by Deanna Zammit
“What keeps me up at night” is a series where top security experts reveal the threats, technologies, and tactics that keep their industry constantly on its toes. As regular citizens, we don’t know the half of what’s going on at the highest levels of national and international security (the true volume would probably induce mass panic). These experts can help give us a better idea of the type of threats we face, and how we as a society can protect against them.
Michael Glasser is a physical and information security expert who has spent nearly 20 years designing and testing physical security solutions for corporations, universities, museums and governments around the world. Among his many skills is red teaming: systematically examining a facility’s security strengths and weaknesses, then exploiting those weaknesses to breach your defenses.
In other words, people hire him to case the joint and break in. At ISC East this past November, his talk was one of the most popular at the event, so we were eager to sit down and find out what he thinks we all should be thinking about now.
What is the most pressing security threat that faces us today?
Short answer: Cybercriminals who disrupt our day-to-day
The typical dependency on technology for daily activities is often undervalued by physical security professionals. Many cybersecurity professionals focus on the typical threats to data privacy, identity theft, ransomware, account security and similar. Attacks on SCADA networks (power grid, water, traffic lights), transportation (planes, trains, and trucks) or communications will be incredibly impactful as they happen.
How many real-world problems would come from a simple cell phone outage? People racing home because they can’t contact their kids, resulting in accidents. People dying because they can’t call an ambulance. Have you ever seen the panic on a 20-something’s face when they forget their phone?
What is the biggest security threat on the horizon that we don’t know about?
Short answer: It depends on who you ask.
The security community has various people with varying levels of expertise and vision into future attacks. This week I read about a red team that is shipping cellular-attached WiFi attack computers to their clients during pen tests. The packages then sit in the client’s environment waiting to be opened for an extended time, allowing hackers the time and distance they need to safely launch an attack. This was noted as “new” in the article. Nothing new about this – just perhaps not written up. How many spy movies have mailed a holiday gift to a person with a GPS tracker or microphone in it? If you make it something nice enough to require it to be plugged in, it may allow persistent access.
What can we do to address these threats now and in the future?
Short answer: Move beyond security and examine risk management.
Just because there is a vulnerability, that doesn’t mean that we need to fix it. Resiliency planning and prioritizing your resources are critical. Designing security into environments and products from the start and throughout the lifecycle is critical. And even if we do all that, we must accept that a skilled and well-resourced attacker may eventually be able to gain privileged access.
The same principles that were true hundreds or thousands of years ago are still true today. Good security hygiene and following the basics will help us down the road. Focus on good, educated risk-based decisions. Then when something bad happens – stick to your decisions, support your team and learn accordingly. Adapt if you have to or maintain the same program if it worked as planned.