CISA Tip of the Week: Social Engineering & Physical Security

The following tip was provided by our friend, Jim Edman, CISA Cybersecurity Advisor for South Dakota.

We spend most of our time talking about software and hardware vulnerabilities and the related aspects of cybersecurity. It's important that we remember the physical aspects as well. Though we are a small state and considered by some to be somewhat geographically isolated, physical security remains a critical part of cybersecurity. Reports surfaced this week of Russian nationals attempting to gain access to critical infrastructure facilities across the country. Recommendations for verifying in-person and voice I/T support include:

a. Anybody can create a badge and a logo – don't believe an identification on its own. Ask for multiple forms of identification (business cards, driver's licenses, company contacts, etc.). Always ask for credentials that identify both the individual and the company they represent;

b. Find a phone number on the company's own web site (not one the visitor or caller gives you) and call it for confirmation;

c. Who requested the I/T support? Somebody from your organization would have had to make the request;

d. What is the specific problem? The more they talk, the more likely their 'story' gets weaker;

e. Ask for the individual's manager and that manager's phone number (during IRS audits at state government, I routinely asked for badges and supervisors' phone numbers, and then called the auditor's supervisor for verification). If they are doing a security audit, shouldn't we practice what we are promoting? Don't feel bad about getting additional confirmation.

We once contracted for a physical audit/social engineering exercise. The contractor was able to get carte blanche access to the facility because of the attacker's gender: she had a badge and she talked the business. Sometimes our 'customer service' nature overrides our security concerns. Legitimate I/T support staff will respect the additional safeguards your organization puts in place to practice good cyber hygiene!
