Insider Intelligence: Tug of War

As standoffs emerge between IT and physical security departments, integrators are caught in the middle


In light of the trials involved, I asked the question, “What is a realistic initial approach to cybersecurity for integrators?”   Both Washington and Uliana insisted that without the proper education on information security process and practices, the integrator will struggle to address common customer scenarios and concerns on this front.  Consider the following examples they offered:

 

Field Challenge #1

I am a systems integrator. I know the product, but do not have a full understanding of the environment or use case in which it will be used. You don’t know the interdependencies of the security product, the network infrastructure, nor the threats that can be exploited against the system.

Real-world example: A systems integrator comes into a facility to upgrade an access control panel. During the process, he uses a weak password, (i.e., the building’s zip code) for the entire facility’s security functions. Attackers recognize this as one of the top ten possibilities password ‘possibilities’.

Repercussions: A hacker goes in, steals the password and changes all of the addresses and configurations denying access to everyone.

Who’s involved: Installer, IT Security Integrator, Building Management, and Physical Security Management.

What you need to know: The types and methods that attackers use to guess passwords and to implement strategies that will decrease the likelihood of occurrence of something like this happening.

 

Field Challenge #2

I am a systems integrator and lack the foundational knowledge of internet protocol addressing, sub netting and configuring gateway addresses on devices that are connected to the corporate IT network.

Real-world example: A systems integrator configures an IP camera to a reserved IP address that was connected to a gateway system that the company uses to transmit electronic data securely to other locations.

Repercussions: This address conflict created a loss of service and disruption within the IT network that was difficult to trace and resulted in hundreds of thousands of dollars in lost productivity and man hours required to troubleshoot, identify and resolve the issue.

Who’s involved: Installer, IT Security Integrator, and IT Department.

What you will need to know: The system integrator needs to thoroughly understand configuration and change control management within IT systems and the processes that are required to perform installation verification, performance measurement validation and installation quality management validation.

Field Challenge #3.

The systems integrator has a lack of knowledge and training into single sign-on (i.e. when a user uses a single password that logs them in to multiple systems – both physical and logical) and how to introduce the proper interfaces that pull user information and identity information into the systems that they are deploying for security purposes.

Real-world example: Managing new employee on-boarding and access privileges.

Repercussions:  when an employee is terminated, and fails to turn in their credentials, their access remains active allowing physical intrusion to go unnoticed, resulting in possible consequences in loss of life, theft, and damage to company assets.

Who’s involved: Human Resources Dept., Installer, IT Security Integrator, IT Department

What you need to know:  When a new employee is on boarded and issued an access card, the systems integrator needs to know how to copy and manipulate this data that is entered from the HR system into the database that is used to grant new employee access to controlled areas.

 

While the complexity of cybersecurity may intimidate the security integrator, both cyber and physical security objectives should be harmonized into a common set of organizational goals and priorities. As the market continues to evolve to network-based technologies, the integrator must be knowledgeable about emerging capabilities and must obtain training and real-world experience to effectively recommend the best-fit solution for their customer.

 

Barbara Shaw, CPLP, is Director of Education at PSA Security Network. Learn more about cybersecurity and Physical Security with Washington and Uliana, along with other subject matter experts at TEC 2014 presented by PSA May 5th-9th 2014 (www.psaTEC.com)