Best Practice is best for a Reason

Best Practice is best for a Reason

  • By Jeff Nigriny
  • Jan 25, 2021

We are still learning the extent of the impact from the SolarWinds hack across the 33K customers who used their Orion software. Just as we are working to fully understand the impact, we are still learning the mechanisms employed to carry it out. While we may never know the full extent of either; there are some early lessons learned.

The attackers were able to leverage legitimate credentials for malicious purposes, unchecked, for months - possibly longer. With these credentials, they gained administrative access and were able to move laterally on all affected networks with relative ease. The latest trend in cybersecurity is zero trust, which, at its core, means everyone should be authenticated at all times, regardless of who they are or where their device sits on the network.

Traditionally, in cybersecurity, any device or user already inside the network is presumed ‘safe’ for cost savings and user convenience. An assumption which, ultimately, aided the SolarWinds perpetrators.

By contrast, zero trust is inherent to physical access because it is expected that every person in the company, from the CEO down, will badge through a barrier for entry each time. Just because someone gains access through the front door, that does not mean they have been authenticated to pass through other doors in the building. Even more, most PACS operators would not consider using a system that did not provide anomalous credential usage reporting. Even residential security systems employ this.

In physical access, just like cyber security, there are credentials for individuals, devices and servers. Most obvious are the proximity or smartcard-based cards and tokens used to interact with door readers. Now, there is a shift to making these keys virtual, stored on mobile devices scanned optically or sent wirelessly.

Some of these credentials are behind the scenes, authenticating communication between system components. Identity credentials, serving as keys, are throughout access control. In cybersecurity, a credential is a key that opens a lock a lock, as well. The distinction between identity credentials and keys, physical tokens and virtual ones, even physical and cyber security are all blurring – becoming the same thing.

Yet, when it comes to monitoring of these credentials, physical and cybersecurity focus on monitoring the locks alone, which does not provide 100% situational awareness. The keys must be monitored, as well. The SolarWinds hack reminds us that attackers are most dangerous when they can use legitimate credentials for malicious means unchecked.

Over the past decade, there has been a transition from less secure authenticators like passwords and proximity badges in cyber and physical security to higher assurance networked credentials that can be used simultaneously in both physical and logical access control systems. Not only must credentials be closely monitored, but equally as important, is the monitoring of the credential issuers. The ‘credential network’ that supports the security of an organization’s data network provides valuable insight into the risk associated with accepting certain types of keys.

We see this concept in action in other industries – for example, credit card companies mitigate fraud with similar monitoring practices. Our transactions are monitored for anomalous usage, issuing banks for batches of compromised cards and so on.

Consumers take for granted the existence of this monitoring, feeling safer that their identity is secure or at least their financial exposure is reduced as a result. High assurance government and commercial credentials were created as a network backed technology with this type of monitoring in mind.

Security suffers where assumptions are made. Do not simply assume a credential is valid because it is genuine; instead, continuously monitor the trustworthiness of your entitled users’ credentials. The stakes have never been higher and cyber and physical security depends on using all the capabilities at your disposal, the best practices from all corners of security, whether traditionally physical, cyber or financial.

About the Author

Jeff Nigriny is the CEO of CertiPath.

Featured

  • From Surveillance to Intelligence

    Years ago, it would have been significantly more expensive to run an analytic like that — requiring a custom-built solution with burdensome infrastructure demands — but modern edge devices have made it accessible to everyone. It also saves time, which is a critical factor if a missing child is involved. Video compression technology has played a critical role as well. Over the years, significant advancements have been made in video coding standards — including H.263, MPEG formats, and H.264—alongside compression optimization technologies developed by IP video manufacturers to improve efficiency without sacrificing quality. The open-source AV1 codec developed by the Alliance for Open Media—a consortium including Google, Netflix, Microsoft, Amazon and others — is already the preferred decoder for cloud-based applications, and is quickly becoming the standard for video compression of all types. Read Now

  • Cost: Reactive vs. Proactive Security

    Security breaches often happen despite the availability of tools to prevent them. To combat this problem, the industry is shifting from reactive correction to proactive protection. This article will examine why so many security leaders have realized they must “lead before the breach” – not after. Read Now

  • Achieving Clear Audio

    In today’s ever-changing world of security and risk management, effective communication via an intercom and door entry communication system is a critical communication tool to keep a facility’s staff, visitors and vendors safe. Read Now

  • Beyond Apps: Access Control for Today’s Residents

    The modern resident lives in an app-saturated world. From banking to grocery delivery, fitness tracking to ridesharing, nearly every service demands another download. But when it comes to accessing the place you live, most people do not want to clutter their phone with yet another app, especially if its only purpose is to open a door. Read Now

  • Survey: 48 Percent of Worshippers Feel Less Safe Attending In-Person Services

    Almost half (48%) of those who attend religious services say they feel less safe attending in-person due to rising acts of violence at places of worship. In fact, 39% report these safety concerns have led them to change how often they attend in-person services, according to new research from Verkada conducted online by The Harris Poll among 1,123 U.S. adults who attend a religious service or event at least once a month. Read Now

Most   Popular

New Products

  • Compact IP Video Intercom

    Viking’s X-205 Series of intercoms provide HD IP video and two-way voice communication - all wrapped up in an attractive compact chassis.

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening.

  • 4K Video Decoder

    3xLOGIC’s VH-DECODER-4K is perfect for use in organizations of all sizes in diverse vertical sectors such as retail, leisure and hospitality, education and commercial premises.