Small-town street scene in Illinois American flag flapping in breeze by huge painted American flag fading from brick wall
 

 

Episode #63 - Physical Security Controls for Data Protection & Compliance

This week, the guys discuss physical security controls (and lasers) to ensure that your organization is both secure and compliant! Cybersecurity doesn't stop at technology implementation. If you follow NIST 800-171, CMMC, PCI-DSS, or a number of other compliance requirements, you'll need physical security consulting to help secure your premises to protect systems and data. Hear what the guys have to say about implementing effective physical security controls.

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at www.silentsector.com
Be sure to rate the podcast, leave us a review, and subscribe!

ANONYMOUS HACKED A SWISS-BASED CHOCOLATE FACTORY

Bugs in Wyze Cams Could Let Attackers Takeover Devices and Access Video Feeds

Okta Says It Goofed in Handling the Lapsus$ Attack

LAPSUS$ HACKING CREW CLAIMS ANOTHER SIZABLE VICTIM

'Purple Fox' Hackers Spotted Using New Variant of FatalRAT in Recent Malware Attacks

Microsoft Exchange Targeted for IcedID Reply-Chain Hijacking Attacks

IceID trojan Delivered via Hijacked Email Threads, Compromised MS Exchange Servers

Critical Sophos Firewall Vulnerability Allows Remote Code Execution
Mars Stealer Malware Pushed via Google Ads and Phishing Emails
CISA adds Chrome, Redis bugs to the Known Exploited Vulnerabilities Catalog

Windows 11 KB5011563 Update Fixes SMB, DirectX Blue Screens
Google Chrome Bug Actively Exploited as Zero-Day

FBI Asks Congress for More Money, People and Authorities to Match Cyber Threats

Honda's Keyless Access Bug Could Let Thieves Remotely Unlock and Start Vehicles


10103417-small

Send Us Your Questions & Rants!

