Stop Lingering

Software updates hold the key to cyber security

  • By John Szczygiel
  • Feb 01, 2017

Security threats are on the rise and as IT security teams increase their scrutiny of all network-connected devices, it’s time for some new thinking about the design and maintenance of building security systems. Building security systems are inherently part of the Internet of Things (IoT), however they tend to be woefully neglected network devices. This point was underscored in a recent Distributed Denial of Service (DDOS) attack, which enlisted IoT and security devices into a robot army directed at the Internet services provider DYN. Many of these devices had fundamental design flaws or default passwords that made them easy targets.

Fixing the Flaws

Today, many building security systems contain embarrassing rudimentary cyber-security flaws. Many remain on the same software and firmware versions for years at a time—even when critical patches are available. Too frequently, companies adopt the practice of deferring software maintenance until the system breaks or a new feature is needed. Quite often, building security systems are running obsolete operating systems along with outdated application software and device firmware with known exploits. For example, some of the devices used in the DYN attack were running firmware that was years old with known vulnerabilities that had long ago been patched by the manufacturers.

Security systems installers are complicit in sustaining these conditions by failing to offer pro-active maintenance plans or properly advising customers of the need for regular system patching.

Security system manufacturers often compound the problem by making updates expensive or time consuming to obtain and apply.

And yet, our building security systems are becoming more connected via the network and Internet. While things on the Internet are changing by the second, building security systems may be stuck in the past. These factors make building security systems prime targets for miscreants astonished at the luck of finding a highly interesting plaything with such obvious flaws.

But in many cases this is not a technical problem; it’s mostly a focus and financial issue. It’s the same dynamic that causes governments to require annual vehicle inspections or health plans to require periodic physicals or Apple to give you so many annoying prompts to upgrade your iPhone.

Most people just don’t have the time, money or inclination to pay attention to maintenance. Unless we are compelled to do it, there is always a reason to avoid doing it. So there is the answer— we must be compelled to do it.

This position is validated by information published in Cisco’s Mid-Year Security Report 2016. This report details the major differences between the strong auto-update policies of the Google Chrome web browser and the weaker update policies associated with Microsoft Office. The strong Chrome “opt-out” update policy drives around an 80 percent compliance with updates. Meanwhile Cisco’s statistics show that most users of Microsoft Office stay for very a long time on their installed version, even when updates are available.

“Many large vendors are holding up their end of the security bargain by releasing notifications, fixes, and distributions of vulnerability patches in a timely manner. But this attention to patching is not reflected in end users—and, as a result, they are compromising the safety of themselves and their businesses.”—Cisco Mid-Year Security Report 2016

These facts point to the reality that security is strengthened through a process of evolution and also that many of us need a stimulus to evolve. To support this end we need an updated approach to building security system maintenance.

The Value of Convenience

As consumers, we value convenience, cost and functionality perhaps at the peril of cyber security, at least until there is an incident involving one of our services or devices. At that point, we will turn to the provider or installer of the device and accuse them of malfeasance in the provision and support of “their” system.

The provider can certainly be blamed for failing to implement good security hygiene in the design of the device. The installer is accountable for leaving default passwords and open ports configured. But who is accountable for failing to provide continuous monitoring, vulnerability assessments and maintaining patch levels for building security systems?

As Shakespeare wrote, “the fault my dear Brutus lies not within the stars, but within ourselves.”

How can the manufacturer be responsible for vulnerabilities discovered in underlying components long after the device is purchased? How can the installer be accountable for keeping systems patched and up to date when the customer chooses not to pay for routine maintenance? How can the customer be blamed for not wanting to upgrade with a working system and risk some type of failure or outage? How can anyone be blamed when there is an explosion of devices and software that need constant attention?

To stop the blame game from continuing within the security industry the path forward requires three essential changes to the typical approach to design, installation and maintenance of building security systems:

All parties need to increase their “cyber IQ.” Everyone from manufacturers to installers to customers needs to understand and appreciate how their choices and actions impact network security. Ultimately security is a set of choices inside a race of imagination. If we don’t work to understand the threat, we are choosing to fail before the race has even started.

We need to adopt business models that contemplate a living system versus a one-time sale. There is 100 percent certainty that a system remaining unpatched for months or years will eventually contain a known vulnerability. Everyone in the value chain needs to be prepared for this reality. Manufacturers must include security patches in subscription services, installers must insist on contracted maintenance and provide routine upgrades, customers will need to accept and pay for updates that are not driven by features.

A technical model that minimizes transition risk and makes upgrades almost invisible to the customer. This is primarily a challenge for the manufacturers. We have to learn from the Google Chrome model and find ways to update software and firmware with minimal cost and interruption. We must implement strong auto-update capabilities that are readily available and seamlessly installed. We must take responsibility to monitor our own devices to ensure that they are secure and not recruited to form a bot-net army.

Fortunately much of what we need to respond to these conditions is available to us today. Cyber security education is widely available to us. We can follow secure development practices as we create our products. We can perform continuous monitoring and vulnerability testing of systems while in production. We can deploy patches uniformly and quickly across numerous devices in a cost effective way without inconveniencing customers. We can have the discipline to avoid insecure products and practices when delivering our solutions.

Many industries have proven that all of these things are possible. Now is the time for the security industry to step up to this challenge, as we are compelled to do it.

This article originally appeared in the February 2017 issue of Security Today.

Featured

  • Empowering 911

    In the wake of the tragic murder of UnitedHealth Group CEO Brian Thompson, media coverage flooded the airwaves with images, videos and detailed timelines of the suspect’s movements. While such post-incident analysis is not new, today’s 911 centers now have access to similar data in real-time. This technological evolution marks a pivotal transformation in emergency response, transitioning from analog calls to a digital ecosystem capable of saving more lives. Read Now

  • Security Industry Embraces Mobile Credentials, Biometrics and AI, New Trends Report From HID Finds

    As organizations navigate an increasingly complex threat landscape, security leaders are making strategic shifts toward unified platforms and emerging technologies, according to the newly released 2025 State of Security and Identity Report from HID. The comprehensive study gathered responses from 1,800 partners, end users, and security and IT personnel worldwide, and reveals a significant transformation in how businesses are approaching security, with mobile credentials and artificial intelligence emerging as key drivers of innovation. Read Now

  • UK’s NHS Hospital Transforms Security with Edge-processing Camera System

    i-PRO Co., Ltd.,(formerly Panasonic Security), a manufacturer of edge computing cameras for security and public safety, recently announced that a leading teaching hospital in Northeast England, has enhanced its security infrastructure with i-PRO X-Series cameras integrated with Milestone’s XProtect Video Management Software (VMS). Read Now

  • Gun Violence Report Finds Retail Spaces, K-12 Schools Most Targeted

    ZeroEyes, the creators of the only AI-based gun detection video analytics platform that holds the U.S. Department of Homeland Security SAFETY Act Designation, today announced the release of its annual Gun Violence Report, offering a deep dive into the landscape of gun-related incidents across the United States. This analysis extends beyond mass fatality events, providing a more nuanced understanding of when, where, and why shootings occur. Read Now

Most   Popular

New Products

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening.

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.”

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings.