imperfect anywhere, many of the practices and designs have critical defects and overlook either best practice or fundamental application security principles. I’d say that the industry is very wide open for exploitation that doesn’t take much sophistication to execute.

Q: What things stand out to you along your journey regarding the changes that you are seeing on this topic?

Gold: Culture. Over the years, the industry (and most end users) have been dismissive of my findings. Industry culture hasn’t been aligned to embrace the topic and make requisite improvements that are needed to achieve “good security.” However, I’m finally starting to see that change – quickly and at scale. It doesn’t mean that we’re close to “good,” but rather reached the inflection point of change – and I’m rather pleased about it.   

Image: Breach disclosure laws have resulted in IT getting a lot of media attention in comparison to hacks made against physical security.

Q: D6 does a lot of research in this area. What is the analysis behind the recent push for cyber security in physical security?

Gold: First, it must be recognised that the threat isn’t new, but rather that the industry is only now coming to the table on it. Industry sentiment has been that breaches in physical security don’t happen or that there’s little impact. Both are false. Mainly, IT gets all the media attention with breaches for two reasons: 1) breach disclosure laws are focused on mandatory reporting for personally identifiable information (PII), and 2) there is really poor detection (mostly non-existent) against hacks in physical security, so they go unrecognised.

On the other side, as physical security systems increasingly resemble an IT architecture, so does their risk profile. As it expands to mobile, cloud, IoT and intelligence, InfoSec and auditors are taking a look and are alarmed at what they’re seeing. Before you know it, the scrutiny is cutting pretty deep, pressure for alignment becomes intense, and vendors feel the pinch on the sales cycles. It’s not a comfortable position for anyone.

Q: What will be the projected impact? Are practitioners seeing the whole picture?

Gold: No, and this area is probably the most important takeaway of this interview. The industry is where InfoSec was about 15 years ago in their journey, except we have an additional headwind to deal with – culture change. This industry tends to rely more on trusted relationships than on validating the recommendations being provided. There are too many prevailing misconceptions; unless they are remediated, investments won’t be as effective as expected.

Q: What do you believe are the top misconceptions?

Gold: Well, this is a longer topic, but here’s a sampling that cuts across different areas.  

  • Regarding hackers: A misconception is that they’re generally not interested. Hackers are increasingly very interested. When I teach a workshop at a hacker conference, it’s usually the quickest to fill up and go to wait list (within a couple hours).
  • Regarding attacks: A misconception is that attacks are executed directly against the target system. For example, their goal is to get into the VMS and attack it directly. The reality is that they’re more commonly dynamic, where physical is part of a larger attack and its role is an easier gateway to another system (or vice versa, with many hops).
  • Regarding protective measures: The most prevalent mistake that the industry is currently making is too much focus and reliance on air-gapping networks or locking ports. This is only a slice of the attack surface and there are various ways to get around it. There’s a heavy price to pay for those that rely too much on this strategy, since it’s often accompanied by few mechanisms to deal with actors once they do get in (and they definitely will).
  • Regarding the value of exploiting physical security: Too often perceived as low value. In our white paper we review many of the things that hackers can do, what they gain, and how it can impact the overall organisation. It’s far broader and deeper than most.
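Two threads in the answers above, that detection of hacks against physical security is mostly non-existent and that air-gapping is usually paired with few mechanisms to deal with actors once they are inside, are the kind of gap a practitioner can start closing with the access-control system’s own event log. The script below is an added editorial illustration, not code from the interview, from Terry Gold or from D6 Research. It runs four simple checks over a constructed badge-event log: a badge used at two sites faster than anyone could travel between them, the same badge hitting two readers within seconds (a cloned card or pass-back), a sensitive door opened out of hours, and a run of denials immediately followed by a grant (credential or PIN guessing that worked). The log format, badge ids, site and door names, travel-time table, business hours and thresholds are all assumptions made for the example.

```python
"""Detection over physical access-control (PACS) badge events.

Added illustration, not code from the interview or from D6 Research.
Everything below (log lines, badge ids, door and site names, travel-time
table and thresholds) is constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <badge> <site> <door> <GRANTED|DENIED>".
SAMPLE_LOG = """\
2021-03-02T08:01:10 B1001 HQ lobby-north GRANTED
2021-03-02T08:05:40 B1001 HQ server-room GRANTED
2021-03-02T08:06:05 B1001 DC2 cage-7 GRANTED
2021-03-02T22:15:00 B2002 HQ server-room GRANTED
2021-03-02T09:10:00 B3003 HQ lobby-north DENIED
2021-03-02T09:10:12 B3003 HQ lobby-north DENIED
2021-03-02T09:10:25 B3003 HQ lobby-north DENIED
2021-03-02T09:10:40 B3003 HQ lobby-north DENIED
2021-03-02T09:10:55 B3003 HQ lobby-north GRANTED
2021-03-02T10:00:00 B4004 HQ lobby-north GRANTED
2021-03-02T10:00:04 B4004 HQ lobby-south GRANTED
"""

# Assumed tuning: minimum plausible travel time between sites (minutes),
# doors whose after-hours use is worth a look, local business hours, the
# window inside which one badge cannot legitimately hit two readers, and
# how many consecutive denials before a grant we treat as guessing.
MIN_TRAVEL_MIN = {frozenset({"HQ", "DC2"}): 45}
SENSITIVE_DOORS = {"server-room", "cage-7"}
BUSINESS_HOURS = (7, 19)
CLONE_WINDOW = timedelta(seconds=10)
DENY_BURST = 3


def parse_log(text):
    """Parse the space-separated log into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, site, door, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "badge": badge,
                       "site": site, "door": door, "result": result})
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events):
    """Return (rule, badge, detail) alerts for the four checks below."""
    alerts = []
    by_badge = defaultdict(list)
    for ev in events:
        by_badge[ev["badge"]].append(ev)

    for badge, evs in by_badge.items():
        prev_grant = None   # last GRANTED event for this badge
        denials = 0         # consecutive DENIED events since the last grant
        for ev in evs:
            if ev["result"] != "GRANTED":
                denials += 1
                continue
            # 1. Burst of denials then a grant: PIN/credential guessing that worked.
            if denials >= DENY_BURST:
                alerts.append(("deny_burst", badge,
                               f"{denials} denials then grant at {ev['door']}"))
            denials = 0
            # 2. Sensitive door opened outside business hours.
            if ev["door"] in SENSITIVE_DOORS and not (
                    BUSINESS_HOURS[0] <= ev["ts"].hour < BUSINESS_HOURS[1]):
                alerts.append(("after_hours", badge,
                               f"{ev['door']} at {ev['ts'].isoformat()}"))
            if prev_grant is not None:
                delta = ev["ts"] - prev_grant["ts"]
                if ev["site"] != prev_grant["site"]:
                    # 3. Same badge at two sites faster than anyone could travel.
                    need = MIN_TRAVEL_MIN.get(frozenset({ev["site"], prev_grant["site"]}))
                    if need is not None and delta < timedelta(minutes=need):
                        alerts.append(("impossible_travel", badge,
                                       f"{prev_grant['site']}->{ev['site']} in {delta}"))
                elif ev["door"] != prev_grant["door"] and delta <= CLONE_WINDOW:
                    # 4. Two different readers within seconds: cloned badge or pass-back.
                    alerts.append(("rapid_reuse", badge,
                                   f"{prev_grant['door']} then {ev['door']} in {delta}"))
            prev_grant = ev
    return alerts


def run_sample():
    """Run the checks over the constructed log."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, badge, detail in run_sample():
        print(f"{rule:18} {badge}  {detail}")
```

On the constructed log each rule fires exactly once (B1001 for impossible travel, B4004 for rapid reuse, B2002 for after-hours use of the server room, B3003 for the denial burst). The point is not the rules themselves, which any real deployment would tune to its sites and shift patterns, but that a PACS already emits the events needed to notice an actor moving around after the perimeter has been bypassed; the checks are cheap to run wherever the event log is forwarded, and they work with or without an air gap.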

Q: What are the top things that need to change in the industry?

Gold: First, culture. This can be answered by adopting the same principles as InfoSec. From an execution standpoint, the industry needs to change how they perform risk assessments. Industry practices, including certifications, are significantly outdated and don’t reflect a methodology that accurately considers cybersecurity, actors, methods, and proactive remedy. At D6, we’ve developed a stepwise methodology from the ground up and it’s a huge difference. End users that don’t re-engineer their practice will be very limited in meaningful cybersecurity improvement.

Image: One of the changes needed in the industry is how risk assessments are performed.

Q: Generally, what advice do you give to clients on steps to move their cyber security to the next level? 

Gold: Don’t operate like a silo anymore. Transition from industry “common practices” to best practices that can be validated. Rely less on previous relationships and more on domain competence. Collaborate with the CISO on a principled, goal-oriented and metrics-based approach. Embed an InfoSec person on the physical team. Present priorities and risks jointly to the board within an overall risk portfolio. Invite scrutiny from auditors. Get a red team performed once a year. Until you do the last step, you don’t really know where you stand (but don’t do it until the other things are done). Last, set the bar higher with vendors to support these improvements, or their products will just end up being the weak link.

Q: What type of challenges do you see and any advice on how end user and integrators can overcome them? Lessons learned?

Gold: Feedback I get from integrators is that they’re struggling to figure out how to deliver expertise to their clients in their area. They’re somewhat overwhelmed by the complexity, by becoming an expert, or by how expensive it is to hire and maintain those skilled resources. My best advice is not to do either. There are too many specific domains across cybersecurity – it’s not just a network security resource. Not even the large integrators have the right bench, and unfortunately, they’re just further down a doomed path than smaller integrators. Form a partnership with boutique cybersecurity firms that have multiple specialists. Negotiate rates, margins, scope, and call on them when needed. It won’t come out of your bottom line, the results will be better, and the risk will be extremely low. You’ll learn along the way too.

Q: Anything notable that your research is uncovering in this area that might not be on people’s radar yet?

Gold: Yes, quite a bit. Our Annual Industry Assessment Report goes through every segment. We’re making pretty bold statements about the future and impact, but we’re confident. One thing that stands out is how intelligence (and the swath of subsets) will impose stringent demands on physical security due to attribute and data collection (for analysis) which will absolutely require privacy compliance, integrity, and controls. It will even shape organisations that might not care about cybersecurity but are prioritising function.

Q: Where can readers learn more about your perspectives on this topic?

Gold: Blogs on the D6research.com website. Our annual report. Val Thomas of Securicon and D6 have collaborated on a three-part cybersecurity in physical white paper series. It goes into all of this in detail, as well as remedy.
