For Executive Protection, Physical and Cyber Security Have Fully Converged

This OODA Network Member Only content has been unlocked for unrestricted viewing by RiskIQ through the OODA Unlocked program which lets community members promote thought leadership to a broader global audience.

Corporate and private security teams have well-established procedures and practices for protecting the safety and security of their executives and clients, which can include high net worth families and celebrities. This can include tried and true measures like bodyguards, physical security measures around facilities and homes, secured vehicles with trained drivers, and a whole suite of protective monitoring technologies such as cameras, sensors, alarm systems, and panic buttons.

In the cyber domain, security teams are less practiced at personnel protection and often focus their efforts on protecting work systems and credentials. In today’s hyper-connected world, physical and cyber security have fully converged and must be looked at as one unified security effort.

Consider the following ways in which cybersecurity can impact the physical security of an at-risk executive.

Threat Intelligence and Early Warning

Threat intelligence derived from online platforms and the dark web can provide an early indicator that an executive is at risk. Perhaps a threat is discovered via Twitter, or sensitive residence information has been posted online. It could be that a threat actor is offering to sell informational details about an executive, or in some instances direct targeting is indicated by a request to purchase sensitive information.

Conducting a risk review is an essential first step in managing this risk, and the review will include things like:

  • Availability of personal identifying information online (PII)
  • Availability of residence information online (e.g. an unlisted address)
  • Information revealed via social media platforms.
  • Threatening information posted in the open and dark web and on social media platforms.

In some instances, online postings can be indicative of an attack, or an attacker might monitor the social media accounts of the executive (and their family). Consider the following three real-world case studies.

  1. The child of a high net worth individual is kidnapped after the attacker saw that the mother posted travel information on Twitter (e.g. we are headed to get ice cream at the XYZ shop). The perpetrator went to the location and attempted to kidnap the child.
  2. A celebrity receives a fake kidnapping request on a personal number, and the kidnapper knows what private number to call, the name of the school, and the child’s age, making the claim of kidnapping seem legitimate. The fraudsters had collected the information through an insecure school roster posted online.
  3. A family under high threat conducts a social media review for all family members. One account is completely unprotected, and any stranger can determine the family’s place of residence and vacation homes, the license plate for their vehicles, the name of their yacht, and where they eat frequently. The account also includes a photo of an invitation showing when and where all family members will be gathered together at the same place and time.

Each of these examples is based on real cases we have encountered in the recent past. Each reinforces the need to conduct periodic risk audits, remediate any findings, and incorporate the intelligence into your traditional protection activities. A threat intelligence monitoring service can provide dynamic input to physical security teams regarding emerging threats as well as critical warning on geopolitical or industry-associated risks.

The physical security team should also make sure the cyber threat analysts are aware of physical compromises that could increase cyber risks. For example, was an executive’s phone recently stolen? Did someone steal mail from a residential mailbox? Have there been any successful or unsuccessful burglaries?

It is also important to expand the protection circle and recognize the value of monitoring and improving the cybersecurity posture of direct relatives. Many times, the critical information leak that represents a risk to the executive is a result of indirect sharing or compromise of someone close to them.

Executives should also ensure that all electronic devices are configured for high security, especially when traveling. For detailed cybersecurity travel guidance, please visit our Cybersecurity Guidelines for Executive Travel.

Protecting Security and IoT Devices

Another key convergence between the physical and cyber domains as it relates to executive protection is the increasing use of network-connected security, home automation, and IoT devices. Consider that the average house might include all of these devices connected to the same network, each a potential compromise vector:

  • Security cameras including camera enabled doorbells
  • Baby and infirm monitors
  • Smart locks
  • Internet connected thermostats
  • Smart lightbulbs
  • Home security systems
  • Other home device interfaces (from fridges to swimming pools)
  • Personal computers
  • Mobile phones
  • Music players (e.g. Sonos)
  • Smart hubs (Alexa, Siri, Google)
  • Streaming video devices (Apple TV, Amazon Fire, etc)
  • Console gaming systems
  • Televisions
  • Receivers, DVD players, etc.
  • Smart sensors (humidity, motion, magnetic, etc.)
  • Media devices (photo frames)
  • Disk storage (Synology, Drobo, etc)

For any given household this is a large attack surface, but the greatest risk comes from attackers leveraging an unimportant device (your DVD player) to pivot into a security device like a camera or alarm system. This allows them to collect intelligence and impact the physical security of the location.

Consider a few real-world examples:

  1. Cyber attackers compromise the security camera system for a high-risk executive with a gated property protected by armed guards. The cyber attackers are also able to shoulder surf the house’s security system code, which would allow them to disable it during a physical attack.
  2. A photo storage device with tens of thousands of personal photos is compromised, the release of which would not only embarrass the family, but would also provide sensitive information about family holiday locations, appearance of children, assets, etc.
  3. The video conference system in an executive’s meeting room is compromised, allowing an attacker to watch and listen to every conversation in the room.

How can physical teams work with cyber experts to manage this risk?

Best practices in cybersecurity should be part of any comprehensive protection strategy. Some key actions:

  • Conduct a risk assessment of all IT assets at the residence and remediate any vulnerabilities discovered.
  • Work with network experts to segment devices into trusted and untrusted networks.
  • Make sure IT administrators keep all systems up to date and properly patched.
  • Implement an intrusion detection monitoring system to identify attempted and successful attacks so they can be properly mitigated and responded to.
  • Consider use of network security systems to log mobile devices in the vicinity of the residence in question, since this may assist in forensics after an event.
  • Before deploying new advanced technology to augment your security team, consider the information security risks. What is the security model for that new AI-enabled camera you want to install?
  • Make sure the communications amongst your team and between your team and the client are secure through the use of end-to-end encrypted messenger applications.

Managing Social Engineering Risks

Another attack vector that can be used to introduce risk is social engineering, in which an attacker engages in electronic or voice communications to obtain information that can facilitate another attack. For example, an email spearphishing attack might allow a personal computer or mobile device to become compromised, or an employee might give out sensitive or personal information to a phone caller masquerading as a service provider or partner. In one instance we observed, attackers tried to lure a high net worth individual to a foreign location to kidnap them.

These social engineering attacks might be coupled with other physical fraud activity like accessing household mailboxes or opening accounts.

In some instances, the perpetrators might be spoofing or impersonating the executive in order to drive other fraud activity. Imagine the famous businesswoman who is successfully impersonated on social media by an account that has thousands of followers and points those followers to malware-enabled or fraud-themed websites.

There are three primary means of managing this risk.

  • Threat intelligence can give early warning of potential attacks by monitoring the executive’s brand in a variety of domains including the open and dark web, social media, and traditional media. Monitoring should also include immediate family members.
  • Technical countermeasures can be put in place for identity verification, aggressive spearphishing monitoring and interception, and blacklisting.
  • Executives should be properly trained to recognize and report social engineering attacks.

Managing the nexus between physical and cyber security is possible with a deliberate mindset and full cooperation and integration between the two teams. Physical security practitioners should view cyber defense experts as a vital component of their risk management strategy.

Matt Devost

Matthew G. Devost is the CEO & Co-Founder of OODA LLC. Matt is a technologist, entrepreneur, and international security expert specializing in counterterrorism, critical infrastructure protection, intelligence, risk management and cyber-security issues. Matt co-founded the cyber security consultancy FusionX from 2010-2017. Matt was President & CEO of the Terrorism Research Center/Total Intel from 1996-2009. For a full bio, please see www.devost.net