While there has been a lot of attention focused on protecting remote employees working from their home offices due to the coronavirus outbreak, IT organizations shouldn’t lose focus on potential threats from cybercriminals who can gain access to physical facilities that are now either completely or partially empty.
In the rush to stand up remote work programs, some safeguards were likely skipped. For example, some employees may not have had time to properly log off and shut down their workstations, and IT teams may not have been told which employees were cleared to work remotely and which were not.
Because we usually picture cybercriminals launching attacks over the network, we forget that at the end of the day they are simply criminals, and just as capable of defeating physical defenses. An attacker can pose as an employee and tailgate a real employee who holds the door open as they enter the building together. Once inside, they can break into a server room and install malware or rogue devices to steal critical data. They can log in at an employee's unattended workstation to reach personnel files, or even access the organization's financial systems and wire money to themselves. They can also shut down internet-connected security cameras, or grant themselves future access to the building by compromising the keycard system.
Responding to Physical Security Incidents
IT organizations should ensure that physical security is a part of their overall security and risk management program. The SANS Institute offers a comprehensive whitepaper on the topic of physical security that provides useful tips, guidelines and even key performance indicators (KPIs) to enhance security programs.
To reduce the impact of a physical intrusion, organizations should implement a Unified Security and Risk Analytics solution with User and Entity Behavior Analytics (UEBA) to monitor the activity of users and entities (including hardware devices and networks). UEBA solutions learn a baseline of normal behavior for each user and entity and compare observed activity against it to flag anomalies that could indicate an attack.
One of the key benefits of UEBA is that it can still protect critical systems after a malicious actor has gained access to network resources. For example, in the case of the employee who inadvertently left their workstation logged in before packing up to work from home, UEBA would detect an attacker using that workstation to download gigabytes of confidential files, because both the time of the activity and the volume of data fall far outside that employee's baseline. UEBA can also detect privilege escalation, a common tactic of attackers once they have obtained an employee's login credentials.
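To make the baseline-versus-observed comparison concrete, here is an added example (written for this page, not code from the original post or from any UEBA product) that learns a per-user baseline from constructed logon and file-access events and then scores the scenario above: after-hours activity from the still-logged-in workstation, a multi-gigabyte download, and the account being added to a privileged group. The event fields, the one-hour tolerance around usual working hours, the z-score threshold and the list of privileged groups are all assumptions chosen for illustration; a production UEBA engine uses far richer models and many more signals.

```python
"""Toy UEBA-style anomaly detector: learn a baseline, then flag deviations.

Added example, not part of the original post or any vendor product. Event
format, thresholds and group names are assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed list of groups whose membership changes count as privilege escalation.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}

# Constructed history: two weeks of ordinary office-hours activity for "alice",
# who pulls about 40 MB a day and never touches privileged groups.
HISTORY = []
for day in range(1, 15):
    HISTORY += [
        {"ts": f"2020-03-{day:02d}T08:30:00", "user": "alice", "host": "WS-ALICE", "event": "logon", "bytes": 0},
        {"ts": f"2020-03-{day:02d}T11:00:00", "user": "alice", "host": "WS-ALICE", "event": "file_read", "bytes": 40_000_000},
        {"ts": f"2020-03-{day:02d}T17:45:00", "user": "alice", "host": "WS-ALICE", "event": "logoff", "bytes": 0},
    ]

# Constructed events from the night after the office emptied: someone at alice's
# unattended, still-logged-in workstation pulls 3 GB and adds the account to
# Domain Admins. The next-morning read is normal and must not be flagged.
SUSPECT = [
    {"ts": "2020-03-17T23:10:00", "user": "alice", "host": "WS-ALICE", "event": "file_read", "bytes": 3_000_000_000},
    {"ts": "2020-03-17T23:25:00", "user": "alice", "host": "WS-ALICE", "event": "group_add", "group": "Domain Admins", "bytes": 0},
    {"ts": "2020-03-18T09:05:00", "user": "alice", "host": "WS-ALICE", "event": "file_read", "bytes": 35_000_000},
]


def hour_of(ev):
    return datetime.fromisoformat(ev["ts"]).hour


def build_baseline(events):
    """Per user: usual hour window, daily byte-volume statistics, privileged-group history."""
    per_user = defaultdict(lambda: {"hours": set(), "daily": defaultdict(int), "priv": False})
    for ev in events:
        b = per_user[ev["user"]]
        b["hours"].add(hour_of(ev))
        b["daily"][ev["ts"][:10]] += ev.get("bytes", 0)
        if ev["event"] == "group_add" and ev.get("group") in PRIVILEGED_GROUPS:
            b["priv"] = True
    baseline = {}
    for user, b in per_user.items():
        vols = list(b["daily"].values())
        baseline[user] = {
            "hour_lo": min(b["hours"]),
            "hour_hi": max(b["hours"]),
            "mean_bytes": mean(vols),
            "std_bytes": pstdev(vols),
            "priv": b["priv"],
        }
    return baseline


def score_event(ev, baseline, z_threshold=3.0):
    """Return the list of reasons an event deviates from its user's baseline (empty = normal)."""
    reasons = []
    b = baseline.get(ev["user"])
    if b is None:
        return ["no baseline for user"]
    # One hour of tolerance either side of the hours seen in the baseline (assumed).
    if not (b["hour_lo"] - 1 <= hour_of(ev) <= b["hour_hi"] + 1):
        reasons.append("activity outside usual hours")
    vol = ev.get("bytes", 0)
    # A perfectly constant baseline has zero spread; floor it so a huge jump still scores.
    std = b["std_bytes"] or max(b["mean_bytes"] * 0.1, 1.0)
    if vol > 0 and (vol - b["mean_bytes"]) / std > z_threshold:
        reasons.append(f"data volume {vol / 1e9:.2f} GB far above baseline")
    if ev["event"] == "group_add" and ev.get("group") in PRIVILEGED_GROUPS and not b["priv"]:
        reasons.append(f"first-ever privileged group change ({ev['group']})")
    return reasons


def detect(events, baseline):
    """Return (timestamp, user, reasons) for every event that deviates from the baseline."""
    hits = []
    for ev in events:
        reasons = score_event(ev, baseline)
        if reasons:
            hits.append((ev["ts"], ev["user"], reasons))
    return hits


if __name__ == "__main__":
    for ts, user, reasons in detect(SUSPECT, build_baseline(HISTORY)):
        print(ts, user, "; ".join(reasons))
```

Run as a script, the two night-time events are reported (the 3 GB read for both time and volume, the group change for time and for privilege escalation) while the 09:05 read of 35 MB passes as normal, which is the false-positive case a baseline has to get right before analysts will trust it.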
Automated UEBA systems that leverage machine learning and analytics can also help resource-strapped security teams. As we noted in an earlier blog, SOC teams impacted by the coronavirus are having to work overtime given the increase in remote workers and COVID-19 themed threats. UEBA solutions are designed to reduce false positives, enabling security analysts to work more efficiently. UEBA analytics models can also predict what an attacker who has compromised an account is likely to do next to expand the attack, giving incident response teams the opportunity to prevent further damage.
As many IT organizations struggle to stay vigilant during the coronavirus outbreak, it helps to leverage intelligent and automated solutions. We encourage you to learn more about how Unified Security and Risk Analytics can supplement your physical security defenses.