welcome to the cyber rants podcast where we're all about sharing the forbidden secrets and slightly embellished truths
about corporate cyber security programs we're ranting we're raving and we're
telling you the stuff that nobody talks about on their fancy website and trade show giveaways all to protect you from
cyber criminals and now here's your hosts mike rotondo zach fuller and lauro
chavez welcome to the cyber ants podcast this is your co-host zach fuller joined
by mike rotondo and laura chavez and today we are talking about physical security
and physical security as it relates to cyber security data protection and
especially compliance how do you make your environment compliance with the physical security
controls that are required across multiple frameworks but before we dive into that
mike have anything for april fool's day uh nothing for april fool's day but i do
have kind of an easter related our news story announcement hacked the swiss-based chocolate factory just in
time for easter nestle is in one of is one of the companies that are still operating in russia after the invasion an anonymous first threatened the
company then hacked it today the group of activists announced to have hacked nestle and make 10 gigabytes of
sensitive data including company emails passwords and data related to business customers at the time of the writing the
group only leaked a sample of the data staying more than 50 000 nestle business customers uh and they received no nestle
crunch bars so i thought it was gonna say they changed the recipe forever and it'll never be the same it'll never be
the same i wonder what corruption and dirty laundry is going inside the chocolate factory you know you never
know man no we all saw willy wonka yeah those oop olympus man let me tell you bugs and
wise cams could lead let attackers take over devices and access speed video feeds talk about physical security uh
three security vulnerabilities have been disclosed in the popular wisecam devices that grant malicious actors the ability
to execute arbitrary code and access camera feeds as well as unauthorized ability read sd cards the latter of
which remained unresolved for nearly three years after the initial discovery the security flaws relate to an
authentication bypass cve 2019-9564 remote code execution bug
stemming from a stack based buffer overflow which is cve 2019 12 266 and a
case of one off unauthenticated access to the contents of the sd card no cve successful exploitation of the bypass
vulnerability could allow an outsider attacker to fully control the device including disabling recording to the sd
card and turning on off the camera not to mention chaining it with sv cbe 2019 12 266 to
view and view the live audio and video feeds collapses we've all seen this in the news at least i hope you have has
been busy octa says it's goofed in handling the lapses attack on friday october the authentication firm admitted
that it made a mistake in handling the recently revealed lapses attack the mistake trusting that a service provider
had told octa everything it needed to know about the unsuccessful account takeover at one of its service providers
and that the attackers wouldn't reach their tentacles back to dragon octa or its customers the company has already
identified and contacted 366 potentially affected customers active service itself has not been breached someone came out
and said don't change the password on octa because you're unless you're one of the 366 i'm going to come out and say just change your password just to be
safe elapses hacking crew claims another sizeable victim the lapses data extortion gang announced
their return on telegram after a week-long vacation leaking what they claim is data from a software services
company globins we are officially back from vacation to group wrote on the telegram channel
posting images of extracted data and credentials belong to the company's devops infrastructure although british
law enforcement has handcuffed several members of the lab's assassin group the gang has maintained its hacking
momentum and continues racking up high profiling the group published seven gigabyte data packet onto the torrent
websites earlier this week probably stolen from global servers that has been deep legitimate so there's a couple stories on that one gotta go with the
purple fox purple fox hackers spotted using new variant of fatal rats in recent malware attacks uh the operators
of the purple fox mall rat have retooled their malware arsenal with a new variant of remote access trojan called fatal
wrath while also simultaneously upgrading their evasion mechanism to bypass security software
user machines are targeted by our trojan eye software package masquerading as legitimate application installers
according to trend micro the installers are actively distributed online to trick users to increase the overall botnet
infrastructure keynote don't read the word fatal rat without your glasses on because you're coming out with something completely different
microsoft exchange targeted for iced id reply chain hijacking attacks and ice id
trojan delivered via hijack email threads compromised ms exchange servers threat actor is exploiting vulnerable
on-prem microsoft exchange servers using hijack email threads deliver the ice id
which is bakbad a modular banking trojan first spotted back in 2017. it's used mainly to deploy second stage malware
such as other loaders or ransomware the trojan without triggering email security solutions the distribution of the
eyesight malware uh so long story short they've they've figured out how to evade uh email protections the primary method
of conversation hijacking attack is to assume control key email account participate in discussion with the
target and then send the phishing message crap to be appear as continuation of the thread the payload
