
Physical Security Is Not Just a Line Item? - Chris Lincoln

BSides Fredericton, 31:34, 5 views, published 2024-11
About this talk
Physical Security Is Not Just a Line Item? What We Can Learn From Physical Security Professionals - Chris Lincoln at BSides Fredericton 2024. Emergency presentation to fill in for a speaker who could not attend. The first few minutes were not caught on recording.

Transcript [en]

...is now there. It has less security than it would normally have: you don't necessarily have locks, you have people going in and out. In our case we have material that is lying out that people would love to steal, because it's construction material, and then I can go and take that over to Best Metals and sell it. So whenever there's a new site, we add in a little bit of extra security. Same sort of thing when we're starting up cyber security sites: you're throwing it out on the internet, somebody gets into your staging site or something like that. Make sure you've got

monitoring turned on before you throw things out there, or at least at the same time as you throw things out there, so you understand what's happening to those. Site-specific security plans: this is something, again with physical security, where every time there is a site that comes up, everything is unique. We have certain policies and ways that we go about doing things as standard, but every site is going to be a little bit different, and because the threats are going to be different, it's built in a different way. So we need to develop a site-specific security plan. So you understand that, again, with

cyber security: understand what's different about this thing that you're putting out there. Is it making calls to some other system that you've never looked at before? Why are we working with South Korea on this? Is that okay? Things like that. What holes do we need to open up? Who do we need to trust in order to get this thing to work? Our information is now going to Romania; is that okay? All sorts of things. And then going in and checking on it every now and then once it's up, because you want to make sure that whatever it is you have in place is

still working later on, and working as designed, right? So it comes back to penetration testing and things like that, ongoing reviews. So this is going for monitoring. Anyone: best time to stop a bomb threat? Any ideas there? It's during the reconnaissance phase, right? Obviously it's before the bomb happens, but during the reconnaissance phase you look for people who are scoping out the site, preparing to develop a plan to attack. They're looking at behaviour patterns, they're trying to scope out weaknesses. Again, physical security principles you can use in a cyber security format: make sure you're looking at what's probing your networks, what is it that they're doing.

Honeypots are great for this: what if somebody were to get one of my control systems, what would they want to be doing? And then also understanding your threat actors, right? So I listen to a lot of security podcasts, and there are some people who I like who are very snarky about things, but they work mostly in open source and they say things like, if nation states are part of your threat model then you're doing it wrong. Well, it's critical infrastructure; nation states are part of my threat model. So that's always fun. So that's really an

understanding of the difference between the opportunists and the nation states. So for the opportunists, the idea is you get your base-level stuff that everybody should be doing done and solid, and then you start working on specific techniques that are, say, targeting your sector, your type of business. And I want to share a little slide here that I used to use as a consultant: the difference between opportunists and targeted attacks. I always thought this, you know, the difference between cats and dogs, it just describes it very well. And I reset my phone up this time; I told that I didn't do it myself.

So other things: vehicle inspections. What are people coming in with, what are people bringing in, what are they taking out? And here it depends on your level of comfort, but you can see that this might have an analogy with things like data loss prevention and BYOD. So you've got somebody who's bringing something onto your network; are you comfortable with that thing being on your network? Also when they leave. I've seen consultants who are joining consultant companies, they're using their own laptops, and then when they leave, what are they using? They're still using their own laptops. Where is all that data? It's on their laptop. How do you, when they

leave, how do you make sure that all your customer data is safe? It's on their laptop. So is that a risk that you're willing to take in your company? Maybe it is, maybe it's not. So yeah, and you could do things like bag inspections if you were really concerned about people taking things in and out. Again, it depends on your level of security and your level of tolerance for these sorts of things, and what you consider your risks, understanding what your threat model is. Yeah, we talked a little bit about site integrity and inspections, but yeah, don't rely on EV to

catch anything. There's a lot going on; I think we heard a lot of that earlier today in some of the talks. UPS. But then also understanding that your IT operations department is going to say, we know these things and we can patch and monitor these things, and there are other things that we don't have time to pay attention to. Those are where a lot of your vulnerabilities are going to come from, because people aren't paying attention to those things, but they're there. People who are in the education sector, I know, are fighting this all the time, because we've got professors who just want to stand up anything

