Avoiding a Black Swan Event through Authentication

Sept. 8, 2017
The emergence of hackers targeting electronic security systems is recent and ominous

Ask yourself:  How can you keep your company and its clients off the evening news as a victim of cyber crime?  Given the speed at which disparate security technologies are rushing towards a hyperconnected world, are you ready?  There is a menacing velocity of threats, internal and external, increasing exponentially.  Is your organization fully aware and prepared to mitigate the growing risks tied to thousands of network-centric, IoT and integrated devices? 

More importantly, has the solution designed and installed to protect your people, property and information become a Trojan horse?  And when this unanticipated Black Swan event occurs, how do you explain it to your board?

Does authentication save you?  If it does, what does it look like?  Are best practices alone your salvation?  Or is it technology?  Who is responsible for it?  Is it the manufacturer?  Or is it the third-party providers of development code used by manufacturers?  What part does the integrator play in their obligation to help mitigate risk for their customers?  And how much responsibility should the end-user be prepared to bear?  The answer is simply everyone plays a part.  Not surprisingly, best practices and technology play dual roles in the implementation of authentication strategies. 

Best practices have an enormous impact on authentication.  Given the myriad platforms, players, risks, and threats, best practices and focused leadership will set the tone of the organization and create a culture of awareness.  Policies and procedures addressing the questions authentication raises should be designed to monitor and manage the obligations and activities of all players, including IT departments, consultants, manufacturers, and integrators.  But given the nature and size of large physical security systems, technology and automation are required in order to scale activities to meet the sense of urgency we must all adopt in order to maintain a proactive authentication posture.  According to Ray Bernard, President and Principal Consultant of Ray Bernard Consulting Services and a subject matter expert, “Machine to Machine (M2M) authentication will become a leading factor in IoT.”

Organizations are waking up to the fact that the most attractive attack surface for hackers is becoming the physical security system.  Physical security is most evident at the edge of the network, often in unguarded and exposed places.  It is connected to a network but typically without oversight by the IT organization.  Whether breached by physical means (inserting an infected USB stick) or by cyber means (using network connectivity to download a virus), physical security systems are being used to attack organizations.   

In other words, the biggest security liability right now for many organizations may be their own security system.  F5 Labs calls IoT devices the “cyber weapon delivery system of choice”.  Stronger methods are available today to ensure that security systems are protected from compromise.  But what is lacking is the urgency and focus for those methods to be used pervasively. 

Real-life examples are not hard to find.  Two wake-up calls to the industry include the recent Mirai and Persirai botnet attacks which hijacked IP security cameras to launch distributed denial of service (DDoS) attacks.  Adding fuel to the fire is the recent Devil’s Ivy vulnerability.  A recent Panasonic White Paper entitled, ‘Just how secure is your video surveillance?’ claims that 60 percent of all video cameras have not changed their default passwords.  This leaves them open to compromise and manipulation. 

Brandon Arcement, Director of Product Marketing at HID Global, commented, “While network attacks can happen at the controller, relative to the video space, attacks on access control systems are not as common -- because the attack surface is smaller today.”  Even so, these DDoS attacks are not the first.

In almost every type of organization, serious damage is done to the organizational mission when security is compromised.  Shrinkage increases in retail markets.  In education, Clery Act compliance can be affected.  And in healthcare, Medicare reimbursements can be withheld for failing critical risk assessments.  Elsewhere, regulatory certifications can be threatened.

As problems grow, real actions are needed to address them.  The impact of not taking action can already be seen in the documented costs associated with data breaches.  According to the 2017 Cost of Data Breach Study: Global Overview sponsored by IBM and conducted by Ponemon Institute:

  • The average cost of each data breach for 419 companies surveyed was more than $3 million per occurrence. 
  • The average cost for each lost or stolen record containing sensitive and confidential information was $141.
  • It is estimated that organizations in this study have an average probability of 27.7 percent of having a material data breach again in the next 24 months.
  • Note: the faster the data breach was identified and contained, the lower the costs were associated with the loss.

These are in addition to damages to brand, workplace disruption and other legal and financial liabilities. 

Half-hearted Strategies

It’s fair to say that efforts are being made, just not enough or of the right kind.  For example, most devices on a physical security network today have self-test “health check” capabilities.  These tests are useful but can give a false sense of security.   While all the “self-tests” come out looking good, the reality might be that a condition between or in a combination of the devices is causing a failure. 

Another approach that helps but is insufficient is spot-checking the system to look for issues or concerns.  This falls short because a malware agent is usually quite good at hiding itself until it is activated.  Also, the manual effort involved in camera checking does not scale for many organizations.  Even where it does, the effort expended is almost always more costly and logistically challenging.

A third approach is for organizations to restrict connectivity, such as through only using on-premises software that does not require any external Internet connections.  While this sounds good on the surface, the reality already seen is that the malware agents can be installed in a variety of ways.  USB sticks, VPN access, onsite technicians and even “Trojan Horse” types of malware embedded in other systems can lead hackers through a secret tunnel to compromise the security system.

The Proactive Authentication Solution

Given that current approaches are insufficient, what would the correct solution look like?  In many ways, it would look like current cybersecurity solutions (the ones that protect IT infrastructure but not security infrastructure).  The attributes the solution must have include:

Automation: The number of cameras and access control devices, network connections, servers, applications and storage that make up a modern physical security system makes manual methods inadequate.  Not only would the data have to be gathered manually; more importantly, analyzing that data for possible failure conditions would take a lot of people a long time.  Automation also provides a “set it and forget it” approach, which is critical for ensuring 24/7 that the security system is secure. 

Proactive: Bud Broomhead, CEO of Viakoo, shared in a study they conducted in early 2016 “It typically takes a few days from when a problem is found in physical security systems (mean time to identify, MTTI) to when it is corrected (mean time to correct, MTTC).  That kind of reactive approach gives potential hackers both access and time to take advantage of a crippled security system.”  As many recall, drug lord El Chapo tunneled out of his Mexican prison long before his guards discovered him missing. 

Scale: Corporate networks know no borders. 

Forensics up-front: Knowing when a security system is vulnerable to attack is one thing, but equally as important is having a fix to vulnerability as soon as possible. It’s critical to have a security system instrumented in such a way that forensic analysis can be done in-line with detection.  In other words, ubiquitous data gathering must be designed into the security system.  Only then can data be analyzed for how, when and where the problem appeared and how to correct it.

Scientific proof/metrics: Just as video evidence is only usable in court if there is a chain of custody, the integrity of a security system can only be judged if scientific methods are used in data gathering and analysis.  Likewise, by using standard metrics like VPU (video path uptime) or bandwidth used across different locations for CCTV systems, anomalies can be detected that point to potential breaches in certain locations.  For example, in a retail environment, one would expect low bandwidth utilization when the store is closed.  A store showing activity outside of normal hours would be flagged in the metrics and action can then be taken. 

At a high level, physical security leaders should be thinking about the digital nature of their security systems in order to craft the right solution.  One such concept gaining a foothold in the IoT (Internet of Things) space is the digital twin: https://en.wikipedia.org/wiki/Digital_twin

By capturing real-time metadata across the physical security network (not the video or access control data), such a digital twin can be used to authenticate the integrity of the system.  This will not interfere with its actual operations.  The digital nature of today’s physical security systems makes such a twin not only practical but essential.  It allows for deep understanding and deep interrogation of a security system to authenticate and verify it has not been hacked.  
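The following is an added illustration (not code from the article or from any vendor named in it) of the two ideas above: a minimal "digital twin" baseline of per-camera metadata, and the after-hours bandwidth check from the retail example. Device names, firmware strings, store hours and bandwidth figures are all constructed for this example.

```python
from datetime import datetime

# Constructed "digital twin" baseline: per-camera metadata only (no video),
# recording expected firmware and expected bandwidth for open vs. closed hours.
BASELINE = {
    "cam-store12-01": {"firmware": "2.40.1", "kbps_open": (1500, 2500), "kbps_closed": (0, 150)},
    "cam-store12-02": {"firmware": "2.40.1", "kbps_open": (1500, 2500), "kbps_closed": (0, 150)},
}
STORE_HOURS = (9, 21)  # constructed: store is open 09:00-21:00 local time

# Constructed telemetry samples: (timestamp, camera id, reported firmware, measured kbps)
SAMPLES = [
    ("2017-09-08T14:05:00", "cam-store12-01", "2.40.1", 1800),
    ("2017-09-08T14:05:00", "cam-store12-02", "2.40.1", 1900),
    ("2017-09-09T02:30:00", "cam-store12-01", "2.40.1", 1700),  # heavy traffic while closed
    ("2017-09-09T02:30:00", "cam-store12-02", "1.90.3", 40),    # firmware drifted from baseline
]


def is_open(ts: datetime) -> bool:
    open_h, close_h = STORE_HOURS
    return open_h <= ts.hour < close_h


def check_sample(ts_str, cam, firmware, kbps):
    """Compare one telemetry sample against the twin; return a list of anomaly strings."""
    base = BASELINE.get(cam)
    if base is None:
        return [f"{cam}: unknown device, not in digital twin"]
    findings = []
    ts = datetime.fromisoformat(ts_str)
    if firmware != base["firmware"]:
        findings.append(f"{cam}: firmware {firmware} differs from baseline {base['firmware']}")
    state = "open" if is_open(ts) else "closed"
    lo, hi = base[f"kbps_{state}"]
    if not lo <= kbps <= hi:
        findings.append(f"{cam}: {kbps} kbps at {ts_str} outside {state}-hours range {lo}-{hi}")
    return findings


def audit(samples):
    """Run every sample against the baseline and collect all findings in order."""
    out = []
    for s in samples:
        out.extend(check_sample(*s))
    return out


if __name__ == "__main__":
    for finding in audit(SAMPLES):
        print("ALERT", finding)
```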

If there is one imperative that you gain from this article it’s that now is the time to act.  The emergence of hackers targeting electronic security systems is recent.  Historically, when hackers embark on a new approach, they keep using it for several years.  Think of phishing, DDoS attacks, clickjacking and other attacks.  They all have had relatively long lives from when they first emerged.  Taking action now allows you to use system and data verification technology to proactively understand when hacking is taking place.  It puts you in a position to respond quickly.  By working with leading security integrators, manufacturers and other technology providers, there are ways today you can prevent your organization from appearing on the evening news as yet another victim of cyber crime.

About the Author: Eddie Meltzer is Founder and CEO of Security Cloud & Mobile Partners.  A 30-year veteran of the electronic security industry, Meltzer is an industry champion for big data analysis of security operations.  He is a subject-matter expert in service and support programs as well as global business development, cloud computing, and authentication methodologies.  He welcomes your calls at 816.215.9398 or email at [email protected], or visit his website: www.securitycloudmobile.com