A year ago, in a column here entitled The Security Industry World Has Changed, I wrote: “The security industry now functions in a new world — one where companies who release networked products and systems that are not ready for safe deployment will find that their customers quickly become aware of it.”
That column provided information on two hacker conference presentations about security system vulnerabilities. One was a brand-name security video system, the other a brand-name access control system. Links to videos and presentation material can be found at: www.BPforIP.com/news.html.
I was recently asked the question below by an end-user, and the assumption behind the question astounded me. However, on further thought, and based on manufacturers’ common assertions, the question states a natural assumption.
Q: Aren’t most security systems pretty secure now over the network?
A: Apparently not, according to hard evidence.
IP-Based Card Readers Compromised
Recently, network researchers Michael Gough and Ian Robertson made a video for the BSides regional security event that took place in Austin, Texas, in March. The video chronicled how they easily unlocked the reader-controlled doors at an association swimming pool, using a small application written for an Android phone.
The targeted access control system is one that is remotely managed via the Internet, which is how they accessed it. But the system would have been just as vulnerable through a hard-wired network connection, for example, through a clubhouse network outlet connected to the same network as the access control system. See the video along with links to related information: www.BPforIP.com/news.html.
I am often asked why the majority of manufacturers in this industry do not seem to care about network security and network architecture compatibility for their customers. I do not have a good answer for that, at least not a kind or charitable answer. Typical tradeshow responses range from arrogant dismissal, to unsubstantiated assurances, to blank stares. Every time I have asked the “Why don’t you care?” question at tradeshows, I am told that the company does really care. If that is really the case, then where is the evidence? We should see it in the products and services, and in their documentation.
For example, last week I talked to a company whose “About Us” Web page claims “recognition” and “notable accomplishments” in networking and information technology. The company recommended a network architecture for its product deployment that was completely incompatible with the client’s planned network architecture — a diagram of which I had sent well ahead of our phone call. So I listed for myself the possible reasons why such an off-base recommendation would be made by a company:
• The sales engineer does not understand typical enterprise networking.
• The product development team is software-savvy but not network-savvy.
• The sales and engineering people in the call did not look at the network diagram ahead of time.
• The product is poorly designed, and as a result they are locked into a specific network architecture that they always recommend.
• Their installed base is sufficiently small that they have not encountered any enterprise-class networks in the field.
• They have not surveyed the market landscape to determine what kinds of network environments their product would have to be deployed into.
• They have not worked closely with any knowledgeable security technology design consultants.
• The vendor naïvely assumes that an extremely simple network architecture would naturally “just fit” into an enterprise network environment.
Not all of these reasons are likely to apply to every manufacturer; however, I was able to figure out that the majority of them did apply to this particular company. I have had similar experiences with other companies, small and large. How could there be such a mismatch between company capabilities and actual results?
This made me realize that silos can exist in companies of every size. Maybe this is why the management folks and the engineering folks at many companies do not have a good understanding of the customer deployment environments and how their products fall short, including with regard to cyber security.
On the other hand, some companies definitely are paying attention. Brivo Systems has paid extensive attention to the secure engineering of their service offerings. PlaSec has a long-standing engagement with Veracode, a company that tests the security of ISV (independent software vendor) applications. Firetide includes information in their installation guide on how to harden their network. A few other companies have made similar good moves, and I’d like to hear from those who have that I didn’t mention.
One final thought: the computer and network security spotlight continues to be focused brightly on security industry products and services. When the spotlight shifts to your company, what will we see?
Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities. He is founder and publisher of The Security Minute 60-second newsletter (www.TheSecurityMinute.com). For more information, write to Ray about this column at ConvergenceQA@go-rbcs.com. Mr. Bernard is also a member of the Subject Matter Expert Faculty of the Security Executive Council (www.SecurityExecutiveCouncil.com).