How to Manage Access to Hardware Devices in Your Organization? The Myth Buster

Sepio Systems revolutionizes the way organizations manage access to their hardware devices, whether they are physically in the organization's offices or employees' homes. One of Sepio’s Co-Founders and CMO, Bentsi Ben-Atar, sat with us for in interview and busted some myths related to the way in which we manage one of our most valuable assets in our organization, the physical devices

How to manage access to hardware devices in your organization? The Myth Buster
Shutterstock

Myth #1: “The problem does not exist! If it does, it only exists in struggles between countries!”

In other words– “If the threat is truly real and, on the rise, why don’t we hear about it often?”

So, to answer your question-no! Most organizations are reluctant to share the fact that their assets may be at risk from attacks carried out by physical devices... This is because it reflects the organization’s physical security in a very negative manner. An alternate reason may be that they mistakenly thought a particular attack was caused by PHISHING or an employee who clicked on a link that somehow managed to infiltrate through the defense systems… When in practice, by using cheap and simple attack tools, it increases the risk and possibility to produce the same accessibility with the same forensic signature. The examination of information security standards (GDPR, CMMC, NIST) reveals that the topic of Hardware assets “stars” at the top of the list. Are you still not convinced? Let’s take a look at an example that does receive public resonance- ATM attacks. Here the "asset" is physically protected (safe, ANTI TAMPERING mechanisms) virtual (operating system hardening, Privileged users management, port locking, IDS, IPS, DLP) and guess what? 2020 was the best year (in terms of hackers) in which there have been the most successful attacks with the use of Black Box, (a Hardware device that allows USB MiTM to be performed) and using Physical Layer implants (attack via the network cable connected to the ATM). To what extent are your assets, which are currently connected to your employee's living room, better protected than an ATM machine?

Myth #2: “We are safe!” – In order to find out how well your assets are in fact protected, you need to find out what they actually are. Pop quiz! How long would it take you to answer this question- do you have (and if so, how many) Logitech wireless computer mice in your R&D department? When you must renew your maintenance contract for Hikivision cameras, does the Purchase Department ask how many of those you have? Are there any switches that have not undergone critical security updates? If you need more than 10 seconds to answer this question then, "Houston, we have a problem!”

True, you put a steel door with an infinite amount of locks, observation towers, deceptive scarecrows, but you ignored one important fact - the potential attackers are always smart and know how to make the necessary adjustments. Anything that is valid in the challenges of the physical world are also valid in the cyber world. Do you want an example? Please- when Hamas realized that the surface was almost hermetically covered by observers and other technological means, it made the necessary adjustments and moved below the surface, and for quite a few years, took advantage of the lack of identification systems in the field. In our world, the attackers know exactly what means of protection you have! They also know if your EPS, NAC, IDC are doing a good job with attacks that occur on LAYER 2 and above. Attackers have been able to figure out what the blind spots are in these solutions and have begun using attack tools on LAYER 1 (the physical layer). Let’s just say that they are enjoying the fact that most organizations have not yet closed this loophole.

Bentsi Ben-Atar
Bentsi Ben-AtarSepio Systems

Myth #3: “Who do we interest?”

Every organization has assets that attract external rivals. You are far more interesting than you think, even if you are not a nuclear reactor or a laboratory developing a vaccine for COVID-19. Other than the obvious examples of financial scams and critical infrastructure attacks that are always “starring” in the top stories, there are many more examples. If your competitor is interested in gaining information about a particular polymer compound you are working on, your HubSpot customer database, patent filings, a draft due diligence report before M&A that is conducted discreetly- they have two options. Firstly, to go "head to head" with existing security solutions and try to be smart enough to get around them. Second, to find the areas in which protection is sparse (if any).

If you examine the ransomware attacks, you’ll find out that this phenomenon is not limited to a particular domain or scope of organizations. Now that you have internalized that these attacks may penetrate an organization even through a hardware device, understand that you are a much more interesting target than you imagined. If you still are not convinced and would like to see a Live Demo of this type of attack with your own eyes, talk to us.

Myth #4: “We do not use USBs, and everything is blocked!”

A statement we have heard countless times, and what really is behind it is the use of pre-authorization capabilities in Device-control, EPS / EDR solutions that usually block storage devices, phones, keyboards and mice with certain VID / PID, etc. When the Information Security Manager is asked, “okay, so what do your employees use in order to type?”, the answer we get is, “oh of course, they use a keyboard!” Then when asked how the keyboard is connected, their reply is, “USB connection”. So somehow there has been an unclear distinction between "HID" devices and other devices. A keyboard and mouse will always be there, and as long as they are there, the devices impersonating them will also be there.

Myth #5: “Do I have a reason to worry if my employees use a VPN, VDI, or RDP?”

In the long run, at the edge of the computer system, there is a human who needs to type or navigate with a mouse. Attack tools that impersonate HID devices perfectly (logically), actually impersonate a human who types commands (with randomness in hard keys in order to prevent detection), so that the fact that the endpoint is in the cloud or REMOTE on a remote physical station does not alter or dull the attack efficiency.

Myth #6: “There is nothing to do. This is just another threat that we will have to live with!”

Finally, the good news! We have successfully created a solution that provides visibility to all assets in your organization (whether they are IT/OT/IoT), Policy Enforcement, depending on the type of device, the department in the organization, the specific employee at home.

And of course, the ability to detect attacks through USB interface (HID Emulators, NIC manipulators, etc.) or through the Ethernet interface (Passive taps, Spoofing devices, Unmanaged switches, etc.).

Our HAC-1 solution can be easily implemented. How easily? Give us 24 hours and see for yourself. The value that its unique capabilities provide, both for your IT and infrastructure people, and for information security people. Furthermore, its ability to integrate into your existing security system (through built-in integration with leading security solutions in the market) will BOOST your level of control and security, and most importantly, the next time that a potential attacker will examine your organization, he will prefer to move on to your competitors…

“Every organization has assets that attract external rivals. You are far more interesting than you think, even if you are not a nuclear reactor or a laboratory developing a vaccine for COVID-19.”

The Author is the Social Media Manager for Sepio Systems