anywhere. And sess friends who are here, I think probably upstairs with students, okay. But yeah, it is very common in universities, and I'm sure you've seen that as well. Enemies inside the walls? Yes, the enemies are inside the walls. So yeah, have different networks and say okay, you want to do a free-for-all, you're over there, separate from everything else that I care about. And then make sure that that stuff is protected, research information, things like that, which is a whole separate talk. So executive protection. Now there's something that, from a physical security perspective, you're thinking about:

where your executives are going, and sort of if there are going to be assassinations, or somebody is going to potentially elicit information from them as they travel to certain places. But as they go, they're taking devices all the time. So are you okay with that? Are you okay with someone going to the US with an iPad? Are you okay with them taking a laptop to Venezuela? Different threat models, different environments, and maybe you are. But generally what we recommend there is that if someone is traveling to

a high-risk area, first of all, know about it. Make sure you know about it, make sure that the executives know that you should know about it, and that they're going in with clean devices. And then when they come back they can use the regular devices; you can inspect the travel devices for malware, if you're good enough. But sit down with them and make sure they understand what your policies are: here's how we want you to use this device. I also give them a safety briefing as well, to say here are the risks that you have, here are the numbers that you should call in case you get into trouble.

And then if you're really good, you can learn from your physical security genam and do post-travel debriefs and determine if anybody was able to get some information out of them. That's a little bit more difficult for us; inside Street, when I used to deal with people, deal with keyboard. But yeah, if you are able to get information about who had what conversations with whom, where did they go, then you can find out a lot of information. Finding them in some of my peers, there's some things that I don't think we have clearance in this room to talk about, but there's

certainly foreign interference going on. So yeah, fraud detection, things like that. You can think about this in terms of product security. How do you know if someone is stealing from you? If you're dealing with a retail store, it's pretty easy, because the inventory didn't line up at the end of the night, or monthly inventory, or however often you do that. But if you're having a service, like Adobe before they went to the subscription, how did they know how many people were stealing Photoshop? They know everybody was doing it, but probably weren't able to modify it. So do what you can to try to

understand that, based on the product or service that you want. Personnel security: how much do you trust people, and when do you give them access to things? So before this went in, the incident with KnowBe4 hiring the North Korean hacker wasn't a thing yet. Is anybody not familiar with that conversation? Okay, all right. So KnowBe4 is a security awareness company, and they hired remotely a person who had impersonated someone from the US who was going to be working for them, sent over a doctored picture, got them set up on the network, and as

soon as the computer came on the network, then they noted that all of a sudden it was starting to set up remote connections from North Korea, downloading malware and preparing to infiltrate the network and exfiltrate all sorts of things from their systems. They were able to catch it pretty quickly, but the idea there is that they didn't really do enough in terms of background checks. If you are interested in this sort of thing, or involved or responsible for this sort of thing, I recommend that you look that up on KnowBe4's blog. It's "know" as in "I know", and "you", "be", the number

four, "the North Korean hacker", and the first thing that should come up will be their blog, where they talk about what went on and what they would have done differently, or what they're currently doing differently, because they changed things around, what they learned from it, and what we can learn from it as well. There are other things, like certain institutions are no longer allowing remote interviews for jobs anymore; it's all to be done in person, because you notice that more and more people's eyes will go off screen as they're watching ChatGPT or whatever give them the best answer

to that question, and then they're answering that. So then once you hire them, they don't actually know anything, because ChatGPT got them hired. So there's that. Insider threat program: there's a lot of stuff here that goes on. If you want to, you bring in feeds from all sorts of different systems within the organization. We want to know when people are coming on site, going off site, when they're logging on to certain things. Again, there's more than just systems, but there are a lot of things that the security guards are going to see that you're not necessarily going to see, and so you want to make sure that you're

talking with them, to say hey, we have this near miss, and get their trust, and then they'll start talking to you about this near miss and that. And sometimes that can turn into a conversation to say, oh, you know what, we had something else around the same time, let's look into that together and see if that's something that warrants deeper investigation. Once you start that up, then that can turn into your insider risk management program, and there are all sorts of good resources for that. If you're interested in that, hit me up later and I can tell you about that. But yeah,

internal sharing of threat intelligence is key; make sure that happens. Contractor and visitor management: you look at a lot of the different cyber security frameworks, you'll see that it's got badge checking in, checking out, things like that. But do your contractors have always-on access into your systems? What can they get into? Is there anybody monitoring their access when they're in there? Are you comfortable with them accessing what they are accessing? And this is not necessarily done in a controlled manner: you have a regular user who is able to assign access to someone else, and now you have people coming in who you

