With threats like phishing and ransomware, it's easy to imagine that all the dangers are coming from the internet. Often, however, where we are most vulnerable is not cybersecurity but rather physical security. For a hacker to break into our network from the internet, they would have to do so much. Brute force multiple passwords, thwart cybersecurity personnel, penetrate firewalls, navigate networks, etc.
Or they could plug into an open ethernet or USB port.
Today, we will look at some of the physical things we can do to prevent a cyberattack. We'll look at locking our computers, protecting our ports, and more.
One of the simplest security measures is to lock the computer when we step away from it. This suggestion seems obvious. We always log off when we go to lunch or go home. But we often forget this simple precaution when we step away for a minute. We're just going to the bathroom or grabbing some coffee. We'll be right back. Anyway, most of us trust our colleagues. We work together. And we believe that our computer is sacred. Surely no one here would violate our confidence.
The truth is that a bad agent needs just seconds to locate confidential information on our computer. They need even less time to install malware on it.
Yet preventing this is so simple. Lock the computer. Just hit either 1) Windows + L or 2) Ctrl + Alt + Delete and then Enter. That's it. When you get back, click the screen and enter your password.
Figure 1: Locking our computer is protecting our data.
What makes laptop and notebook computers so great is that they are portable. We can take our work with us anywhere. This portability is also what makes them so easily stolen.
This vulnerability has been an issue since the advent of these portable devices. As such, back in the 90s, the Kensington Security Slot was created. Since that time, electronic manufactures have included this K-Slot or Kensington lock in the vast majority of laptops. It works so well that the K-Slot is also on monitors, desktop computers, gaming consoles, and video projectors.
Insert the locking mechanism into the K-Slot. Then attach the other end to something immobile. Now your electronics aren't going anywhere.
Many of us work in regulated industries where we frequently have private and personal data glowing on our screens for anyone to see. This data is protected by laws and regulations. So bad agents look over our shoulders at our monitors to access it. This shoulder surfing may seem obvious, with someone breathing down the back of our necks. But what if we're on an airplane, and they are watching from the row behind us? Or what if they see us through our window, watching through binoculars?
Being aware of our environment is always good advice. But we don't want to spend more time looking around than working on our computer. As such, investing in a privacy screen is an inexpensive way to minimize shoulder surfing. Privacy screens make it so that only persons directly in front of the device can see what's happening. To everyone else, the screen looks black.
What's great is that privacy filter technology is available for monitors, laptops, tablets, and smartphones.
Look at that poor guy. He's carrying all those pastries and coffees and trying to fish out his access card to get into the building. He must be on his way to a meeting. Sure we don't recognize him, but he must work here, right?
Maybe. Maybe not. Clever criminals have learned that they can trick many of us into giving them access. If they seem nice, or desperate, or attractive, several of us will help them out. Or rather, help them get in.
Letting the wrong person in is a social engineering attack called tailgating. Sometimes they seem to be struggling to get in the door before we get there. More often, they come running up after us, asking that we hold the door. Either way, these bad actors want to take advantage of our empathy.
I hate this attack. Tailgating forces us to either be naïve or rude. Both of which, I detest. However, if we work in a secured facility, our job is to be jerks when we enter our work.
Since our wireless access points (APs) broadcast our network to everyone in range, these are encrypted and password protected. But we don't offer nearly the same security on our physical ports. Someone plugs a device into an open ethernet/RJ45 port. And the device configures itself to work with the network.
While sometimes this is a bad actor accessing our network, often these get misused by our staff. If the wireless reception isn't strong enough by an employee, this employee might plug in a wireless AP. Please don't do this. This device is a rogue AP. The issue is that these rogue APs are rarely configured with the same security safeguards, creating an opening for those bad actors. A rogue AP can be easy to spot as the SSID rarely matches the rest of the network.
However, a rogue AP with the same SSID is often an evil twin. This AP is not set up by staff but rather by a hacker. The goal with an evil twin is to intercept users' data when they use the hacker's AP. Instead of our staff connecting to the network, they connect to the hacker who connects to the network. Because of the hacker getting into the middle of this connection, this used to be known as a man-in-the-middle attack.[1]
The universal serial bus (USB) is one of the greatest inventions. We can plug seemingly anything into a USB port: keyboards, mice, flash drives, printers, charging cables, and more. And because this serial bus is universal, no matter what we plugin, it usually configures itself.
Similar to open ethernet/RJ45 ports, the problem is that this same convenience is also a vulnerability. A nefarious person can plug in a flash drive, especially one reconfigured to appear as a human interface device (HID). This drive runs a script, and the computer believes it's a person typing commands on a keyboard.
As such, it is best practice to disable any port not being used. Your systems administrator can go into the Device Manager and disable any USB ports, not in use.
Many of us have felt so desperate to charge our phones, we've been tempted to plug into any USB port. This compulsion is especially true when we're traveling. However, it is theoretically possible for a bad actor to configure this USB port to harvest your data and/or inject malware.
There are numerous ways to prevent a juice jack attack. First, you can purchase a charging cable. These cables have only two wires for charging a device instead of the four needed for charging and data transfer. Second, you can get a specially formulated USB condom. Once again, these adaptors let power through but prevent data from flowing. Third, and perhaps the easiest option is to use your AC adaptor. This adaptor will always keep you safe as you plug into a standard outlet.
An important note here, there are no documented cases of juice jacking occurring. As such, everything else on this list is likely more important.
When we focus all our security on virtual threats like malware and hackers, we leave ourselves open to physical threats. It's like we built Fort Knox with lions patrolling the perimeter and missiles locked on anyone at the gate—but leaving the screen door in the back wide open to whatever wanders in. With so many virtual machines, it's easy to forget that computers and networks are physical things.
And these physical devices are often really easy to hack.
While ITs and MSPs, like NexgenTec, are invaluable for cybersecurity concerns, we need your help. We need you. Take the precautions explained above. Implement them in your life. Every time you step away from your computer, hit Ctrl+Alt+Delete and Enter to lock your computer. Consider a Kensington Lock for any mobile device you need to secure. Ask for privacy screens for your devices, especially if you view sensitive information. Whenever you are coming and going from a secured door, don't let anyone else in. etc.
With your help, we can all be a lot safer. Thank you.
[1] Nowadays, this is known as an on-point attack.