is also moved away from using office documents to the use of iso files with a windows on lnk file and a dll file the
use of iso files allows the threat actor to bypass the mark of the web controls resulting in execution of the malware
without warning to the user noted by entersizer researchers we've all gotten those emails that start up that have the
subject line of our er conversation uh from someone trying to sell you something uh some of the software
vendors you never know what those really are there's a couple of important headlines out there critical surface firewall vulnerabilities out there
there's a mars steeler malware pushed by google ads added chrome redis bugs to known
exploited vulnerabilities catalog there's windows 11 updates there's a zero day for google chrome
the fbi is asking for more money people and authorities to match cyber threats and lastly honda's keyless axis bug let
thieves remotely unlock and start vehicles so with that laura what do we got for exploits thanks mike good headlines there um purple fox throwing
fatal rats this is probably one of my favorites um for this month so just you know okay well got one exploit to talk
about this week and i think it's probably the only one we should be talking about and that is spring for
shell everybody out there who knows about this is probably already upgraded but just so that you know march
31st spring has confirmed the zero day vulnerability and has released spring framework versions five three one eight
and five to twenty to address it uh the vulnerability affects essentially spring mvc and spring web flux applications
running on that java development kit nine and up okay so the cbe related to this is 20 22
22 965 okay so this is brand new breaking just like
the log force shell this is you know spring is is core framework and a lot of web applications
i'm curious to see if struts for shell is going to be the next thing what makes this dangerous is that so so
rapid seven has put together a tool called t cell that will detect exploitation attempts
based on what publicly available payloads that we've got today and that's really what i want to point out here is
we've got publicly available payloads so a couple teams did some pocs um there was an initial chinese
researcher that did a poc and then retracted it off of github since then many other authors have
published working pocs for spring for shell including bob the shoplifter
yeah bob the shoplifter he's posting all kinds of crazy stuff uh these days and spring for show proof of concept is one
of those so make sure that you are upgrading your frameworks and getting off of those older versions remember you
need to be um you need to be on five three eighteen and five to twenty okay so so if you if
you've got any web apps or any core frameworks using spring get off of that and uh i'm gonna make a prediction here
struts for shell coming soon to a theater near you i always thought bob was a builder not a not a shopkin
bob bob yeah i was gonna say he's he's building plans for shoplifting gotcha it
makes sense well i'm i'm wondering so spring is that is that spring is in a coil spring or a leaf spring or is that
spring is in the season but then you brought up struts and so now i'm thinking automotive parts yeah exactly
you know i think i think they both are reminiscent of an automotive industry of past but yeah spring and struts you know
not only do they provide suspension um articulation but they also provide
core functions for web applications outstanding bob the shoplifters going through the auto zones and o'reilly's
the world and ripping them off yeah yeah yeah i know bob bob the shoplifter is dropping shell
pocs is what bob the shoplifter is doing right so yeah there are a lot of other authors
out there on github that have that have dropped i think there's about 14 now total that have dropped clonish
poc exploits for various various packages for this spring spring for
shells pretty serious business yeah a lot of a lot of people pulling their hair out right now with this yeah
i know right after log for shell two so yeah that it's really kind of a kick to the teeth but that's cyber
a lot of people working over the weekend this weekend but uh yeah sorry if that's you but thanks for listening to the
podcast so you can listen to the back podcast while you're working this way yeah i was going to say while you're while you're trying to upgrade all your
spring your spring applications um you can listen to this you can listen to this
rant in the background yeah and i mean we have what i don't know 50 some podcasts
maybe we're up to 60 now and i mean they're all world class so world class i would start from the beginning and start
from the beginning and go through one by one one of the other things i really want to do too just so that everybody knows i'm gonna start talking really
really fast like this because i noticed that everybody who's listening to the podcast tend to listen on two and a half times speed so they can get through a
lot quicker so i wonder what i'm sounding like right now because i'm talking trying to talk two and a half times speed at regular time speed get
the um the auctioneer voice going i don't know if i could talk that fast
well hey let's uh let's talk about physical security as it relates to data protection and
compliance you know and you can't talk about physical security without bringing up chuck norris and unfortunately we're
not all lucky enough to have chuck norris guarding our server rooms or
office buildings or anything like that so short of that how could you create
a chuck norris-like effect by implementing proper security controls in your environment and so i want to dive
down that path today i want to talk about what is involved what you should be doing how to prioritize those things