may not necessarily know about. Are you okay with that? Time to start inventorying some of that and figuring out what you can do to initially shut that down, or filter it, or have some sort of process in place so that everybody who is coming in digitally has been vetted for that. Because they're coming in and essentially getting the same access, or potentially even greater access, than some of your employees. So infosec is considered SEP by physical security. What's SEP? That's the S fans: somebody else's problem. It means I don't know anything about that, I hope I... I don't understand

it, and I hope that somebody is doing something about it. I trust that you're doing something about it, because I really don't understand it, and when you need something from me, you're going to tell me. That sort of attitude. Well, cyber security has the same sort of thing related to physical too. So again, that's why you need to talk with them, make sure they understand what you're doing, because you both have that mandate to protect the organization, just in different realms. And again there is a lot of overlap. You have no data security? You're just going to put your data center out in a publicly accessible area? No. So you need to make sure that

you're talking with them and that you're sharing information and sharing that threat... So yeah, another thing: paper assets. We often think about all of our information being digital, but it's not. How am I doing on time, guys? Got 25? 15 minutes left? 15, yeah, thank you. Okay, all right. So yeah, new technology. This is something where very often our physical security team will go off to consultants and they'll hear AI this, AI that, and they don't know what it is; they don't understand what technology can do for them. And there are a lot of things that can be

done that they don't necessarily understand but could really make their jobs easier. And so what I recommend is that you talk with them about data analytics, getting somebody who understands it working with the physical security system. Getting your company to get somebody who is a data analyst will greatly help them, especially if you have a lot of different sites. And then once you do get onboarded to some particular system, they often have user groups where they will share information between them so that they can work through problems: you're using X physical access control system, how do you have it integrated with your systems, what do you

do when somebody leaves the company, do you have to manually shut them off, is that automated? Physical security teams aren't thinking in terms of automation a lot. They're really thinking in terms of sort of detection, in terms of cameras and motion detection, things like that. Beyond that, not so much; they're not really sure what they can do with things, and you can help them better with that if you understand more of what it is that they're doing. So another thing: monitoring systems, shared operational monitoring systems. There are sometimes departments within your organization that can benefit from the data that you are collecting or the systems that you put

in place. One example of this for us is that we've been looking into camera systems that will report if somebody is not wearing PPE, personal protective equipment. So if you're not wearing a hard hat, hi-vis jacket, and generally the boots (you can't tell so much on camera), but if you could have systems, AI-related systems or AI-embedded camera systems, that can detect that, say within this area people need to be wearing that, and so if somebody is in there, that is either our people who have a violation of the PPE policy, or, much more likely, it's not one of our people, illegally in one of our areas.

So physical security is interested in the latter, and the former, health and safety is interested in, because you've got people in there who are violating policy and now need to sit down and say why were you in there without hard hat, gloves, hi-vis, whatever. Because again everybody goes on tonight, so take a little break. Yeah, there is no information security without physical security. We talk about it all the time; you'll find it even on Microsoft pages that if somebody has physical access to your computer, it's not your computer. So whether that's your endpoints, your servers, whatever, just assume that they can get into whatever. But again, we're thinking about

protecting the digital assets, but again, life, then the operation of the company, making sure that you can actually pay your people, because cut off payroll and see how quickly loyalty to the company changes. That'll happen very quickly. So also from an information security perspective, know your crown jewels: protect your pay system; you have a personal interest in it. So yeah, other things: the 5Ds I talked about in terms of different strategies that they use. Talk to your physical teams about this; ask them about CPTED, ask them about the 5Ds. So CPTED is, I'm forgetting the acronym, but it

is protection through environmental design. So what that means is designing systems so that people flow through a certain area that you want them to go through. People who are probably shooting games understand the concept of a kill zone or whatever. So you want people to come in through a certain area; if you're designing a building, you want people to come through a certain area where you can then focus your monitoring more, and make it so that they can't enter through other certain areas, so that you don't have to spend as much money. This is not just cameras; it's placing bushes and bollards and things like that in place. Again, when

you're designing network systems, you can learn from this sort of thing to make sure that you understand all the pathways that people can get in, and you're designing them to come in the way that you want them to, and then of course testing to make sure that they can't get in other ways. You weren't upstairs, so. Yeah, get to know your physical security team. And yeah, my experience with both is that neither cyber security people nor physical security people are great communicators. On this side we're a bunch of introverts, right? We're not really comfortable with having some hard conversations sometimes, and often it's

