The New World
In the IT world, vulnerabilities are hunted and found as a matter of normal daily business by network research firms whose role it is to find vulnerabilities so that they can be fixed. They also perform penetration testing for their customers, who require verification that their own systems are being maintained at an acceptable level of security.
From now on, it will be the rule rather than the exception that hacker conferences will include one or more sessions on how to hack physical security systems-just like they contain sessions about hacking telephones, web servers, information systems, and so on.
Whether you are a manufacturer, a consultant, a systems integrator or an end-user customer-it is now critical that you begin paying attention to the vulnerabilities of the products and systems you provide or depend upon.
Q: How did Shawn Merdinger come to investigate the particular access control system?
A: His company was thinking of purchasing one. He was simply doing his job as an IT professional-ensuring that his company would not put itself at risk by installing a vulnerable product or system.
In a recent discussion with a product manager and a sales manager from one security industry manufacturing company, the product manager stated that he didn't think this kind of IT evaluation was very common. "None of our customers have mentioned this to us," he said. "You may be making more out of this than the situation warrants." I explained that in 100% of my global company clients the IT department evaluates all systems and devices that will connect to the network, including physical security systems and devices. I also informed him that I doubted his products would pass such an evaluation, because (a) the user manual shipped didn't fully match the product; (b) there was no installation guide (the company expected all installations to be performed by factory-trained installers); (c) the software user interface didn't follow the Microsoft Windows user interface guidelines (a significant defect in a 3-year old product); and (d) the online help was incomplete and inconsistent from window to window in the application. (Unfortunately these shortcomings are common to many industry products.)
I doubted that any of this company's customers performed IT evaluations, or they would not be customers! They would have selected a more qualified product from an IT perspective. However, even in those cases where IT is not involved in product evaluation, successfully selling a less-qualified product can reduce customer status (the status of the security manager in IT's eyes) when IT finds a product on the network that doesn't meet IT's standards, or isn't developed to professional standards.
Defensive attitudes on the part of manufacturers astound me-because that is backwards thinking. Who wouldn't want to have software that is very easy to use because it follows Microsoft Windows conventions? (I know there are Windows vs. Mac arguments on usability, so don't miss my point. Regardless of the operating system, the software should have very high usability for first time users.) Who wouldn't want to have a product that IT departments embrace because it is professionally developed and packaged, and can be easily evaluated? Who wouldn't want their security practitioner customers to impress IT by having selected a top-notch product?
Furthermore, what IT department wouldn't be pleased to have a "hardening guide" booklet or chapter in the product or system installation instructional material? Since there are no clear leaders in this area, any company with a sound product could take a leading position.
Right now, security practitioners can't go wrong assuming that all physical security systems are vulnerable as shipped from the factory. I was about to write that I know of no commercial off-the-shelf system that ships with specific instructions for secure network deployment or system hardening. Then I learned from my network research colleague Rodney Thayer that Firetide (www.firetide.com) did include hardening information in one of its installation documents-but buried in the midst of other things as opposed to highlighted front-and-center, as the industry needs.