Cyber-securing physical security

March 2018 Editor's Choice, Information Security

You can’t kick a rock these days without hearing about cybersecurity and the Internet of Things (IoT). At the same time, you should not be talking, reading or hearing about one of these without the other.

In an age where more electronic devices are being connected and transmitting data, cyber threats are growing because there are so many more ways that cyber criminals can get into networks undetected to commit their criminal deeds. In the physical security world, the very devices we install to improve security can and have been used as access points, allowing nefarious actors to access and manipulate networks and data. The public exposure given to botnets and malware making use of physical security devices and their vulnerabilities is widely available for all to see.

We are now in a situation where the products we use to secure our premises, assets and people from physical attack need to be secured against digital attacks. The security manufacturers have come a long way in making this happen, but they still have a way to go. The biggest problem remaining, however, is that just as a company is not secured by installing antivirus software on its PCs, you are not secure using secured cameras or access points. Security is a holistic solution, as criminals can easily find a vulnerability somewhere if the whole system has not been designed to be secure.

Getting the basics right


When it comes to security, especially with the move to IP-based security networks, the first port of call in securing your installation is to ensure your network has been set up with security in mind. Jim Green, CTO of Gold N’ Links Cyber, explains that, at a basic level, it is important to isolate your physical security networks (access control and surveillance networks, for example) from your internal networks by means of network segmentation.

“This means that the access control network should have a separate IP address range from other more sensitive internal networks, such as your endpoint computing and server networks. This segmentation can be implemented on your network switch together with the registration of the hardware (MAC) address of each device to provide a form of network access device control.”

He adds that although there are ways to get around this, it will at least raise the barrier to a hacker. Taking this approach further, the network segmentation could be implemented on a firewall through the creation of security zones to increasingly isolate these networks from your internal networks.

“Rules and various types of packet inspection capabilities can then be added to further strengthen these defences. Firewalls and some switches can provide some form of alerting information in the form of logs and these should be captured separately and inspected for signs of suspicious behaviour on a daily basis.”
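The following is an added example, not code from the article or from the people it quotes. It sketches a daily log review that flags traffic from the physical security segment which breaks the segmentation and MAC registration described above. The log line format, address ranges, MAC register and permitted flow are all constructed assumptions.

```python
import ipaddress

# Constructed addressing plan and device register (assumptions, not from the article).
SECURITY_NET = ipaddress.ip_network("10.20.0.0/24")      # cameras, door controllers
INTERNAL_NETS = [ipaddress.ip_network("10.10.0.0/16")]   # endpoints and servers
REGISTERED = {"00:00:5e:00:53:01": "10.20.0.31",         # MAC -> IP per device
              "00:00:5e:00:53:02": "10.20.0.32"}
ALLOWED = {("10.10.0.5", 123)}   # permitted flows out of the segment (here: NTP)

def parse(line):
    """Parse 'timestamp key=value ...' into a dict, or None if malformed."""
    parts = line.split()
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    try:
        return {"ts": parts[0], "mac": fields["mac"].lower(),
                "src": ipaddress.ip_address(fields["src"]),
                "dst": ipaddress.ip_address(fields["dst"]),
                "dport": int(fields["dport"])}
    except (IndexError, KeyError, ValueError):
        return None

def classify(f):
    """Return a finding label for one flow, or None when it is expected."""
    if f["src"] not in SECURITY_NET:
        return None                          # not from the security segment
    if REGISTERED.get(f["mac"]) != str(f["src"]):
        return "unregistered-device"         # unknown MAC or MAC/IP mismatch
    if f["dst"] in SECURITY_NET or (str(f["dst"]), f["dport"]) in ALLOWED:
        return None                          # stays inside, or explicitly permitted
    if any(f["dst"] in net for net in INTERNAL_NETS):
        return "to-internal"                 # crossing into internal networks
    return "to-external"                     # leaving the organisation

def review(lines):
    """Return (label, summary) for every line that needs a human look."""
    findings = []
    for line in lines:
        f = parse(line)
        label = "unparsed" if f is None else classify(f)
        if label:
            summary = line if f is None else f"{f['ts']} {f['src']} -> {f['dst']}:{f['dport']}"
            findings.append((label, summary))
    return findings

SAMPLE_LOG = [  # constructed log lines
    "2018-03-01T02:14:07 src=10.20.0.31 mac=00:00:5e:00:53:01 dst=10.20.0.10 dport=554 action=allow",
    "2018-03-01T02:15:00 src=10.20.0.31 mac=00:00:5e:00:53:01 dst=10.10.0.5 dport=123 action=allow",
    "2018-03-01T02:16:41 src=10.20.0.32 mac=00:00:5e:00:53:02 dst=10.10.4.20 dport=445 action=deny",
    "2018-03-01T02:16:59 src=10.20.0.32 mac=00:00:5e:00:53:02 dst=203.0.113.9 dport=23 action=deny",
    "2018-03-01T02:20:13 src=10.20.0.40 mac=00:00:5e:00:53:99 dst=10.20.0.10 dport=554 action=allow",
]

if __name__ == "__main__":
    for label, summary in review(SAMPLE_LOG):
        print(f"{label:20} {summary}")
```

Denied flows are reported as well as allowed ones, since a blocked attempt from a camera to a file server or an outside host is itself a sign that the device needs attention.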

Green also notes that, although it is a basic requirement, it is often overlooked: you must change the passwords of the access control devices or surveillance cameras before they are connected to the network. “You should not use the same password as any other password that is used anywhere else in the network and it is a good idea to change these passwords on a regular basis. The other regular maintenance exercise should be to upgrade the access control or surveillance system software or firmware as indicated by the device manufacturer when such updates are released.”


Charl Ueckermann, CEO at AVeS Cyber Security adds that you must also ensure your systems are protected with the basic solutions used in the IT industry, namely:

• Endpoint security (antivirus),

• Perimeter security (firewall), and

• Advanced Threat Protection (APT) solutions.

Dealing with the threats

Ueckermann expands on this, noting that reducing cybersecurity risks depends on the alignment of your people, processes and technology.

• People: Ueckermann explains that every person who interacts with the IT system needs a certain level of awareness of what their role and responsibilities are, to prevent unnecessary cybersecurity risks. For example, if customers are not diligent with their passwords on either their alarm or CCTV equipment, they may be compromised. If an installer has only one master password for all his installations and that password is compromised, then all the good work at all clients is compromised. “Rather use a structured password associated to every unique site.”

• Process: Always do a structured risk assessment before deciding on a plan of action. Make use of installers that have a pragmatic and structured approach in how they assess risk. You can never eliminate all risks, but you can appropriately reduce risk.

• Technology: There is no such thing as free anti-virus or cybersecurity software, Ueckermann warns. Use industry-leading vendors that monitor the cybersecurity threat landscape by the second. This will be appropriate to ensure your systems are properly protected.

Green notes that one should have an awareness of the goals of would-be attackers. “These can fall into two main areas, namely internal attacks focused at compromising and utilising access control and/or surveillance devices to create a ‘beach-head’ to attack other areas of a business or organisation’s network, and external attacks in the sense that a compromised device can be used as part of an attack against other customers’ networks.

“In the latter case, the compromised device (sometimes called a ‘zombie’) may be loaded with malware that listens out for a remote command from the attacker. Upon receipt thereof, it proceeds to launch an attack on another network. These zombie devices effectively, and often unbeknown to the device owners, become part of the attacker’s botnet network and are collectively hijacked for purposes such as launching distributed denial of service (DDoS) attacks on the attacker’s intended victim. DDoS attacks can be likened to the Internet’s version of a weapon of mass destruction.”

He says it is important to understand that there are both internal and external threat possibilities, and this means integrators, installers and end-customers must be aware that malicious traffic from compromised devices can be directed both internally and externally, depending upon the attacker’s possible objectives. “This means that the security design must ensure both possible issues are properly addressed.”

The irresistible mobile attraction

Young or old, it seems people today are hooked on their mobile devices all the time and as a result companies are making as much as they can accessible via these mobiles. Security is no different. And while the convenience of being able to control your security system from your smartphone rather than having to be onsite is undeniable, we all know that mobile devices are under attack too.

Green acknowledges that this is an area of growing risk. “Apart from the installation and integration risks previously highlighted, another set of risks is introduced once a user is granted external access to their security system. These risks are grouped around the issue of user authentication, i.e. ensuring that the user is properly identified before access is granted, and the issue of the security posture of the vendor providing the access service to its customers.”

Many users fall prey to issues such as weak passwords, using the same password to access different services, and infected devices being used for access, where malware on the device accesses the surveillance software and may use it to infect the system that is being accessed.

He suggests that companies should ideally use multifactor authentication for user access control and they should ensure that they use appropriately hardened software and implement a robust security design to defend against Internet-based attacks. “Companies should ensure that they have appropriate levels of security incident monitoring and responses in place to deal immediately with any form of attack detected on their service infrastructure.”

Ueckermann agrees that accessing your systems from anywhere does increase the level of risk; however, he says it is all about identity management. “Ensure that your passwords and cybersecurity software are appropriate for purpose. Consider using two-factor authentication like One Time Passwords (OTP) via SMS or smartphone apps to ensure your identity is well protected. This may sound difficult, but it is quite simple and cheap to implement lately.”

What harm is there?

An unfortunate argument we often hear about security and privacy concerns is “I have nothing to hide”. In the surveillance industry, some security operations would say that their CCTV operations only cover public areas so there is no need to protect this network as everything is happening in public and hacking into a camera view of your reception desk is not going to cause any problems.

But is this the correct opinion? Are hackers or criminals after a view of the reception desk or more? What can a criminal do if they gain access to a surveillance network, for example in a corporate building?

Green finds it interesting how often one comes across this perception. “The reason CCTV surveillance is in a public area is usually linked to the fact that public access is provided to something that should be secured. One only need think of public access to corporate buildings, monitoring of sensitive or valuable assets such as bank ATMs, or corporate perimeter defences. When the surveillance is compromised, both the detection and the recording of the event which will be used in post-event forensics is compromised and your would-be attackers are aware of this.

“By disabling CCTV surveillance, attackers buy time to carry out their intentions, reduce the effectiveness of response deployment and eliminate the usefulness of any CCTV records in identifying who they may be. On a more sophisticated level, the issue may not be so much about protecting the CCTV surveillance devices but the fact that an attacker with access to the network could launch an attack on other systems on the network itself. This should remind us that access to a public surveillance network must be protected in terms of the end-point devices such as CCTV cameras, as well as unauthorised access to the network.”

Ueckermann agrees and says the risk is mostly about financial gain. “If criminals gain access to your CCTV network, you might as well not spend your money on CCTV at all. CCTV is part of managing risk, and having it facing public areas gives you so much more reason to follow sound cybersecurity principles.”

Starting to secure your security

While there are many security vendors, installers and integrators that have adopted cyber-security practices as part of their normal business practices, the understanding of the risks and how to mitigate them is not standard in the industry. It may be time to develop some standard of the minimal skills required to ensure you have an understanding of cybersecurity threats and how to mitigate them. This does not necessarily mean the technical knowledge, but at least the ability to understand the risks and potential solutions.

Ueckermann says the basic level of understanding is to understand what it is that you are working with, create context of what the security tools do and how that will assist you to be safer. “For example, if you were issued or acquired a firearm, there are fundamental principles in how, when and where you would use it. The same applies to a CCTV system, for example. You don’t use a CCTV system to surf the net and go to dangerous web sites.”

Green adds that the biggest single security risk in any system is its users. “More than 80% of all cyberattacks are initiated through the exploitation of a user’s trust. This may be through social engineering exploits, phishing emails, and other ways that an attacker may get to establish a ‘beach-head’ on a corporate network. This means that cybersecurity cannot be relegated to the IT department, but must become part and parcel of every business’ overall culture from the boardroom to the canteen.

“Cyber awareness training and ongoing testing of user awareness should be part of a comprehensive programme to turn users into cyber-defenders in their organisations and homes, and should be underpinned with both policy and remediation plans, as well as incentives to make it worthwhile for staff to become active corporate citizens in the defence of their organisations.”

Back to PPT

As with all effective solutions in the physical security world, ensuring your solution is cyber secure is also a matter of people, processes and technology (PPT). If you do all three right, your solution will meet the requirements of the customer; if you start cutting corners and skipping steps, all you are doing is opening holes in the system that can be exploited. The terminology may differ, but effective cybersecurity requires the same thought processes as physical security: it doesn’t matter how much technology and how many guards are protecting the front of your house, if you leave the back door open you are at risk.

Converging physical and logical

By Dragan Petkovic, Security Product Leader ECEMEA at Oracle.

Oracle follows an in-depth defence philosophy where security is built into every layer of the particular system or organisation, extending into the physical world.

One of the key aspects of security in the converged world is governance and entitlement management. Oracle has delivered several projects where physical entitlements are managed in the same way as logical ones. For example, the governance of access to certain floors of a building can be managed in the same way as the access to certain roles of the application or the account management.

Another security aspect of the converged world is building security into management modules of the converged infrastructure. Solutions extend from database and application security all the way to the management and patching of smart devices. Ideally, security practices in the management of a business’s data should extend into the physical world too.

Finally, we are witnessing a massive proliferation of the Internet of Things and smart devices, which increases the attack surface and generates a tremendous amount of security events. Monitoring and analysis of those events should be automated using the latest trends and emerging technologies such as user and entity behaviour analytics (UEBA), machine learning and artificial intelligence.

For more information, contact:

• AVeS Cyber Security, 086 100 2837, www.aves.co.za

• Gold N’ Links Cyber, +27 (0)83 252 5727, www.gnlcyber.com


