
9.9.24 – SIW – Geoff Kohl

Thanks to the Security Industry Association (SIA) Cybersecurity Advisory Board, we know about some of the common field implementation errors that can lead to the cyberhacking of a physical security system, but how exactly do the hackers attack such systems?

We asked these same experts that question to get a sense of what they’ve seen in the field.

Bruce Webbe of Meta’s security team said that, unfortunately, there’s not just one common attack vector to look for.

“I don’t know that there is a limit to the imagination of the attackers and their methods for attempting to gain access to these systems,” said Webbe. “There are many facets to which compromise can happen. Unfortunately, we need to guard against them all, which can seem a bit overwhelming at first.”

“The methods used by bad actors will be based on their goals and what has been found to be most successful: Are they attempting to gain access? Are they attempting to disrupt? Not knowing who they are and what their goals are makes it very difficult to anticipate what methods they may be likely to use. So, we must take the approach that a threat can come from anywhere at any time. Even intentional or unintentional internal threats need to be assessed.”

As Webbe said, “The weak link tends to be us humans.”

Allied Universal’s Rachelle Loyear agrees.

“It’s still most often the human part that’s the most vulnerable,” she said, explaining why hackers have such a high success rate.

“Phishing and social engineering attacks, like spear phishing, are designed to steal credentials or deploy malware by tricking users into providing sensitive information, so educating users about the dangers of phishing and how to recognize suspicious emails is crucial. Credential sharing and poor password practices, such as using weak passwords, can lead to unauthorized access, so implementing policies for strong, unique passwords and using multi-factor authentication can mitigate this risk. Additionally, even with all the best access control in the world, piggybacking, where unauthorized individuals gain access to secure areas by following authorized personnel, can compromise physical security, making it vital to train employees to recognize and prevent such activities.”

i-PRO Americas’ Will Knehr concurs that it is humans, and their accidental oversights, that give hackers a way in. He tells the story of a simple human process failure that led to a significant privacy breach.

“There was one customer we worked with that didn’t change the passwords on the camera system after an employee was let go,” said Knehr. “He used the remote login to the video system to watch them before they finally figured it out. He would send text messages to his old coworkers about events that had happened at work. They couldn’t figure out how he knew.”
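The failure Knehr describes is a missing control, not a missing product: nobody rotated a shared device password when someone who knew it left. The script below is an added example, not code from the article or from i-PRO, showing the audit a practitioner would run to catch that gap. It joins a device-credential inventory against HR offboarding records and flags every shared credential that was last rotated before a departure by someone who had access to that device. The device names, accounts and dates are constructed for illustration.

```python
"""Audit shared device credentials that were never rotated after an offboarding.

Added example (not from the article or any vendor quoted in it). The inventory
and HR records below are constructed; replace them with exports from your
device-management and HR systems.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class DeviceCredential:
    device: str          # NVR, camera, access-control panel, ...
    account: str         # login used on the device
    shared: bool         # True if more than one person knows the password
    remote_access: bool  # reachable from outside the site (VPN, port forward)
    last_rotated: date   # when the password was last changed


@dataclass(frozen=True)
class Offboarding:
    person: str
    left_on: date
    had_access_to: frozenset  # devices the person could log in to


@dataclass(frozen=True)
class Finding:
    device: str
    account: str
    person: str
    left_on: date
    last_rotated: date
    severity: str

    def describe(self) -> str:
        return (f"[{self.severity}] {self.device}/{self.account}: shared password "
                f"last rotated {self.last_rotated}, but {self.person} left on "
                f"{self.left_on} and knew it")


def find_unrotated(creds, offboardings):
    """One Finding per (shared credential, departed person) pair where the
    password was not changed on or after the departure date.

    Personal (non-shared) accounts are deliberately skipped: those should be
    disabled by the offboarding process itself rather than rotated."""
    findings = []
    for cred in creds:
        if not cred.shared:
            continue
        for ob in offboardings:
            if cred.device in ob.had_access_to and cred.last_rotated < ob.left_on:
                # A stale shared password that is also reachable remotely is the
                # exact situation in Knehr's story, so rank it highest.
                severity = "high" if cred.remote_access else "medium"
                findings.append(Finding(cred.device, cred.account, ob.person,
                                        ob.left_on, cred.last_rotated, severity))
    return findings


# Constructed sample data.
CONSTRUCTED_CREDENTIALS = [
    DeviceCredential("nvr-lobby", "admin", True, True, date(2023, 1, 10)),
    DeviceCredential("cam-loading-dock", "viewer", True, False, date(2024, 6, 1)),
    DeviceCredential("acs-panel-hq", "j.doe", False, True, date(2022, 3, 3)),
]
CONSTRUCTED_OFFBOARDINGS = [
    Offboarding("former operator", date(2024, 3, 15),
                frozenset({"nvr-lobby", "cam-loading-dock"})),
]


def run_audit():
    return find_unrotated(CONSTRUCTED_CREDENTIALS, CONSTRUCTED_OFFBOARDINGS)


if __name__ == "__main__":
    for finding in run_audit():
        print(finding.describe())
```

Only the lobby NVR is reported: its shared admin password predates the operator's departure and the device is reachable remotely. The loading-dock camera was rotated after the departure, and the individually assigned panel account is out of scope for a rotation audit because offboarding should have disabled it outright.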

Other Ways Hackers Can Get Your Information

We asked the SIA Cybersecurity Advisory Board members to detail other attack vectors you can expect. Here’s where they would point you:

Examine your security architecture and avoid taking a “security through obscurity” approach, says Josh Chin, CEO of NetForce.

“The most common attack vectors currently are poor security architecture of security technology systems (such as making them directly internet accessible), default credentials and security through obscurity,” said Chin. “Most of these issues can be solved if field installation teams and end users work with cybersecurity and infosec teams and help them to understand the security technology systems and lean on their expertise. We have seen a few instances where individuals try to ‘obscure’ the location of these security technology systems devices and think they’re capable of hiding these devices – only to be identified down the line. Security through obscurity only works if you can’t be found.”

Beware distributed denial of service (DDoS) attacks, said i-PRO’s Knehr.

“Common threat vectors include DDoS attacks, which can overwhelm systems and disrupt operations; spear phishing, which targets administrators to gain access to sensitive systems; and exploitation of unpatched vulnerabilities,” Knehr said. “Security technology systems, such as access control, video surveillance and command centers, are increasingly being targeted due to their integration with IT networks, making them attractive targets for cybercriminals seeking to exploit both physical and cyber vulnerabilities.”

Protect yourself from bot attacks, advises John Gallagher, vice president of Viakoo Labs. He said these botnets are the method hackers will likely use to implement the aforementioned DDoS attacks.

“Among the many threat vectors that can impact a physical security system, the ability to plant bots within devices without them being detected is one that is underappreciated. Botnet armies are housed within security systems (Mirai being the most famous of these), yet most integrators and end users don’t care and don’t try to find them. Yet these botnets are why DDoS attacks are growing in velocity and volume. Many organizations that have not yet tied their user authentication to their corporate identity management systems (e.g., Active Directory) are open to having credentials stolen or leaked, and thus providing access to the security system.”

How to Defend Yourself Against Hackers

One thing all the SIA Cybersecurity Advisory Board experts agreed on is that the industry needs more focus on cybersecurity awareness, and that ultimately knowledge is your best defense against hackers.

“A change in our workflows is needed to keep us from becoming vulnerable, assure we’re following good practices and help us break bad habits,” Webbe noted. “Education on this topic will help us be aware of the risks, best practices to follow and identify which habits need breaking.”

Education and awareness training is particularly effective against social engineering and phishing, but Webbe adds that you also have to begin with some technical fundamentals: “Starting with a foundation of some basics such as network segmentation, traffic encryption, system resiliency, properly managed accounts/passwords and vulnerability mitigation, among others, helps reduce the risk and deter bad actors.”

SIA offers such training, with its Security Industry Cybersecurity Certification (SICC) Review Course delivered in person and virtually throughout the year and designed specifically for team members working in systems integration and other technology-focused security services. SIA is also delivering a collection of courses on cyber and IT fundamentals produced with CompTIA through its online learning management system, SIAcademy. The new courses dive into topics like network topologies, public key infrastructure, wireless encryption standards, virtual private networks and dozens of other essential topics necessary for anyone working on networked security systems.

Build in Cybersecurity From the Start

NetForce’s Josh Chin says that besides training and awareness initiatives, there are some fundamental technical changes that can be made by manufacturers and software/platform vendors that would promote cybersecurity by design.

“To prevent these errors,” said Chin, “manufacturers must assume that integrators, end users and developers will not implement or develop their solutions securely. Developers who code their solutions must have verbose, well-thought-out system requirements so that as developers design and develop any product, it is developed with security in mind from the very start. That means leveraging security frameworks and reference documents such as the OWASP Top 10, assuming your product or solution will be attacked by an adversary logically and thinking not just about ‘use cases,’ but also about ‘abuse cases.’ Treat all inputs and interactions from any end user, authorized or unauthorized, as hostile.”

Chin challenges the vendor community to force a change in cybersecurity posture and so limit what hackers can do.

“Why is any security solution being sold and shipped today not forcing an integrator or end user to change the password before they are allowed to configure the device? Instead, why are we shipping out security solutions with default usernames and passwords, or allowing easily guessable passwords, so that they can continue using the device with default or weak passwords? We all know the importance of usernames and passwords, yet we still allow end users to configure and operate devices with passwords such as ‘password,’ ‘admin’ and ‘123456.’”
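What Chin is asking for is mechanically simple, which is the point. The following is an added example, not code from the article or from any manufacturer it quotes, modelling a device that ships with a factory login but refuses every configuration change until that login is replaced by a password clearing a minimum policy. The class name, the minimum length, the denylist contents and the pbkdf2 parameters are illustrative assumptions; a shipping product would use a far larger denylist and whatever credential store its platform provides.

```python
"""First-use credential enforcement for a networked security device.

Added example, not from the article or any vendor quoted in it. Device,
DEFAULT_USER, MIN_LENGTH and DENYLIST are illustrative assumptions.
"""
import hashlib
import hmac
import os

DEFAULT_USER = "admin"
DEFAULT_PASSWORD = "admin"   # factory default, valid only until replaced
MIN_LENGTH = 12
# Small constructed denylist; a real device would ship a much larger one.
DENYLIST = {"password", "admin", "123456", "12345678", "qwerty", "letmein",
            "admin123", "password1"}


def password_policy_violations(username: str, candidate: str) -> list:
    """Return every reason a candidate password is unacceptable (empty if none)."""
    reasons = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in DENYLIST:
        reasons.append("on the common-password denylist")
    if lowered == DEFAULT_PASSWORD.lower():
        reasons.append("identical to the factory default")
    if username.lower() in lowered:
        reasons.append("contains the username")
    if len(set(candidate)) < 4:
        reasons.append("too few distinct characters")
    return reasons


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so the stored value is useless if the config is dumped.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ConfigurationLocked(Exception):
    """Raised when a setting is changed while the factory password is still in place."""


class Device:
    def __init__(self):
        self._salt = os.urandom(16)
        self._hash = _hash(DEFAULT_PASSWORD, self._salt)
        self.must_change_password = True   # set at the factory, cleared only by set_password
        self.settings = {}

    def login(self, username: str, password: str) -> bool:
        if username != DEFAULT_USER:
            return False
        return hmac.compare_digest(_hash(password, self._salt), self._hash)

    def set_password(self, current: str, new: str) -> list:
        """Replace the password. Returns the policy violations (empty on success)."""
        if not self.login(DEFAULT_USER, current):
            return ["current password incorrect"]
        violations = password_policy_violations(DEFAULT_USER, new)
        if violations:
            return violations
        self._salt = os.urandom(16)
        self._hash = _hash(new, self._salt)
        self.must_change_password = False
        return []

    def configure(self, key: str, value: str) -> None:
        """Apply a setting, but only once the factory default is gone."""
        if self.must_change_password:
            raise ConfigurationLocked("change the factory default password first")
        self.settings[key] = value


def try_configure(device: Device, key: str, value: str) -> bool:
    """True if the setting was applied, False if the device is still locked."""
    try:
        device.configure(key, value)
        return True
    except ConfigurationLocked:
        return False


if __name__ == "__main__":
    d = Device()
    print("configure before rotation:", try_configure(d, "rtsp_port", "554"))
    print("rejects 'admin':", password_policy_violations(DEFAULT_USER, "admin"))
    print("set strong:", d.set_password("admin", "Lobby-NVR-2024-rotate!"))
    print("configure after rotation:", try_configure(d, "rtsp_port", "554"))
```

The lock is on the configuration path rather than on the login alone, so an installer cannot finish a deployment and walk away with the default still active, and the denylist and username check reject exactly the ‘password’, ‘admin’ and ‘123456’ cases Chin names.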

Chin also said that unfortunately, general awareness training won’t solve all a company’s cybersecurity risks and that many companies will need to invest in cyber specialists, either by deeply training existing team members or by hiring those skills.

“The biggest gap in field installation teams is individuals learning and understanding cyber (logical) risks and cyber risk management. Physical risks are very different from cyber risks. We can teach them lots of technical skills, such as networking and security features of a product; however, we must be mindful that most will be generalists. Cybersecurity and cyber risk management will require specialists, and employers must invest in their talent to be specialists.”

Geoff Kohl is the senior director of marketing for the Security Industry Association. This piece was originally published on ISC News and is reprinted with slight editing with permission from the author.