all that good stuff right after a quick commercial break want even more cyber ants be sure to subscribe to the cyber
rants podcast get your copy of our best-selling book cyber rants on amazon
today this podcast is brought to you by silent sector the firm dedicated to building
world-class cyber security programs for mid-market and emerging companies across the us silent sector also provides
industry-leading penetration tests and cyber risk assessments visit silentsector.com and contact us today
and we're back and we're diving right into the topic here of physical security controls let's talk
about that first of all would either of you kind gentleman care to share
what makes a physical security control what defines a physical security control
other than being security and and physical and then and then maybe provide some examples
the way that the way you asked that the way that you asked that just kind of kind of threw me off well and then as
soon as you said kind i knew you weren't talking about me yeah i was gonna say like who's he trying to get to say this
you might as well just say hey laurel do you want to talk about that yeah come on mike
give yourself the benefit of the doubt here you're nice-ish
sleeping comparatively yeah
gosh okay what was your question again i'm sorry is it about physical security something about yeah the physical of security yeah
talk about talk about um what's involved what types of physical security controls are out there um and um then we'll just
dive right in and go with it awesome okay well i guess at the most extreme you know there's the laser
cannon with chuck norris standing outside frisking everybody before you can get into your data center cage
so you know there's i think there's that right where we've got you know large you know large organizations that are
that are focused primarily in housing the computing resources that other companies are using right so your big
data centers and they're going to have you know the the security controls of badge readers there's going to be ram
parts that come up in the parking lot there's going to be a checkpoint in the parking lot before you come in
there's going to be a man trap room where you have to check in there's going to be a little a little kind of a a carousel you have
to get into no joke so think of that being at the airport going through the metal detector but it has doors on both
sides that you get in and so if you put your password in wrong you're stuck in there until someone
comes and gets you i'm not even joking this is like real stuff this is real stuff and so then once
you're in once you're into the to the ins and people that have seen this or probably listen to this kind of
chuckling right it is kind of funny but it's an extreme process to get into
the server room where your equipment would be located if they're hosting it for you right maybe you've got a cage
maybe you've got a pod right some of these like these airtight pods now that are that are more heat um eccentric and
and pulling air conditioning up you know from the bottom you know you've got keys to get into that thing so you've got to check those keys out so
it's everything i think from from the building itself right is is in itself a physical control to the the
personnel that are protecting it as part of physical security right those those personnel all the way down to just the
badge readers that get you in the door the keys that may get you in the door the cameras that are watching all of
that are all part of your your kind of physical control set um i would say long gas too but they don't use that anymore
[Laughter] it's also one that uh will weigh you
going in and weight you going out to make sure you're not carrying additional equipment oh that's right
yeah that's right yeah they've gotten some some pretty sophisticated measures at this point to
ensure the the integrity of of everything that stays in that you know i just told them the last time i did that
i said you can weigh me but don't tell me what it is yeah what if you just like ordered pizza
i mean is that going to show up like if you know like i can eat like a half a pizza so is that going to be like going to be like where you hide this 2 pounds
chavez like if you still ram did you still ram out of the server rack
you're hiding it in your god pocket aren't you you gotta they got a treadmill in there you gotta burn it off yeah before you
can get out yeah well in the future there might not even be gap you know like physical human guards it might be all robots and yeah
it might be like the droid factory in star wars where you know they you're not getting out until you meet the requirements you know
so there's you could take it definitely to extremes you know i think we've seen seen uh um examples of that and people
that have been in in the tech world have probably seen that certainly um you know
people working for government entities and things like that i've seen that that sort of stuff from
you know secure facilities and all that but um let's talk about in the sense for just your typical companies health care
companies financial services companies you know that have brick and mortar locations and
have some their own servers and own systems and such in-house where do we start when we start looking
at okay we know we have data that we're holding and we know it's sensitive we know we have compliance
requirements what do we need to do first to really understand what we need to
deploy when it comes to physical security controls for data protection specifically right
we're not talking about like stuff for active shooters scenarios and stuff like that but more just for data protection
where should somebody start i always start with claymores okay that's an accident well no no in
all seriousness though you should watch the very first resident evil movie because the red queen which is the ai
