Banks confront the insecurity of physical security

Sept. 26, 2019
Systems used to keep financial institutions safe are now increasingly vulnerable themselves

While many organizations have only recently woken up to the threats presented by malicious actors online, cybersecurity could be considered something of an old hat within the financial industry. Historically, financial institutions around the globe have been and continue to be the most frequent target of cyber-attacks due largely to how the data pilfered from banks can obviously be monetized.

The Carbanak cyber gang, for example, was able to steal nearly $1 billion, according to some estimates, from more than 100 financial institutions in 2014 via a phishing email campaign. But while most banks, by and large, have invested heavily in network security and protection against the traditional threats posed by hackers with regards to data breaches, ransomware schemes and the like, there looms perhaps a greater threat on the horizon in the form of the Internet of Things (IoT) and the increasing number of periphery devices finding their way onto the corporate network. This also includes video surveillance, identity and access management, and other physical security systems that are critical within the day-to-day operations of financial services firms.

These technologies, which were once analog-based and largely segregated from the other IT systems, have transitioned over to IP and are becoming a greater cybersecurity threat themselves. And the risks posed by these systems, if left unsecured, are not mere theory but have already been well-demonstrated in several cases.  

The Risk Landscape

For example, thousands of unsecured IP cameras were leveraged as part of the Mirai botnet, which was used to launch distributed denial of service (DDoS) attacks to take down several prominent websites. And, a vulnerability dubbed “Devil’s Ivy” was discovered by security researchers in a number of connected security cameras which, if exploited, would have allowed an attacker to remotely access a video feed or deny end-user access to a feed. This discovery immediately sent shockwaves throughout the security industry and raised questions about other potential vulnerabilities lurking in physical security devices.    

However, with the proliferation of the IoT, a significant portion of which is comprised of security sensors, this problem is only going to grow. In fact, according to research firm Gartner, just over 8 billion connected devices were in use in 2017 and that is forecast to grow to over 20 billion by 2020. 

What Can Be Done?

From an overall network security perspective, locking down physical security systems and their associated devices may seem like small potatoes compared to the near-continuous battle banks are engaged in today trying to protect customer data from the likes of cybercriminals and even nation-states. However, physical security and video surveillance, in particular, is a requirement for banks to be able to operate and anything that jeopardizes the integrity of that equipment or turns it into a potential entry point to the larger network for hackers must be immediately addressed.

The problem for most banks is that they already have thousands of cameras deployed throughout their various corporate offices and branches, which makes trying to address cyber vulnerabilities a tremendous challenge. Let’s take the typical branch surveillance deployment, for example. There is usually a mix of both existing analog cameras and IP cameras, along with an encoder, network switch, and an NVR that is connected to the network. The NVR, switch, encoder, and IP cameras all have firmware that may need to be updated to mitigate potential cyber risks and most of them also typically have usernames and passwords that could be exploited by hackers. The prospect of trying to update these devices individually on a site-by-site basis presents a logistical nightmare, which makes having some type of centralized management utility a must.

Following the discovery of the Devil’s Ivy’s vulnerability, the auditors at one bank immediately sent a request to the corporate security department looking to find out exactly how many cameras on their network were at risk to it and who the manufacturers of the cameras were. With a few mouse clicks, the security team was able to generate a comprehensive report listing the affected devices. Such a capability would have been impossible without a central management tool.

Aside from deploying a centralized management utility, other steps that security managers at financial institutions should take to mitigate cyber threats to their physical security systems include:

  • Regular Technology Refresh Cycles: Although many banks today replace computers and other IT hardware every three to five years, the same cannot be said of their security equipment. Security devices, like other technologies, are changing very fast which means vendors are phasing out certain pieces of equipment quicker and will eventually stop supporting them. Getting buy-in for a technology refresh can be challenging but unlike the days where these systems had to be purchased outright, numerous suppliers now offer leasing programs for their equipment and software, shifting the cost to operational expenditure placing the onus for maintenance back onto the vendor and/or integrator.
  • Check and Perform Firmware Updates: Manufacturers today are routinely updating their products to ensure they’re protected against the latest threats. Unfortunately, many organizations are still woefully lagging when it comes to applying patches to impacted devices.
  • Practice Good Password Hygiene: Network security experts have written at length in recent years about the need of organizations and their employees to leverage strong passwords and the same thing can be said with regards to periphery devices, such as cameras and NVRs. Oftentimes, however, the passwords being used on these devices are still the default ones that came with them from the manufacturer or were changed to something simple like “123456” or “password.”         
  • Leverage MAC Access Control Lists (ACLs): Many people within IT security departments at financial institutions are concerned about the potential of an unauthorized user gaining access to a camera switch at a bank branch, plugging in a laptop and infiltrating the network or introducing vulnerability to periphery devices themselves. ACLs allow end-users to detect the MAC address of an IP camera and should it be unplugged, subsequently block any other device from connecting to it.  

When the notorious bank robber Willie Sutton was asked by a reporter why he robbed banks, he was famously quoted as saying, “because that’s where all the money is.” While there may be some debate today as to whether or not Sutton actually uttered those words, the statement still rings true to the motivation of most bank robbers, whether they be physical intruders or cybercriminals. Given the microscope financial institutions are under when it comes to protecting consumer data, allowing technology designed to protect the organization to become an Achilles’ heel is unacceptable and must be addressed with a sense of urgency.          

About the Author:

Alex Johnson is the Senior Director of Analytics and Strategy for Verint.