Vulnerabilities Of Trusted Partners

pic-1By Emanuel Stafilidis.

The importance of protecting security systems from cyber attack cannot be understated. There is no system anywhere in the world that is safe from hackers. No one will ever be able to completely stop attackers, but they can make it harder.

Imagine a burglar is walking down a suburban street looking for a ‘payday’ and comes across a standard home with lights on, a high fence with a locked gate, cameras, an alarm, and so on. He could break in; he is capable and believes he could get something of value and get away with it. Remember, he is looking for a ‘payday’ and not just a challenge. He then notices a home close by is in the dark, has its front door open and it is obvious no one is home. Which one will the burglar enter? The point is, everyone should have security and it is no different online and with an IP-based security solution.

Security system designers, administrators and operators must carefully consider and protect against threats to the physical security network. It is conceivable that a vulnerable security system could be the opening needed to breach the facility. The vulnerability could allow the perpetrator to access the security network to compromise the security system or use it as the bridge to the corporate and other networks. Security managers must ask what can be done to minimise the impact of a breach.

To protect against the internal and external threats, some organisations are physically separating their IT infrastructure by creating a network for physical security applications that is separate from all other network use. However, this may not be practical because infrastructure and workstations on alternative networks are utilised for the security application.

Even if the network is completely separate and not connected to the outside world, the trusted insider still has access and can facilitate remote access through open ports or access points. Equipment lockdown is an important aspect of controlling general user access to functions and software that can lead to unauthorised system changes or interactions. Network security must be thoroughly implemented as if the system is open to the outside world.

The security manager needs to consider who will have access to the security network, who will administer the network and whether it is separate or connected with other networks. Will the security installation contractor or the end-user’s preferred IT contractor be authorised to access the security network? Who is trusted and how do managers know they are capable of always following procedures? It may be better to utilise the end-user’s existing IT department to conduct administrative services, including security of the network, because they are internal staff and are already responsible for securing the existing corporate network.

The security applied to the network must ensure that perpetrators are caught before they achieve their goal. If a perpetrator does access the security network, they must be quarantined before they steal, tamper, alter or deposit data. They must be restricted so they cannot turn on or off items that could render the physical and/or IT security systems useless.

A very easy way a hacker can penetrate a network is with the use of someone’s login details. The management of user details, including login information, is a very important task. The security manager must analyse his organisation’s policy and procedures relating to logging in to the network. Is entering a username and password sufficient to protect the security system? This form of login is single-factor authentication in that it only relies on something the user knows. If the user passes this single bit of information to someone else, then that person is able to login. This policy is insufficient, particularly when protecting against the trusted insider.

Two-factor authentication is still one of the best methods of protection – something the user knows and something the user has or, even better, something he is, like a biometric. A second factor, such as a card or biometric, greatly assists with the protection of the security network. HID Global are promoting the use of tap authentication, where it is possible to use an access control card to login to workstations and all other devices, such as mobiles and tablets.

Recent reports have shown that once in, the hacker can cause immense damage. A quick Google search will discover recent breaches at JP Morgan Chase, Sony, UPS, The Home Depot, Target (US), the citizens of New York City, Kaspersky and the Australian Government; the list goes on and on.

The majority of breaches reported appear to be debit and credit card data related. The news reports concentrate on breaches that impact large members of the general public, such as debit and credit card holders. This may give security managers of critical infrastructure a false sense of security. Further investigations reveal that every industry is being breached.

Target’s US CEO stepped down after the massive data breach at the end of 2013. It was reported at the time that Target did not have either a chief information security officer (CISO) or a chief security officer (CSO) in place. That begs the question, who was speaking about security matters at board meetings?

It is reported that 40 million credit and debit card records were stolen and over 70 million total records of Target shoppers stolen. Total records included name, address, email address and phone number. Target suffered a 46 percent drop in profits for the fourth quarter of 2013 compared with the year before as a result of the breach. They also spent $100 million on upgrading their payment terminals. The estimated cost to banks and credit unions to re-issue cards was $200 million.

A class action lawsuit against Target has resulted in a further $10 million proposed settlement with affected consumers. The settlement also required Target to appoint a CISO and maintain a written information security program.

Wikipedia reports, “The Sony Pictures Entertainment hack was a release of confidential data belonging to Sony Pictures Entertainment on November 24, 2014. The data included personal information about Sony Pictures employees and their families, e-mails between employees, information about executive salaries at the company, copies of (previously) unreleased Sony films, and other information.”

Reports on the Sony hack were that the breach was a super-sophisticated attack, but Joseph Steinberg of Forbes magazine believes that this seems to be an over-exaggeration. The lesson from the Sony 2014 hack is that organisations without a security solution that can limit damage internally are taking remarkable risks and being extraordinarily naive about the advanced capabilities of today’s cyber attackers.

In June 2015, Kaspersky, one of the world’s leading cybersecurity and research companies, discovered they had been under attack. They found malware in their networks designed to spy on them.

The Australian Government has in place a range of measures, including the Cyber Security Operation Centre within the Defence Signals Directorate and a dedicated cyber investigations unit within the Australian Security Intelligence Organisation (ASIO). The Daily Telegraph reported in 2011 that the Central Intelligence Agency (CIA) and Federal Bureau of Investigation (FBI) advised the Australian Government that at least 10 federal ministers’ emails had been hacked and the compromise occurred over a one-month period. Chinese intelligence agencies were among a list of foreign hackers that were/are under suspicion.

The Australian Government has also documented that a CCTV system installed within a significant site has suffered failures in the past due to “external influences”.

It is very clear that all network-based security systems must be fully protected. Network security must be thoroughly implemented as if the system is open to the outside world. The security applied to the network must ensure that perpetrators are caught before they achieve their goal. Two-factor authentication is still one of the best methods of protection and should be implemented to login to the physical security system.

Emanuel Stafilidis has worked in the electronic security industry since 1988 as a security systems integrator and a security consultant. Emanuel is an independent security adviser and can be contacted at manuelst2@gmail.com

%d bloggers like this: