ISSA-LA February 17, 2021 Virtual Chapter Meeting
February 17 @ 12:00 pm - 1:15 pm PST
Physical Schmizical – Why InfoSec Needs To Get On It
Abstract: Contemporary physical security practices were largely developed by former law enforcement professionals who viewed their work as “guards, guns, and gates”. Technology was viewed as an apparatus that limited access to protect the value of “physical” assets (equipment) and responded to critical events concerning life safety (people): active shooters, assault, fires, natural disasters, etc. Because information security and physical security had different backgrounds, priorities, and cultures, they developed on separate paths and do not subscribe to the same principles.
If it hasn’t mattered to you in the past, then why now? The short answer is that physical security systems generally have poor cybersecurity designs, are functionally focused on mechanics rather than security controls, and attackers are taking notice that this is a weakness they can use to their advantage. They recognize that blended attacks, which gain them elevated levels of trust and access, can get around the all-digital barriers that InfoSec has been singularly focused on.
Physical security systems had been analog until the last decade or so, when they began going through a transformation. Over the past few years, many have become almost indistinguishable from those in IT. However, they don’t conform to commonly accepted practices and generally aren’t even audited; they wouldn’t pass an audit. Keeping in mind that they are now analogous to AD, domain controllers, and authentication infrastructure, if they are poorly designed and managed there is a range of possibilities that makes attackers grin ear-to-ear. From getting into your data centers, taking over buildings so that no one can get in, installing devices, or social engineering targeted resources from within the four walls, this adds another dynamic that cyber analysts haven’t prepared for.
Terry Gold, who founded D6 Research, specializes in F500 security program assessment, strategy, and remediation in these areas. He has gained access to dozens of end-user program risks, events, and program data, and has studied and designed adaptations to address these aspects.
This session will provide succinct visibility into the current state of cybersecurity deficiencies in physical security, how this undermines CISO objectives, and guidance on how to bring physical security into the corporate risk portfolio with parity and effectiveness.
Agenda for the Webcast
- Physical security charter, range of risks, portfolio
- General system and control principles
- Gap analysis between IT and physical methodologies
- Impact – Attack surface, gaps, blended attacks
- Examples that make you go “________”
- Where and how to bring controls to physical security
- Applying IT governance to physical security
- Cultural transitions and sustainability
- Q & A
- Independent research paper on this topic will be made available
About Terry Gold
Terry is the founder of D6 Research, a vendor-neutral research and advisory firm specializing in cybersecurity across the physical and digital domains. He has spent the last 10 years integrating cybersecurity methods into physical security.
At D6 Research, he has been dedicated to research that challenges common industry practices and leads to improved outcomes; there he developed the industry’s first in-depth threat model and next-generation controls that are in use across some of the largest corporations.
Terry is frequently published in the media and in D6 Research reports, presents at various conferences such as DEFCON where he “trains the hackers”, and serves on a variety of security organization and conference boards.