difficult for us to take a very technical discussion and explain it to somebody who is not very technical, but they have the person expense. So trying to figure out how to get somebody to do something they don't want to do is also a very important part of security, because we're trying to get people to change all the time. Might change, but figuring out how you can do that, your soft skills, very important. And with physical security, there is a lot of common language and a lot of common concepts, and the more that you talk, I think the more that you will be able to understand each other. But understand that you have

different focuses. So try to understand their language, their way of thinking, and that will help you to spark some things that can help you to be better on your side. And also, if you do have somebody who is a good communicator, help them to figure things out. But yeah, physical security people are generally not pulling their punches when they're telling you what bandia. So that's usually not very popular with management. If you are in good with management, you can help them to tailor that message. That was precisely the problem that I was dealing with with the manager who had come in; he was telling people

things that they needed to hear in ways that they didn't want to hear. But yes, they do, even here, like the old Calvin and Hobbes comic where he's sitting at a bench selling swift kicks in the butt for a dollar each, and Hobbes asks how's business going, and he says it's terrible, everybody I know needs one. And then we talked about joint cooperation for insider programs. So if you are starting insider programs, make sure that they are involved. So please talk to them, okay? They don't understand technology; help them understand what it is that technology can do for them. They don't know how to ask, they don't know who to

ask, they very often don't even know that technology is there to help them, because physical security as a field has not evolved very much in hundreds of years, whereas cyber security, well, you know, it's still very new. And so we are used to a lot of change, a lot of new things, and something that comes in, here's a better way of doing things, I've got to learn how to do that now. Physical security teams, for the most part, don't have that constant change and don't understand how the world is moving on, and they're not catching up. So talk with them, see if you can help them with that. And yeah, you have

the same goals: you're there to protect the company, you're there to protect the people, you're there to protect the company's assets, in different ways. But see what you can do here. PACS, physical access control system, there. And very often they don't know how to secure those systems. Also, almost every physical access control system that I have seen has the default login, so change that. Just have a look; most auditors don't even look at that. You didn't yesterday, but that's fine, I know it's a problem, he's going to tell me it's a problem, so we're getting rid of that thing. So yeah, and yeah, threat intelligence streets. So other things: local communities that I support, because this

is what I threw up on the ad seon screen, besides "here we are back in November 2024, thanks for coming back". Freddy SEC. So Freddy SEC, I did explain a lot of it there; you'll get a little bit of a taste of it tonight. It's generally second Wednesdays. I announce it on email; if you want to get on the spam cannon, I will add you with that, let me know what your address is for that. Otherwise I post it on Twitter and Mastodon, and I may pull off Twitter at some point because now you need to log in to be able to see anything, which

drives me nuts. So I may move to Mastodon or something else, if somebody's got a better idea. So there's that. Then there's also the Atlantic Cyber Security Collective, also known as the Discord, which, if you want to sign up for that, that is that QR code there. I'm sure that there are a lot of people here on the Discord, and I have no idea who you are because you all have handles, but that's fine. That's amazing; we can all be snarky and not have each other later on. So yeah, that's it. Thank you for spending some time with me, and I'll open up for questions.

[Applause]

Yes?

my husb Works field as can people conly andain

And something else that we were talking about that I didn't really get into is that we've got transformers in our substations, and we have cameras in there to see if anybody's getting in. Most of the time you're not seeing much. Then our asset management people said hey, can we maybe get something from those cameras to detect if they're running and we need to go in and do something? That's another area where you say the same feed: this team can use it, that team can use it, that team can use it, and so that then helps say good, we'll go ahead and do this, maybe contribute some budget to that, knowing that you're going to be a consumer of

that as well. Because maybe we can get more than just what we want; we can then upgrade to something that, that you can, we may of it, because things like that. Can someone else reuse the information you have and use it in...

Yes, in terms of that, especially if you can come in with predictive data to say if we put this in then it's going to reduce expenditures by this point, because we're doing preventative maintenance that we wouldn't have been able to understand we needed through other means. So yeah. Excellent. Anything else? All right, that's time then. Thank you, and we'll be back here in 15 minutes for Peter, who's preventing you from leaving the [Laughter] room; he'll be checking ID at the door. But yeah, go ahead and take a break, get some liquid, get some snacks, some people...