that's controlling the umbrella security um they actually the umbrella core computer
is guarded by a hallway of lasers that you have to walk down anyways yeah but watch that movie and
that should be your goal i think for physical security even if you're a small mom paw shop i think everybody deserves
a laser hallway that um cuts any intruders into small little pieces clean pieces too by that way you
know just like a lightsaber would so you can carefully yeah it's card right you can very easily pick that up later in a
bag you know what i mean it's not like going to make a huge mess so i think that should be the goal um so yeah watch
resident evil if one if i
where do you start how do you understand what exactly you need i'm happy with it
so are you going to start from the outside in or the inside out and now the question is you're going to start with the focus on the data
then you start about where the data is stored and absent of talking about software controls right acls and all
that kind of stuff you know the first thing is is access to the server are you using your terminal
or using console how are you getting to the server then it's how do you get to the server room are you going to lock
the server room or you can use key cards are you going to have cameras or you can have you know a log book or you can have
someone sitting in front of the server room like the old school days and you signed in and signed out
um so i mean that's where you start it's just lock up your data don't leave the
your server sitting in the cubicle in the middle of the office man you went back to the time when people used to man the data center like
that machine the way that was seen there so i you know i agree you know absolutely and and i think
you know it depends on the type of information so you know i think it from the outside in it it all starts with just a door that locks right i think
that's at a minimum right in a building that's not publicly accessible so you know you don't want to be in a
strip mall or you know i'd say like you know the the the malls of our generation are starting to kind of die off and i
wonder if businesses are starting to start you know the the mall orders are going to start ringing them out to small businesses and
stuff like that so that's not your real good idea of a place to put a business that's going to store sensitive data
because it's got a lot of public access right into that area so starting with the physical door and
and having at least a key um is is a minimum and then and then you need
i think the important part of the the physical security is because everybody who needs to be at the office has a need
to be there it's how do you prevent unauthorized persons from being there i think is the you know the kind of the
the trick of this physical security piece and so if you've got a door that is at least one way lockable where you
have to either ring a doorbell or knock or you know even if you just physically lock it you don't want
hobo joe to just be able to walk up and come inside of your office i think that is goal number one right aside from what
mike said about protecting the server room if you're gonna house your metal right but but if you if you look at some
of the frameworks like 171 alpha and things like that they have they have very specific control requests
for control and manage physical access and then also things like
you know protect and monitor and and so those things where you have to you have to not only protect the data
but monitor the access coming in and out that is in the area of the data and i think mike the current form that's where we're
going to get into the the the need for a camera and at a minimum log book of
visitors that have coming in you know what i mean exactly
yeah i mean you got to have you got to have some kind of documentation in control i mean sock 2
talks about it pti talks about it you have to have documentation of who is not an employee
that is on site that has anywhere any ability to have access to your data yeah so if you're like
yeah you have to do it if you're a small shop and um you know that you know it's it's
it's probably not appropriate for you to do a bunch of badge access readers right maybe you're an isolated location and
you know you still just may be storing pii and you know the the sense of information that belongs to your employees and maybe some of your client
data that you know might just be addresses and things like that um you should have a visitor log at a bare
minimum that you're recording everybody who comes into the shop to talk about anything should at least you know sign
into the log so that you have a record you can do it there's there's all kinds of cool digital technology that you can
do that'll take a photo and print out a badge for you um if you want to go that far um if if
you don't fall under any regulations though i mean like if you're not you're not sitting under nist or pci or anything like that i
still think at a bare minimum it does a good a good due diligence to just keep a record of all the visitors with a log
book and yeah you know it takes seconds to do it and it kind of makes you look professional
like oh people got to sign in here it's like a fancy restaurant i mean ideally they show their id too
you know so yeah i know you see it i mean you see it
all over the place now with um even just with ipads i mean you know for a few hundred bucks you can
you can deploy something like that and then um you think about these things too i mean
it can help from a you know business development perspective right they're going in they're logging in it usually
asks for your email or something like that or at least a name and then you got you know you probably have a crm and all
that so you can you can get more out of these than just having a list of people that came into your building you can you
