Organized crime groups are increasingly looking at ways to physically access IT infrastructure via insiders in contracting firms, police cyber-chiefs have warned.
Shelton Newsham, manager of the Yorkshire and Humber Regional Cyber Crime Team, reportedly told the SINET Global Cybersecurity Innovation Summit last week that gangs are placing their own people in cleaning companies, in order to target corporate networks.
“Exploitation of staff is a key area,” Newsham said, according to CBR.
“Organized crime groups are planting ‘sleepers’ in cleaning companies that a procurement team may look at bidding for. There’s no way of auditing their vetting. They’re also using people in painting and decorating firms; anyone who has out-of-hours access to a building is fair game.”
Jake Moore, cybersecurity specialist at ESET, argued that both cyber and physical security are crucial to maximizing protection of corporate assets, but that it’s a difficult message to get through to the board, especially given the costs involved.
“The best way to realize a business’s own flaws is to conduct a basic penetration test that involves both physical and cyber-threat vectors, and this will easily highlight where those risks lie,” he added.
“It would be arrogant to think that your business does not have weaknesses, so it is best to test these out using red team professionals who will acknowledge any weak points that need addressing.”
The warnings from Yorkshire police echo those made at Infosecurity Europe last year, when Holly Grace Williams, technical director at Secarma, argued that physical intrusions too often go unreported by staff.
CISOs don’t just have to worry about cyber-criminal gangs exploiting physical access to target IT systems. Last year a former college student pleaded guilty to vandalizing computer equipment at his alma mater, the College of St. Rose in Albany, New York.
Vishwanath Akuthota used a “USB Killer” device he bought online to destroy IT kit with an electrical charge.