Authored by: Morey Haber, CTO/CISO at BeyondTrust
Cyber security in movies is so grossly outrageous that I belch out a cynical laugh whenever I see hacking attempts portrayed in productions like Mission Impossible, War Games, and even Fast and Furious. Threat actors, regardless of whether they are the good guys or the bad guys, almost never hack a computer by sitting in front of its monitor and keyboard. In fact, based on major breaches that have occurred in the last few years, almost every breach occurred remotely. The ones that didn’t are typically associated with some form of insider threat and direct access to sensitive systems and data. And that, in itself, is statistically rare.
If you consider all the attention placed on physical security, you quickly realise that modern threats and attacks are completely unrelated to the best biometric door locks, guard gates, and camera systems. If the asset is connected to the Internet, even through multiple hops via a networked workstation, physical security is completely irrelevant to a threat actor. In fact, if you dispose of equipment and do not properly wipe its storage media and firmware-based management system, all the physical security you applied to those devices in production just went out the door as the devices are being recycled.
Now consider access to the resource itself. With physical security, multiple forms of authentication and surveillance are applied before you can even touch the asset. This includes even the keys to the server rack on a raised floor, and even with those, you still do not have access to the sensitive data residing on the system. Remote access, however, bypasses all of the physical controls and potentially gives you direct access to the data. When some form of remote access is available to a potential threat actor, only a secure remote access technology and least privilege can close off this attack vector. In fact, all remote access sessions are some form of privileged remote access, so why wouldn’t you protect remote access with security controls at least similar to (or better than) those for physical access? Unfortunately, based on modern breaches, we are failing to meet the strategic need for threat mitigation.
To that end, we need a better approach that treats remote access with the same vigilance as physical security. Consider this simplified table mapping potential physical controls to electronic remote access controls:
While not everything perfectly lines up, the comparison is striking. Organisations give enormous priority to ensuring physical access is secure but fall short on electronic remote access controls, despite remote access being the preferred method for threat actors to gain access to systems. While this does not negate the need for physical controls or make a valid argument for forgoing them, it does beg the question: if funds are available, where should they be applied? To a new door lock or biometric system, or to a secure remote access technology that helps contractors, vendors, and remote employees access systems while out of the office?
As the CISO for a leading privileged access management vendor, I choose the latter. This is especially true when physical access controls are not a number one priority for me due to the overwhelming presence of cloud solutions. I rely on my cloud providers and SaaS solutions to protect against physical threats, but I cannot rely on anyone but my team to protect against remote access threats. This helps me make my argument. Physical security is a moot point when you allow remote access, especially when you have no control over any of the physical security aspects of the technology used to enable your business. Therefore, for security controls, I need to protect the number one attack vector in my control, and that is remote access.
Finally, for my organisation, I am lucky. BeyondTrust produces a leading remote access solution for just this use case with all the security controls necessary to match physical security with electronic security. So, for my own use case, I drink my own champagne and utilise the solutions we make, and have made remote access security a priority above physical security. Don’t worry, however; physical security is still quite strong. But it does warrant the question: how is your remote access protected?