know see who's interacting with you and follow up accordingly and all that good stuff so make it fun
yeah make it fun yeah there's some really cool stuff now if you if you have to if you have to answer to the you know
to the nist and the pci or overlords um then you know you have to you have to have a
complete process of not only just signing the visitors in but ensure that they're signed out
so you can manually do that and like you said zach there's some really cool programs out there that will
um auto registry so you go and you stand in front of the ipad and it takes your photo and it prints out a temporary badge for you and like you said it's
capturing you know your email address and things like that and then when you leave you have to do the same thing at the
stand in front of it and sign you know assigned to say signing out and then it you know validates who you are asks for
your badge retrieval and then you know says goodbye right and then you know the interesting thing is
it's keeping a record of visitors so when we're back on site at some of our client sites you know we've already been there before so it
says is this you yes would you like to update your picture you know those sorts of things so it's a really it's really handy i
think like you said zach from a business perspective not only providing that physical security you know checkpoint that you need for
you know just for due diligence and then as well as you know for the for the the nist and pci overlords it can give you
some saying hey you know this this individual's been here this many times um you know this is their email and so
you can use that for for business development information i'm sure well you can also use it for audit
tracking right if something bad happens every time this individual shows up yeah every time shows up wireless gets
weird like i don't understand what's happening you know there is that um but yeah i
mean it it's just important to know who's in your building and um so start with that and
um i can't tell you how many places we've been to where you just walk in the front door and wander around till you find the person that you need to talk to
and that should not be the case no and then yeah you bring up the next
point right where you know it you know to start all this right it starts with the lock and key and then it matures into having a log
book that you're logging in and logging out visitors and then it matures to the place where you're escorting visitors as
part of policy so you know the only place you're not escorting them to is the restroom right but you're standing outside as they go
in sort of thing and then and then and then you're moving into the place where now you've got cameras everywhere and you're monitoring
access to everybody so if there's an incident you have all these points of of um data to go back to to build help
build a story um to kind of you know demonstrate what happens and then as the next step is to you know have a
reception desk where you know either that's you know depending on the type of business you
are if you've got if you've got armed personnel or non-armed security personnel or you just have an individual
that's a receptionist that's just sitting there um you know taking taking the driver's license giving them a
visitor badge but that's that's kind of where it goes yeah except no cameras in the restroom
yeah no cameras in the restroom or the locker rooms i want to add two to all of this you
know you you have your your you know essentially three categories right your technical controls your administrative
controls and your physical controls but they're all tying together so as you implement these things you want
to have policy around them um so it's documented as well right so the staff for example sign
off that they're not going to just be letting people in the back door so they don't have to go through getting a badge
printed out right yeah yeah you got to stop your randos from coming in first right so
that that's goal number one and then you want to have you know you got internal employees that
might not you know if you if you've got if you've got an office you probably have a deposit okay if you're not having you don't have like a full it room on
site where you've got servers and things and you might but that's got to be limited access you should have an access roster
you know that the it runs that says okay these are the five or these are the ten or these are the two people that are allowed into these or into these places
and then they need to be secured right your i.t closets need to be closed up do not let somebody like myself or mike
come into your office location and have like an id closet that's open where we have access to your switches and your
firewalls
so i don't care if you got to put a stupid deadbolt in that stuff's cheap go to ace hardware get a hole saw i mean this is
all stuff that you can watch youtube videos and how to install a lock on a closet you know what i mean so right but you you don't want your your
non-authorized employees being able to access that stuff and you have to prove and you know i guess the point of all of
this is if you have to end up in court and you've got you've got attorneys asking you questions it's gonna look
real bad when you're like was there a lock on the door to the i.t closet in the break room and
you'll be like well well no you know and so it's just going to be hard to show that you you you went
through any kind of rigor or even just a just minor trying of trying
to secure that that networking closet where that data is flowing across right so so don't don't make those mistakes don't
let mike in there well and time and cost is not justifiable right i mean
no i mean a seven dollar lock and fifteen minutes worth of your time or just change out the doorknob for god's
sakes i mean it it you just i mean there's those are the minimum things that you
