Page 47 - EE|Times Europe Magazine - December 2020
OPINION | SECURITY

Know Your Adversary: Think Like a Hacker

By Lars Reger

The pandemic has shuffled millions of people out of buildings and into home offices, forcing them to work, shop, and socialize online. During this radical societal shift, the security ecosystem has noted an uptick in cyberattack reports. Even before the pandemic, IoT devices that collected and shared enormous amounts of data were prime hacking targets, as well as entry points for scalable and lucrative attacks. The pandemic has seemingly heightened the attractiveness of hacking.

Security is constantly evolving, as most security experts will tell you. The more barriers that are added, the more sophisticated the attacks become to breach them. To complicate matters, there’s no single profile of an attacker. Some are “lone wolves”; others work within tightly integrated teams. Hackers’ motivations also vary. Some try to find vulnerabilities as if they were working to solve hard-to-crack puzzles. Others initiate an attack to steal data and money to enrich themselves and their gangs. Hackers’ skills are as wide-ranging as their software and hardware tools are sophisticated.

To guard against these attacks, many organizations gravitate toward structure and rules. Unfortunately, attackers are difficult to predict. Seldom following any type of set structure, attacks are as diverse and creative as the individuals who perpetrate them. What can be done in such a set of circumstances?

NXP Semiconductors is very much involved with developing products that meet cybersecurity standards and creating the best practices needed to implement and test those solutions. This results in the foundation that our customers use to build secure products. Ensuring that our employees understand the threats and are equipped to address them is a high priority.

‘SECURITY SCHOOL’

At NXP, we’ve set out to help our employees understand their security environment and understand the adversaries they face. We want these developing experts to think like hackers.

With this mindset, NXP established a “Security School” to teach employees how to recognize attack surfaces, become more fluent in the vocabulary of cybersecurity, and gain a foundational understanding of cryptography, security implementations, and system security. The goal was to become more attuned to the nuances of security and to train our team members to recognize common behaviors and patterns.

We recognize that not many companies can put together the type of training we’ve assembled for our employees, but there are some general guidelines that can help teams improve their security posture.

Think like hackers who attempt to break into IT.

These hackers may enter a system by “riding” on a data packet through an internet cable or via a wireless antenna. They may try to mount sophisticated hacks to control and manipulate IT infrastructures and systems to steal confidential information about customers, employees, and intellectual property.

At a foundational level, companies should provide IT security training to all employees, with the common understanding that a company is only as safe as its weakest link. The central question that underpins this basic training is: What is IT security? The focus must be on the general principles and practices of cybersecurity — starting with password and email security, document classification and encryption, and a full understanding of phishing scams and other common threats.

A culture of security teamwork should be fostered, similar to team sports. Employees should develop a team mindset that recognizes that an adversary scores when a weakness is spotted and that every individual is essential to IT security. Employees should learn how to identify and avoid scams and phishing attempts, use application security, and apply general advice to secure their everyday work environment.

Think like hackers who try to physically break into sites.

Gaining physical access to a workplace can be detrimental to a company’s secrets and much more. Site security establishes physical protection of the company premises. Although there are plenty of measures to restrict access, attackers are determined and may attempt to break or sneak into offices or production sites.

Some attackers may apply social engineering tactics to manipulate employees into divulging confidential information that would allow them to gain physical access to a building. These can range from following or “tailgating” to blackmail or even simply exploiting someone’s laziness, curiosity, or friendliness and willingness to help.

An attacker may patiently wait at the entrance of a workplace for an opportunity to steal an access card that gets them through the gates. Or the attacker may try to take advantage of situations when fewer people are around, or when people are likely more tired after lunch and enter with a crowd into a secure area. Hackers have been known to drop a company-branded USB stick with malicious content installed on it into a common area. An employee might later pick it up and plug it in, hoping to identify its owner and return it. Such attacks can shut down a single computer and, if left undetected, even affect entire systems.

Training that emphasizes the importance of securing physical environments is particularly crucial for companies that build highly sensitive or regulated products and must follow certification procedures. At NXP, the audits that we achieve and maintain, including Common Criteria and Federal Information Processing Standards (FIPS) certification, extend to how the staff is trained and how products are designed.

It’s not just the content of the training that’s important but also the way it’s delivered. Immersive in-person experiences where mistakes are allowed often result in learning that “sticks” and is better-remembered. At NXP, we’ve used an “escape room” scenario that requires trainees to think like a hacker. In this format, a team of employees must find the way out of a room by