Networked security systems have a variety of vulnerabilities, and even standalone systems are not vulnerability-free. Security system networks can also have unique vulnerabilities that do not occur with business networks. The questions below were posed during a tech lab at ISC West around best practices for protecting IP-based security systems (www.BPforIP.com), where you can download two white papers relating to this topic. In this issue's column, I'm posing questions for you, the reader, to answer.
Q: The corporate network is being attacked from an internal location. Your security systems are connected to it. How do you respond?
One security practitioner I know received such a notification; however, this would not happen for most companies, given the typical project-based level of collaboration between Physical/Corporate security departments and the IT department. Security systems could be affected without the Security department knowing what was going on.
What condition would warrant Security being notified of a probable network attack? What response procedures would you follow? Most security technologists have not thought through these kinds of scenarios.
Q: A disgruntled employee has just taken out a lobby security camera with a taser. This also took out the network switch the camera was connected to. What should you do next to protect your security systems in this kind of scenario?
Starting a few years ago, as part of security risk assessments, a few other security consultants and I began using Internet searches to help determine the likelihood of attacks that formerly would only be known about by people with special training. During one security assessment, a facilities engineer stated that he thinks every so often about the easy access to the transformers on the edge of the property, because it would be easy to take them out using a particular technique (using a $3.00 item purchased at a hardware store). He said, "I don't think it's a serious concern because only trained engineers know about this vulnerability."
An Internet search instantly brought up a link to a Web page where the girlfriend of an engineer, who is a member of an activist group, described the attack in detail, including the $3.00 item needed. She wrote, "Use this approach to selectively take out power to specific facilities, rather than taking down an entire area, which might include hospitals or other healthcare facilities. You want to target businesses where loss of life is not the likely result."
Learning about the camera taser attack, I did an Internet search on that topic and found a YouTube video showing how to make a taser from the type of disposable photo camera available at most drugstores. So what I thought was an attack that required the purchase of special equipment turned out to be not so expensive.
Rodney Thayer, CTO of Secorix (www.Secorix.com), performed lab tests using a Graybar lightning arrestor connected between the camera and the network switch. Directly tasering the camera did not take out the network switch when the lightning arrestor was installed.
Most integrators that I know use fiber modems to connect to outdoor cameras, specifically due to lightning vulnerability. Additionally, this keeps the network connection inside the building. However, I do know of two Bay Area high-tech companies that have installed network cameras outside their buildings, with a network connection going right to the camera. This is like opening an outside door to the server room, as far as the network switch is concerned.
Another important point about lightning vulnerability is that the power behind a lightning strike is considerable. A lightning strike to a network camera connected by copper cable may very well take out a series of network switches, not just the first connected switch. And there is also the life-safety risk of impacting a technician working on any of the connected equipment.
Q: How would your IT department respond to a network attack that is coming from inside a facility, behind the corporate network's external firewall? How would they detect, assess and respond to such an attack? Do you have equivalent technical and procedural measures in place, either through security department capabilities or by a service agreement with IT?