Tech Trends: Hack Attack

Oct. 9, 2014
Open your eyes to the impact of cybersecurity on integrators, manufacturers and beyond

Recently, I was included in an extensive e-mail thread initiated by Bill Bozeman, CEO of the PSA Security Network, which obviously struck a chord with the many people who were included on it. In part, he said: “We are at the beginning of what I perceive to be a major finger-pointing blame game in our niche as related to cybersecurity. Who is at fault if physical security devices are hacked and information that was incorrectly assumed to be secure by the end-user is stolen? Will the manufacturer be held accountable, the integrator or the consultant?”

Bill’s questions were spurred by an article that explained how two security researchers at the recent Defcon hacker conference were able to hack into a municipal wireless network, map out the surveillance cameras and obtain the information needed to get into the cameras. In addition to manufacturer information being visible on the physical devices, the 802.11 wireless communication links were unencrypted — although they were later upgraded to WEP encryption, which is only a marginal improvement.

As we have all come to realize, hacker tools are impressive and, quite often, one or more steps ahead of the available means to defeat them; however, the above situation is virtual child’s play for anyone even semi-skilled in the art of penetration and hacking. Wireless networks — many of them critical — are out in the open, where signals can be detected for purposes good and bad. Why make it easy for the bad guys? Turn off the SSID broadcast, use WPA2 encryption, change from default passwords, turn off SNMP if not being used, etc.

But let’s turn back to Bill’s question. I’m not a lawyer, but one of the first things I would expect one to ask is, “Were all reasonable precautions taken?” Most reputable security device manufacturers put security features into their products — for example, many contain a provision for 802.1X-based authentication, which requires an authentication server.

I recently asked my friend James Marcella of Axis how many technical support calls they get about 802.1X, and he responded (paraphrasing) “Not any. We’re still trying to get our users to change from default passwords.” Using the features that are currently provided in these products represents a good start and begins to up the ante on the measures needed to penetrate a security system. In addition to changing from default settings, simple measures may include turning off SNMP (or, if using SNMP, changing settings from default or using SNMPv3, which is encrypted), tightly managing permissions and using encryption features when available and feasible. At a deeper level, use of authentication protocols and periodic penetration testing raise the bar further.

Regular engagement with IT as a component of overall security strategy is essential. Once the end-devices have been locked down and secured, the network infrastructure is the next logical area to focus on. Security professionals should make it their business to learn about this technology — firewall settings, network access control, VLAN security, etc. Consider studying for the CISSP certification (Certified Information Systems Security Professional), which touches both the information and the physical domains.

Potential manufacturer’s liability is being mitigated by building strong features into products, such as two-factor authentication implementations. This responsibility extends to VMS vendors, too, so that the security features of cameras don’t get compromised by the system managing them. IT manufacturers would do well to focus on end-security — device, server, storage and network. And all should concentrate on highlighting, sharing, and training their channels and customers on secure device installation and operation.

Bill and his team at PSA are assembling a Cyber Security Executive Advisory Council, which I was invited to join, to provide input and direction for the PSA cyber security training program, their newest education initiative. I applaud Bill for being proactive in addressing this critical area.

Ray Coulombe is Founder and Managing Director of SecuritySpecifiers.com and RepsForSecurity.com. He can be reached through LinkedIn at www.linkedin.com/in/raycoulombe or followed on Twitter @RayCoulombe.