The Slowest Buffalo in the Herd.

You know that moment in a wildlife documentary, the one where the lions identify the slowest buffalo in the herd and then launch their attack. Have you ever stopped to consider what it’s like to be that buffalo? You weren’t always the slowest. Once upon a time there were other, slower buffaloes; however, they’ve been picked off over time, or they’ve become smarter or faster, until the only thing standing between those lions and their lunch is your ability to escape.

Cyber security is a lot like that, with cyber criminals targeting whichever industry makes for the easiest pickings, and as each industry improves its security posture, the criminals move on to the next easiest targets.

Right now, real estate seems to be the slowest buffalo in the herd. Before that, construction, maritime, and healthcare were targeted until they improved their security posture.

In the attacks currently targeting real estate and conveyancing, cyber criminals insert themselves into the middle of email conversations and online transactions to modify bank account details at the point where settlement funds are being transferred.

The process isn’t all that complicated, or all that sophisticated. The attacker takes control of the conveyancer’s or selling agent’s email account, creates a mailbox rule to divert any emails relating to a particular transaction, then modifies the bank account details and responds as though they are the conveyancer. The funds are deposited into the attacker’s bank account, and the crime is only detected when they fail to appear in the intended recipient’s account.
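The mailbox rule is the part of this attack that leaves a trace a defender can look for. The routine below is an example added to this page, not code from the original article: it scans a handful of constructed mailbox audit records for rules created or changed so that mail about a settlement is moved to a folder the owner never looks at, marked as read, deleted, or forwarded to an outside address. The record shape (an Operation name plus a Name/Value parameter list, using Exchange’s inbox-rule parameter names such as MoveToFolder and ForwardTo) is a simplified stand-in for a real audit export, and the domain, folder names and keywords are assumptions to tune for your own environment.

```python
"""Flag mailbox rules that fit the settlement-diversion pattern.

Added example, not part of the original article. AUDIT_EXPORT is a constructed
sample; its shape is a simplified stand-in for a mailbox-audit export, and the
domain, folders and keywords below are assumptions to tune for your environment.
"""
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
INTERNAL_DOMAINS = {"example-conveyancing.com.au"}  # assumption: your own domains
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "junk email", "deleted items", "notes"}
TRANSACTION_WORDS = {"settlement", "invoice", "payment", "bank", "remittance",
                     "deposit", "trust account", "transfer"}

AUDIT_EXPORT = r"""[
 {"Operation": "New-InboxRule", "UserId": "jane@example-conveyancing.com.au",
  "Parameters": [{"Name": "Name", "Value": "."},
   {"Name": "SubjectContainsWords", "Value": "settlement;42 Example Street"},
   {"Name": "MoveToFolder", "Value": "jane@example-conveyancing.com.au:\\RSS Subscriptions"},
   {"Name": "MarkAsRead", "Value": "True"}]},
 {"Operation": "New-InboxRule", "UserId": "jane@example-conveyancing.com.au",
  "Parameters": [{"Name": "Name", "Value": "Payments"},
   {"Name": "SubjectContainsWords", "Value": "payment;trust account"},
   {"Name": "ForwardTo", "Value": "smtp:jane.smith.conveyancing@mail-example.net"},
   {"Name": "DeleteMessage", "Value": "True"}]},
 {"Operation": "New-InboxRule", "UserId": "bob@example-conveyancing.com.au",
  "Parameters": [{"Name": "Name", "Value": "Newsletters"},
   {"Name": "FromAddressContainsWords", "Value": "news@"},
   {"Name": "MoveToFolder", "Value": "bob@example-conveyancing.com.au:\\Inbox\\Newsletters"}]},
 {"Operation": "Set-InboxRule", "UserId": "jane@example-conveyancing.com.au",
  "Parameters": [{"Name": "Identity", "Value": "Receipts"},
   {"Name": "SubjectOrBodyContainsWords", "Value": "Tax Invoice"},
   {"Name": "MoveToFolder", "Value": "\\Deleted Items"}]},
 {"Operation": "MailboxLogin", "UserId": "jane@example-conveyancing.com.au",
  "Parameters": []}
]"""


@dataclass
class Finding:
    user: str
    rule_name: str
    reasons: List[str] = field(default_factory=list)


def _params(record: dict) -> Dict[str, str]:
    """Flatten the Name/Value parameter list into a plain dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def _is_true(value: Optional[str]) -> bool:
    return value is not None and value.strip().lower() in {"true", "1", "yes"}


def _folder_leaf(path: str) -> str:
    # 'user@x:\RSS Feeds' or '\Inbox\Sub' -> last path component, lower-cased
    return path.replace("/", "\\").split("\\")[-1].strip().lower()


def _external(value: str) -> List[str]:
    """Addresses in a ForwardTo/RedirectTo value that lie outside our domains."""
    found = []
    for raw in value.replace(",", ";").split(";"):
        addr = raw.strip().strip('"').lower()
        addr = addr[5:] if addr.startswith("smtp:") else addr
        if "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS:
            found.append(addr)
    return found


def assess_rule(record: dict) -> Optional[Finding]:
    """Return a Finding if a rule hides or diverts transaction-related mail."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return None
    p = _params(record)
    # Condition side: does the rule key on money-moving conversations?
    conditions = " ".join(p.get(k, "") for k in (
        "SubjectContainsWords", "BodyContainsWords",
        "SubjectOrBodyContainsWords")).lower()
    transactional = any(w in conditions for w in TRANSACTION_WORDS)
    # Action side: does it take the messages out of the owner's view?
    hides = []
    if "MoveToFolder" in p and _folder_leaf(p["MoveToFolder"]) in HIDING_FOLDERS:
        hides.append("moves mail to '%s'" % _folder_leaf(p["MoveToFolder"]))
    if _is_true(p.get("DeleteMessage")):
        hides.append("deletes mail")
    if _is_true(p.get("MarkAsRead")):
        hides.append("marks mail as read")
    # Action side: does it leak copies outside the organisation?
    external = [a for k in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
                for a in _external(p.get(k, ""))]
    reasons = []
    if external:
        reasons.append("forwards to external address(es): " + ", ".join(external))
    if hides and transactional:
        reasons.append("transaction-related rule " + " and ".join(hides))
    if not reasons:
        return None
    name = p.get("Name") or p.get("Identity") or "<unnamed>"
    return Finding(record.get("UserId", "?"), name, reasons)


def load_sample_records() -> List[dict]:
    return json.loads(AUDIT_EXPORT)


def scan(records: List[dict]) -> List[Finding]:
    return [f for f in map(assess_rule, records) if f is not None]


if __name__ == "__main__":
    for f in scan(load_sample_records()):
        print(f"{f.user} rule {f.rule_name!r}: " + "; ".join(f.reasons))
```

Run against the constructed sample, the three rules touching settlement, payment and invoice mail are reported, while Bob’s newsletter rule passes, so ordinary housekeeping does not drown the output. The same logic can be pointed at a real mailbox-audit export once the record loader is adjusted; note that such records only exist if mailbox auditing was switched on before the attacker created the rule.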

Be it because we’re hidden by the rest of the herd, or because there are juicier targets than us, the physical security industry has been relatively untouched by targeted cyber-crime thus far.

Across the industry there tends to be a lack of understanding of cyber risk, a general failure to consider ourselves a target for attack, and a “she’ll be right, mate” attitude. All of this has left us well and truly stuck in the cyber dark ages.

The buffalo model has three components – the lion, the buffalo, and the delicious buffalo steak dinner, or said another way, an attacker, a victim, and a prize.

The Lion

Like the lion, financially motivated cyber criminals don’t really care who their target is; their concern is the size of the payoff, the effort required to achieve it, and the risk to themselves.

There’s some great work being done by law enforcement and government to take down criminal organisations; however, as potential victims, there is not much we can do to stop them from carrying on their criminal activities.

The Buffalo

Whilst we can’t change the fact that there will always be lions, there is a lot that we can do to prevent them from attacking us.

First and foremost, the physical security industry can make sure that it’s not the slowest buffalo. 

There is a lot that individual organisations can do to improve their security posture, but unless the physical security industry as a whole (manufacturers, software vendors, consultants, integrators, guards, installers, and end users) agrees that cyber security is important, and a fundamental requirement from end to end of the supply chain, we risk becoming the slowest buffalo.

Secondly, just as in the wildlife documentaries, sometimes the buffalo kicks, runs, fights back and eventually escapes; so even if your organisation is targeted, your defences may well hold up.

It’s well beyond the scope of this article to lay out a full cyber security program, and every organisation’s requirements differ; however, the first step that every organisation should undertake is an assessment of its cyber risk.

Some of the elements to consider are:

  • What sensitive information does your organisation hold?
  • What value would that information have if it was obtained by a criminal entity?
  • What would the impact to your organisation be if access to that information was lost?
  • What are your essential IT systems – both traditional IT, and operational technology?
  • What legislation such as the Australian Notifiable Data Breaches (NDB) scheme and the European General Data Protection Regulation (GDPR) must you comply with?
  • Do you have, and would you benefit from, cyber insurance?
  • What protections do you have in place for your information systems?
  • Who is responsible for protecting your systems?

All of this is traditional risk management, which most security professionals are familiar with, just applied in a different domain.

Take the time to assess your cyber security risk then engage with a cyber security professional to design and deploy appropriate cyber security protections for your organisation.

The delicious buffalo steak

Whilst the physical security industry may think it is not an appealing target for hackers, that’s not the case. Some of the information attackers may be interested in includes:

  • Site details such as names, addresses, alarm codes, rosters, site orders, and stand-down passwords – all very useful if someone wants to break into a site.
  • For technical security providers and consultants; as-built drawings and design documents detailing all the security technology at a particular site.
  • Lists of master and installer codes and passwords.
  • Alarm panel upload/download (remote programming) software, which would allow codes to be extracted or back-door credentials added.
  • Client and employee information.
  • Contracts, tender documents, and other commercially sensitive information.

As well as sensitive information, there are the complex technology platforms that support our security operations. Whilst patching and software updates are key protective measures, there is a lot of security software still in use that won’t run on modern operating systems, or that hasn’t received any updates for many years. Legacy operating systems and outdated software typically have poor defences against malware. If a guarding company’s roster and guard-tour (wand) system were held to ransom, what would the impact on operations and billing be?

Finally, there’s financial crime – most often via Business Email Compromise and invoice fraud. I’m sure there are many organisations that will update bank account details without any out-of-band validation. As is currently playing out with payment fraud in real estate, liability and responsibility can be very vague in these cases.

Does it really happen?

Cyber crime can and does happen, every day of the week.

In 2017, a Melbourne construction company lost $100,000 when its invoice was intercepted and modified en route to a client, who paid the invoice into the fraudster’s bank account.

Also in 2017, a major Canadian company was forced to pay $425,000 to restore its computer systems after suffering a crippling ransomware attack that not only encrypted its production databases but also the backups as well.

In a little under ten minutes, NotPetya spread throughout the IT systems of global shipping company Maersk, requiring 4,000 servers and 45,000 workstations to be rebuilt and costing the company around $300 million.

In June 2018, a Melbourne family lost $250,000 from the sale of their house after the settlement details were edited in a compromised email account.

What next?

At the moment, we’re watching other industries get picked off, suffer varying losses, then improve their security posture.

We can either continue on our current trajectory, wait until the physical security industry gets targeted, then wring our collective hands; or we can pay heed to the circling lions.

I recommend the latter, but to do so will require a previously unseen level of co-operation across all levels of the industry, from manufacturer and developer to end user.

If you would like some assistance improving your cyber security, get in touch with us today.


Simon Pollak is a security professional with more than 25 years’ experience in physical and cyber security, smart buildings and automation systems. A licensed security consultant and CISSP, he holds a Master of Cyber Security and a Master of Business Administration (Technology).

Simon Pollak is the principal consultant at STSC.

You can follow him at https://au.linkedin.com/in/simonpollak  

This article was first published in the August/September 2018 issue of Security Insider.