The crossover between IT and the security sector
We recently spent a day at IFSEC at the Excel, it was a useful trip to meet some contacts and attend some industry seminars.
The subject of one particular seminar was cyber security for security installers. Cyber security is a concept that is relatively new to a lot of installers and whilst it was good to see that IT security is starting to feature in the minds of staff outside of ICT departments, it is clear that there is still a very long way to go.
The seminar called for installers to use good password polices and to ensure that a firewall was in place to protect the client’s network. Some even said that installers need to demand that the equipment manufacturers only supply equipment which uses the most up to date secure protocols. Devices which use insecure ones such as SSLv3 should be put in the digital graveyard. This will ensure that the devices such as cameras cannot be comprised through known vulnerabilities or brute force attacks.
This is sound advice and I wholeheartedly agree that the installers should be demanding more secure equipment. It is the only way that manufacturers will improve their products. Manufacturers are not going to invest money in R&D if there is no perceived demand for it.
The problem I had was that they missed a major point; the point being prevention is better than cure. This means that the security devices should not be accessible to those that do not legitimately need access in the first place. I could go further and say that any physical product, such as an air conditioning system, should also take access security into account, making sure that even if there is a vulnerability in the way they can be accessed, it can never be exploited as the attacker never gets close enough.
To make the point, if remote access to a DVR system is required, it is quite common for the relevant ports to be opened so that the Alarm Receiving Centre (ARC) or whoever is going to be monitoring the security system can view the video across the internet. This is a reasonable enough request except that access should be tied down to a specific location or group of locations, something which does not always happen. This means that an attacker could keep attempting to access the devices again and again, unnoticed until access is gained. Good password policy would help here so would equipment that is secured against all known vulnerabilities but the unit would still be accessible from anywhere in the world. This is great for operational flexibility but not for security. Another key word here is ‘known’. There are some vulnerabilities that remain undiscovered for a long time, sometimes even years. Heartbleed is a particularly high profile one. This means that the device could be compromised by an attack that nobody saw coming. Now imagine it is not simply a camera they have suddenly got access to but a fire alarm system that can cause all locked doors to open when triggered – you can see where I am going here.
The most effective way to protect against this would be to remove the device from the network entirely; this however is neither a practical nor a good solution. One option would be to ensure that the port is accessible from a specific location (nailed down to an IP address). Another would be establishing a VPN between the client and the ARC but multiple VPN’s can become cumbersome and a pain to manage, not to mention making it more difficult for the installer to configure.
A better option would be to run this across a private network such as ProtectNet, which would keep things simple for installers as they would only need to plug the router in, and the devices would not be visible to the outside world to be attacked.
The second issue I had when listening to these seminars is that the threat from internal sources was completely ignored, which is somewhat ironic when you consider why a lot of cameras and access control systems are installed in the first place. Attacks may originate from inside the network too. This could be because you have a disgruntled employee or perhaps they are a victim of some sort of social engineering trick. If the security system is on the same network as the rest of the corporate network, an intruder working from inside may be able to access the security system. Again good password policies and keeping up to date with software patches will help here. However, the internal attacker still has time on their side to gain access as they are working undetected. To defend against this, it is important that security systems are isolated from the rest of the network. In an ideal world you would try and keep these networks physically separate. Another option would be to implement Secure VLANS with firewalls between networks so only those who need it gain access.
The crossover between IT and the security sector is now evident and as with the rest of IT, good network design can save a lot of pain in the future.
The seminars I went to were a good starting point and I appreciate that a lot of installers do not come from IT backgrounds, but the manufacturers and the industry as a whole owes it to their customers to make sure that their physical security systems are protected from digital threats. To ignore this aspect of the install not only risks the industry’s reputation but treats clients badly, who after all are buying these products to seek protection.