need to do and and uh you know going back to saat2 and pci and that sort of thing for stock too if your production
data is in the in amazon say aws you can piggyback off that for your
physical controls for your data to help pass the audit that being said you still
need to secure the stuff locally right so yeah that goes
that goes back to you know i don't know these are kind of hybrid physical controls but we're talking about clean desk
you're talking about locking your computer you're talking about you know turning the computer off um you know
those sort of things now i hated the nitpicky stuff about you must wear your badge
at chest level not at the bottom of your shirt or on your belt you know stuff like that just it's annoying to your
employees so you gotta you gotta balance that out too from
you know just yeah i i always say that the the first you know the first weapon we all have is
awareness right i mean so that's situational awareness and i think that's something that's important to teach if
when you've got to put in these physical controls it's important that the employee base also is part of that culture and that they're looking for
unescorted visitors as an example so i think a good way a good way to test this is you know we you know is with a
physical security assessment and we can figure out not only you know how good your physical
controls are your doors but how aware your people are you know i'm i'm successful because
um of breaching the perimeter because people are friendly and people are always willing to
open a door for you if you've got your hands full or you know you look like you're you know lost or something like that right everybody's willing to kind
of side on the side of good and they'll allow you to come in and and so it's it's human nature to want to you know
trust everybody so you know part of our job is to you know you know as bad as i feel about us to
betray that trust essentially right to prove a point that there needs to be more situational awareness than the humans that are that
are employed at your location so that they're they want they can be nice but they need to do it in a professional manner that
doesn't bring risk to the organization you know again because you don't want to let me in or might get into your
physical location like once we've gotten in and you've got computers in offices it's too late
you've blown our covers we can no longer do
cause any harm um you know and and um another thing i'll add is that you you
also have so you have preventative controls right and and these these
controls in place to um ensure that people aren't getting into
areas that they're supposed to but you you also have um [Music] basically
the ability to deter any potential um threat not any potential threats but
deter potential potential threats by making your organization look like a harder target
for attack a simple example of that is just cameras on the outside of the building that are visible
right that's that's going to be one thing that yes they're actually monitoring what's going on
but um they're they're also a deterrent in a way just like signage
um even small fences and things like that are all little obstacles and little
things that make people think twice about doing nefarious stuff in your environment
i read something somewhere i can't remember so don't don't you know blow us up on this but i've read somewhere that
a camera that's off and exposed is just as effective as one that's on or almost as effective
as a deterrent as a deterrent yeah because you don't know you know
they sell those fake ones um i don't know if you've seen those but yeah the fake cameras that are
like five bucks you know and you stick them all over your building and they look like the real thing
is that security through obscurity yeah exactly um it's you know it's one of
those things where well you know if you're those of you all the you know we probably have
hundreds of thousands of listeners in the washington dc area right that might be uh that might be a slight
exaggeration but um you know as you drive all over the the suburbs of dc um you know out by rest and places like
that you go these back roads and there's all these little buildings that are um they're tucked back in the forest and
they have a huge fence behind them and um and the camera's pointing down at the at the front gate and all that stuff and
there's no markings or anything like that you you drive by those and it's like yeah those are that's probably not
one that i want to mess with right um just because they're they're kind of they're there for a reason right
and that's all by design there's a reason they didn't put them in that put that same office in the strip mall or you know the
the um you know shared office high-rise or something like that they're out there um protected like that
for a very good reason so just think about put yourself in the shoes of an attacker
or somebody you know potentially a malicious individual and think well what is what do i what does my organization look like
um you know to somebody malicious dude do i look like a hard target um and you can do it while still be
inviting to your customers and all that so we're not saying you have to have a you know 400 pound man with an ak-47
standing out by your front door um although that helps but um because some people not may not you
know take too well to that but you know put these things in place and and um
you know i think today i mean we could go into all kinds of stuff gates and fencing and
bullards and man traps and lighting and all this other stuff that goes into it but for
for the purposes of most people i think we've covered it pretty well i mean lock up your especially your data
centers your server rooms all of that keep it um
ideally under badge access but if you can you know if you can't do that lock and key and then have a good method to
