The following caught my eye during a review of the Cisco 2007 Annual Security Report, on page 16:

Blended Attacks Targeting Both Physical and IT Domains
In 2007, criminals demonstrated their evolving ingenuity by employing blended attacks to obtain sensitive information and evade detection. The most significant example of this trend was a string of attacks on Stop & Shop supermarkets in Rhode Island. Attackers broke into and vandalized supermarkets, leading police to believe the events were largely petty crimes. But during the break-ins, attackers tampered with the stores’ card readers to collect credit card information.

Of course, upon reading this there was a stream of attack ideas that occurred to me such as using a break-in as a cover for things like installing WIFI access to networks, card skimmers, key loggers, etc. Shortly after reading the Cisco report, I ran into a post on Black Bag (a physical security blog) about a TV show called Tiger Team. The TV show is about a team of penetration testers who (in addition to being very impressed with themselves) test complex physical security systems. I reviewed the first two episodes (which I have to confess I enjoyed), which are available via streaming video.

Interestingly, in the first two episodes (which is all I have watched so far…) the team always used a blended attack. There is a social engineering and digital attack as a prelude to the actual ‘theft’ in both episodes.

I think few people will face attackers of this sophistication, but the series is interesting nonetheless.

Cheers, Erik

Art of Information Security would love your feedback !

Blended Attacks and “The Tiger Team”