Physical and cyber threats collide in data theft incidents at N.J. businesses
For years, cybersecurity experts have warned about the lengths that criminals will go to in gaining access to the network of their intended victim, including exploiting flaws in an organization’s physical security program to achieve their goals. Some security practitioners brushed aside these concerns convinced that these so-called “hackers,” often portrayed as socially awkward misfits in movies and television shows, lacked the skills required to bypass not only access control, video surveillance and other technology systems at their disposal but also the combination of guards and an attentive workforce.
However, the comfort that CSOs and other security professionals had in the ability of technology and people to stop these network intrusions is now lacking following the arrest of a New Jersey man who recently admitted to trespassing on the premises of two businesses in order to break into their computers and steal data.
According to an indictment filed by federal prosecutors, beginning in February 2017, the suspect, identified as Ankur Agarwal, 45, walked onto the property of an unnamed company (Company One) and installed hardware key-logger devices onto their computers. Agarwal was then able to use the keystrokes recorded by the devices to obtain the login credentials of numerous employees. He also connected his personal laptop computer to the company’s network and gained the ability to remotely access it. Prosecutors say he later used this remote access to steal, transfer and exfiltrate data from the company.
“Agarwal specifically targeted data related to the Emerging Technology and the employees assigned to work on the Emerging Technology ("Emerging Technology Team"). Beginning in or about March 2017, Agarwal created a computer code designed to exfiltrate data (the "Exfil Script"). From in or about March 2017 until in or about September 2017, Agarwal executed the Exfil Script against multiple computers used by the Emerging Technology Team. Using these tactics and methods, Agarwal stole data relating to the Emerging Technology and personal information associated with multiple members of the Emerging Technology Team,” the indictment reads.
Just a year earlier in 2016, Agarwal trespassed on the premises of a different unnamed company (Company Two) by using the identification of another person. Prosecutors say he then obtained an access badge that gave him continued access to the premises. As in the aforementioned incident, Agarwal used a key-logger device to obtain the login credentials of several employees which he then used to remotely access and steal data from the company.
Agarwal recently pleaded guilty to two counts of obtaining information from computers and a count of aggravated identity theft. He is set to be sentenced in January and faces up to 12 years in prison for the crimes.
The Need for Convergence
According to John Gomez, CEO of Sensato Cybersecurity Solutions, this incident reinforces the need for convergence between physical security and cybersecurity defenses in organizations.
“All too often we see that as a separate world, and I would say in the majority of organizations, you have your physical security and cybersecurity but I think people need to take more of a global look at how that security intersects,” Gomez explains. “This actor got the key cards to get in which is physical, which we know, and then proceeded to do things on the network. There were some simple things on the network that probably could have prevented this attack or reduced the effect of it like network access control and things like that, but when we start looking at whether an employee is logging into a workstation or connecting to a workstation from a location they shouldn’t be in – those kinds of metrics and overlap between physical and cyber – you don’t see it if you don’t have that kind of integration.”
Dan Dunkel, Managing Director of PSA Security Network’s Managed Security Service Provider (MSSP) program, says this intrusion also highlights the need for organizations to deploy network security tools that now have the intelligence to determine if login credentials are being entered by authorized users.
“When you enter a building today with your ID card or smartphone and they know you’re in the building – typically it takes you five minutes to get to your desk and log-in – if they have software that actually understands your login characteristics, in other words it’s not going super-fast so you’re not a machine and you’re a one finger or two finger typist but now all of a sudden someone is racing through the keyboard, from an anomaly standpoint that may not be you,” says Dunkel, who has served in executive positions in both cybersecurity and physical security firms throughout his career. “More importantly, if you use your login credentials to log-in to your building and somebody is accessing your computer and you’re not in the building there are red flags that can go up in that situation.”
Getting Back to the Basics
One of the biggest challenges to implementing an integrated security approach, according to Gomez, lies more in internal corporate politics than in actual technical barriers.
“Do the security officers in an organization report to the CIO? Does the IT security team report to the CIO or do they report to someone else?” Gomez asks. “That’s where we’re going to have challenges as defenders is in the cultural impact and the organizational models that go with trying to integrate cyber and physical security.”
Gomez adds the many businesses simply aren’t doing some of the most basic of things to prevent these types of intrusions. “If you get into an organization and no one is challenging you at the physical level, they don’t recognize who you are, then they’re not doing some of the most basic of things,” he says. “If you’re walking down the hallway and see you someone you don’t recognize and they’re in a location where, even though they have a lanyard around their neck, people should be trained to say, ‘Hey, who are you? What are you doing here? Those little things aren’t happening.”
Despite the success of this attack, Dunkel says the fact that there are still so many unsecured endpoints on corporate networks and that more on coming online everyday means that locking down devices and systems will still a be much larger concern for most organizations in the future.
“As the Internet of Things (IoT) starts to play out, you’re going to have a lot more devices that are connected to the internet that don’t have any security on them so that the actual breach surface, if you will, is a lot wider and when you start to get to a point in the next few years where 5G networks are in existence, criminals are going to be able to steal things a lot faster,” he adds. “You’re not going to have to breach a network and steal things at a slow pace hoping that you won’t be caught. The networks are going to be so fast almost everything you’re stealing will be done in the blink of an eye. The technology is almost playing into the hackers’ hands from the standpoint of being able to do these things through the network rather than having to breach a physical location because that just improves your chance of being caught.”
However, the overall simplicity of this attack combined with its effectiveness should be alarming to every security professional, according to Gomez.
“This guy basically used some very low-tech approaches. The hardest part of this attack is that he got a key card and was able to duplicate it. Once he had that he was in, he was unchallenged, able to enter and exit at will, and leave behind technology and garner data from it,” Gomez says.
About the Author:
Joel Griffin is the Editor of SecurityInfoWatch.com and a veteran security journalist. You can reach him at [email protected].