escort people through the building that are visitors um having people log in and log out
um you know those are those are core functions are there any other kind of
basics or anything that you would share um that before we jump off here
um if you're dealing with nist and you've got like itar or cui data
and you're like a big manufacturing organization or something like that you can you can scope the physical security
the higher controls around where that data is resting so kind of like pci you can ramp the controls where
where data is is you know stored transmitted or processed and and then you know kind of leave
you know leave some lighter controls but i don't say don't ignore physical security controls if you're going to do this right and you still need to lock
your main office doors and have cameras if you're you know legitimate business and and if you if you can
um you know just get a ring you know i mean these these doorbell style cameras are inexpensive they work very
well you can stick one on any office door pretty much and you'll be able to you know have some form of visibility of
not only the mail when it comes right because you want to get those checks from people that are paying you or whatever the case may be but um also in
case something rando happens right so just you know keep that in mind but um you can de-scope some of the areas that
aren't processing storing transmitting but um you know make sure that you don't ignore physical security controls at all
and then you know um think of um you know your yards right if you've got if you've got big you know big yards for
for the manufacturing that you're doing that you know the fencing that you've got around the yard also needs to
prevent prying eyes so you'll need some form of like opaque uh you know the covering that goes on
the outside of the fence it's like a kind of a kind of a heavy kind of uh
like plastic you know what i mean yeah like shade cloth that goes around the outside of the fencing so that people
driving by especially if you're in a you know public area which most big manufacturing companies tend to be um
they can't look through the fence and see what's happening in the yard that sort of thing so keep that in mind too
actually sorry go ahead i was just saying an excellent point you
know visibility um goes a long way too you know can people see right through the windows onto the screen
that you know your staff just walked away from that has a bunch of phi up on it right if it's a healthcare
company or something like that um make understand a line of sight and um you
know window shadings or reflective tint things like that to prevent visibility into the building
sure well i mean if you want to get if you want to get super if you want to get super old-school hacker um you know it's
been you know this has been known for a while but you can run red lasers in through a window
onto a computer and if rfid is is connected between the the keyboard and
the and the computer you can you can capture all those keys being processed so yeah and probably other information
too right and i think the you know the spy community has probably known about that for a long time which is why the government makes buildings tempest right
where lasers and those types of radio frequencies don't don't penetrate so i mean you know
you can certainly you need to do only so much right other than getting the chuck norris and the hallway of lasers
yeah you know i mean well they've actually done studies where air gap networks can get hacked based on the vibrations off
the back of monitors yeah right yeah that's crazy it's absolutely crazy but uh so
but i was also thinking back to the old cissp and i know they changed the format i don't know if they folded this into a
separate domain or if it's still there but there used to be a physical security domain for the cissp test and
certification that talked about the bollards and how high a light should be in a parking lot and
location of the building was a key thing you know where are you going to put it why are you going to put it there
you look at things as far as utility access road access but visibility into the building where
do you put the server room in a building where do you put you know keep the server room on the top floor no you put
it on the bottom floor or whatever i mean it's there is guidance out there for you some
of it is over the top if you're a small mom and pop company so just start with lock your data and then score people
through the building but it is one of the things as i do audits especially sock too people don't even think about it
and you need to absolutely don't build a uh don't build a diamond
exchange next to a main highway you'll probably get one yeah yeah yeah good point right next to the 711 off the
first off ramp yeah well outstanding thank you everybody for joining us i
hope this was helpful there this is a huge topic to unpack um i think we we
scratched the surface here there's certainly a lot more to talk about but long story short if you're a sizable
organization with a lot of physical presence just get get a consult and get some professional help to help you
understand how to secure your your data from the physical access perspective
and a lot a lot can be accomplished at the same time thinking about you know potentials for various types of
disasters that may occur where things are located all that good stuff um just get some help if if you have questions
on this um and there's lots and lots of information online of course um so hope this was beneficial for you uh thank you
for listening to the cyber ants podcast please rate it subscribe do all that stuff share with your friends so we can
get more cyber security information out there to the people who need it and the people who need some guidance so thank
you and we will see you next time