Social engineering and physical pentesting are topics that large organizations, especially in the financial sector, consider when evaluating risk. Yet, even with those risks well known, criminals were still able to execute a precision hybrid attack against Barclays. CSO spoke to Rook Consulting (a security firm based in Indianapolis that performs physical security assessments) to get their thoughts on this case.
"When put into perspective of the three elements of the enterprise that I always hear people reference (people, process, and technology), this is one of those circumstances that is not (in most cases) going to be caught by any kind of technology on the network. This is going to fall into the other two categories," explained Mat Gangwer, a Security Consultant for Rook.
On the people side of things, security training and user awareness programs are key, Gangwer said. Employees need to know that incidents like the one at Barclays happen, how they should react if they suspect something nefarious is going on, that it's okay to question an unidentified person walking around the office, and whom they should tell.
"For process, it goes back to the 'trust, but verify' model. Sure you can tell me you are an IT person coming to work on the computers, but I'm going to need to verify that is actually the case," Gangwer explained.
"Crimes like this are always going to be a possibility for companies. As we do our job and make it harder for these things to happen, the criminals or bad actors will work just as hard to find new ways to exploit the existing systems."
With that said, Gangwer offered some steps for organizations to consider when it comes to the process aspect of physical security. First, visitors should have proof that a time or meeting has been scheduled, and the receptionist should verify it. Next, verify the person's ID and have them sign in; then have their sponsor come and get them from the lobby and escort them around the office.
Another issue, which can lead to incidents such as the one experienced by Barclays, isn't the lack of physical security assessments, but the severe limits placed on those performing them.
"Financial services institutions handcuff their security consultants by not letting them act as a true rogue agent when conducting assessments," Gangwer explained.
To get the most out of an assessment, organizations should let the consultants take their gloves off and actually act like the criminals. Other than instilling fear in, intimidating, or harming anyone, everything else is fair game. Likewise, don't limit the consultant to just a week onsite, because sometimes the assessment may need to run much longer in order to do the job right.