Mike Wills - The Official (ISC)2 SSCP CBK Reference

One major caution: What you are about to do is tantamount to penetration testing, and to keep that testing ethical, you need to first make sure that you're on the right side of law and ethics. Before you take any action that might be construed as an attempted penetration of an organization's information systems or properties under their control, gain their owners and senior managers permission in writing . Lay out a detailed plan of what you are going to attempt to do, why you propose it as worthwhile, and what you anticipate the disruptions to normal business operations might be. Work with them to specify how you'll monitor and control the penetration test activities and how you'll suspend or terminate them immediately if required. As you learn with each step, err on the side of caution and go back to that management team and ask for their written permission to take the next step.

At a minimum, this will keep you out of jail. It will enhance your chances of staying employed. It will also go a long way toward increasing the awareness of the threat and the opportunity that your management and leadership stakeholders have to do something about it.

The vast majority of businesses and nonprofit organizations have almost nothing to do with national defense or with international intrigue; their leaders, managers, and owners see themselves as light years away from international terrorist plots or organized crime. And they probably are. Unfortunately, this distance can bring a false sense of security with it, one that turns off their imagination.

In virtually every cyber attack, the target is the data that the organization holds. Data about their employees, their customers, or their suppliers; or transaction histories with their partners and their banks. Attackers may have far more reasons for finding value in your data than you think.

Without your data, you can't operate. With your data, your attackers can gain in ways you don't have to imagine in order to stop cybercrime in its tracks.

From early reconnaissance and target selection onward, an APT actor will need to see, sense, observe, and probe at your facilities, your people, and your IT systems. You need to balance allowing these contacts for legitimate outsiders while not making it too easy for a hostile agent to learn too much. You don't control the Internet any more than you control the physical spaces outside of the property line around the buildings your company occupies, but you can and should consider what you choose to make visible, audible, or otherwise physically observable, for example, via:

Visual line of sight, depending on the sensitivity of the organization's operations. Line of sight might be obscured by limiting windows in construction, covering windows in sensitive areas, obstructing views with landscaping/formation, or other means.

Vehicular approach, including roads and driveways toward the property/facilities. For secure facilities, these should deter a straight approach to disallow a drive to build up excessive speed and should include obstacles with bollards, barriers, or retractable tire spikes.

Movement patterns of your workforce can reveal when they're working a special, important activity that demands a surge of effort, versus a normal routine pattern of arrivals and departures.

In the digital domain, use periodic black-box ethical penetration testing techniques to examine all publicly-facing information that your organization makes available on web pages, via e-commerce or e-business connections, and even in advertising and print media. Port scanning and network mapping also may show you spots where your systems reveal too much about themselves.

At the outer boundary of the property, security controls can be implemented for access control.

Fences/walls: While generally seen as deterrent or preventive controls, fences and walls can also be combined with additional mechanisms to offer detection capabilities.

Cameras: Cameras serve a deterrent purpose but can be combined with monitoring capabilities (such as guards watching a video feed or motion sensors) for detection functions. Know that it's fairly easy for dedicated attackers to separate the cameras that are actually monitored from those that are “perimeter dressing” and most often ignored.

Buried lines: While these serve no deterrent function, underground sensors can be used for intrusion detection within the border of a property.

Access control points: Guard stations or gates can be staffed or equipped with additional mechanisms (card readers, cameras, turnstiles, etc.).

Patrols: Guards (human or canine) can provide deterrent, detective, corrective, and recovery controls.

Motion sensors: There are a variety of technologies that support the organization's ability to surveil the perimeter and any area outside facilities, including the cameras and buried lines, as well as microwave, laser, acoustic, and infrared systems.

Lighting: Well-lit areas serve both deterrent and detective purposes. Continual maintenance of all lighting sources is crucial, as a burned-out or broken bulb can defeat any security benefit the light might provide.

The most dangerous workplace location is the site where vehicles and pedestrians meet. It is imperative to include sufficient lighting, signage, and conditions (width of right-of-way, crosswalks, etc.) to minimize the possibility of threats to human health and safety. Monitoring is also useful, as parking areas are often locations that are accessible to the public and have been frequently used to stage criminal activity (workplace violence, robbery, rape, murder, etc.).

If the parking structure allows for entry to the facility, this entry should be equipped with access controls, and all entryways should feed to a single reception point within the facility.

Generators and fuel storage, as well as utility access (power lines, water/sewer pipes, etc.), should be protected from vehicular traffic, either with distance or with additional physical obstructions. There must be sufficient access for fuel delivery traffic, but this should be severely limited to reduce risk.

In addition to the other entrance controls already mentioned, the entry to the facility might include the following:

Reception staff: This includes guards or administrative personnel who observe people entering and leaving the facility.

Logging: This may be as technologically rudimentary as a sign-in book or combined with sophisticated badging/monitoring capabilities.

Flow control: Turnstiles or other mechanisms ensure only one person at a time can pass, typically only after presenting a credential (such as a badge or biometric element).

In addition to the other access control elements used for maintaining physical control of the workplace environment listed elsewhere in the book, the security practitioner should be familiar with the following:

Safes: Secure containers that can offer protection from unauthorized access, fire, water damage, and, in some cases, chemical contaminants. Both the safe itself and the lock on the safe should be rated by a standards body for specific criteria, according to the particular needs of the organization.

Secure processing areas: Specific areas within the workplace that are set aside, both administratively, technically, and physically, from the rest of the production environment. These are typified by secure entryways, severe limitations on personnel access, hardened structures (walls, no windows, etc.), and electromagnetic shielding. In the U.S. government sphere, these are referred to as sensitive compartmented information facilities (SCIFs), although the term has begun to see wider use in nongovernment activities in recent years.