Focus on Physical and Cyber Linkages

Focus on Physical and Cyber Linkages

  • By Bud Broomhead
  • Feb 01, 2021

All the discussions in recent years about the “convergence” of physical and cyber security have fallen short in one crucial area. The arguments about how best to organize the departments, set the budgets, and who should report to whom have not succeeded in making organizations more secure. Network penetrations are still happening, doors are still being propped open, and ransomware attacks are still succeeding.

As recently as December 2020, the federal government confirmed perhaps the largest and most damaging cybersecurity breach in history, and the most sobering thing about that breach is that we still do not know the intentions of the attackers. Instead of organizational debates, leadership at every organization should be squarely focused on preventing security breaches of all kinds, and engaging the entire team with processes and actions to work toward that result.

Physical Security Vulnerabilities Are Cyber Vulnerabilities
We now know that physical security devices – including not only cameras but also every networked device that is part of these systems – is a potential entry point for cyber attackers and breaches. Physical security devices are themselves IoT devices (Internet of Things) and designed to access networks. But while most IT departments have specific processes for protecting networked PCs and similar organizational devices, the same is often not the case for physical security IoT equipment.

For example, unlike with traditional computers or mobile devices, there are no built-in mechanisms to address new vulnerabilities that are discovered after physical security devices are placed in service. Often the devices are installed with out-of-date firmware that is vulnerable to known attack methods. This is one reason why physical security systems are the #2 most successful attack surface used by cyber criminals to breach an organization.

Even worse, the problem is quickly becoming bigger – the number of connected devices that could compromise network security is increasing at a phenomenal rate. The consensus of a number of market analysts is that the number of network-connected devices will exceed 25 billion within the coming year – and that more than half of those devices will be unmanaged and/or IoT devices. Examples of the devices in this category include not only security cameras, but also VoIP terminals, printers, point-of-sale terminals, medical devices, and many more. These devices will greatly outnumber the traditional enterprise devices such as PCs and servers, as well as managed BYOD devices such as tablets, smartphones, and laptops.

Protecting Physical Security and IoT Devices
Taking action to protect these devices from unauthorized access also helps to protect your entire network. Protecting an IoT device involves reducing the device’s attack surface by eliminating or hardening points of attack, especially for these three areas of vulnerability:

  • Logon credentials
  • Firmware vulnerabilities
  • Digital certificates used for device ID and data encryption

Let’s look at proactive strategies for each of these areas.

Logon Credentials
Logon credentials, such as for security video cameras, are especially vulnerable in high device count deployments because it is hard to conform to good password practices using a manual management process. Typical risky practices include the use of default, repeated, or shared passwords across groups of devices, and delegation of password management to service firm technicians.

A good strategy would be to use automated tools to ensure that default passwords and easily-guessed passwords are not allowed, while requiring secure (i.e. HTTPS) network connections to ensure that passwords are not transmitted over the network in plain text.

An even better strategy would be to use an automated password management application to harden all connected IoT device logons. In this way, unique names and passwords can be assigned to each individual device, while also providing a single sign-on capability so that human users require just one set of logon credentials to access any device, which could be enabled as-needed for short periods of time and be cancelled when user authorization ends.

Firmware Vulnerabilities
Experts have predicted that by 2022, 70% of organizations that have not implemented a firmware upgrade process will be breached due to firmware vulnerabilities. Recent studies of ransomware distribution methods also implicated compromised firmware as a common infection vector.

It is critical for an effective network security program to incorporate sound firmware management. A strong program would include, for example, automation to track current device firmware versions with a cross-reference matrix documenting compatibility with each application that uses the devices. It would incorporate the ability to quickly update device firmware as new firmware versions are released, and it would maintain a log of when firmware updates were performed and by whom for verification of compliance to security policies and practices.

Digital Certificates
Public key encryption based on digital certificates is the strongest known form of encryption, and increasingly used in IoT systems. In a network-based IoT system, such as a security video surveillance system, digital certificates are used for:

  • Identification of each specific device
  • Authenticating that the device is not an impostor
  • Allowing the secure exchange of encryption keys

For a strong protection strategy, digital certificates should be set to expire at intervals that make sense based on their use. If a certificate has been compromised without discovery, expiration shortens the length of time that the compromise can be used to advantage by an attacker. Many organizations with strong security postures rotate their certificates frequently to minimize their risks – and again, automating certificate management is a protective strategy for the effective management of large scale intelligent device deployments with hundreds or thousands of devices.

Moving Forward
We encourage every business, and every security provider, to review their security stance and move forward to improve their processes to make use of available security and management automation. Automation can be used to efficiently and effectively manage firmware, certificates, and passwords at scale – these are the critical linkages between physical and cyber security that can either deny hackers access, or provide an easy entry point. Increasing your attention and proactive prevention efforts on these linkages will not only improve your safety and security, but also provide a path for easily showing that these devices are in compliance to cyber security protocols.

Featured

  • Seeking Innovative Solutions

    Denial, Anger, Bargaining, Depression and Acceptance. You may recognize these terms as the “5 Phases” of a grieving process, but they could easily describe the phases one goes through before adopting any new or emerging innovation or technology, especially in a highly risk-averse industry like security. However, the desire for convenience in all aspects of modern life is finally beginning to turn the tide from old school hardware as the go-to towards more user-friendly, yet still secure, door solutions. Read Now

  • Where AI Meets Human Judgment

    Artificial intelligence is everywhere these days. It is driving business growth, shaping consumer experiences, and showing up in places most of us never imagined just a few years ago. Read Now

  • Report: Only 44 Percent of Organizations are Fully Equipped to Support Secure AI

    Delinea recently published new research on the impact of artificial intelligence in reshaping identity security. According to the report, “AI in Identity Security Demands a New Playbook,” only 44% of organizations say their security architecture is fully equipped to support secure AI, despite widespread confidence in their current capabilities. Read Now

  • Interface Systems Enhances Safety and Communication at Texas Church and School

    Interface Systems, a managed service provider delivering business security, actionable insights, and purpose-built networks for multi-location businesses, today announced the successful completion of a major security upgrade for Bethesda Community Church and Bethesda Christian School in Fort Worth, Texas. Read Now

  • ASIS International Introduces ANSI-Approved School Security Standard

    ASIS International, a leading authority in security standards, is excited to announce the release of its American National Standards Institute (ANSI)-approved standard designed to provide a framework for developing, implementing, maintaining, and improving school security. The first comprehensive standard of its kind provides a critical benchmark for assessing and improving a school’s security posture regardless of size and funding. Read Now

Most   Popular

New Products

  • EasyGate SPT and SPD

    EasyGate SPT SPD

    Security solutions do not have to be ordinary, let alone unattractive. Having renewed their best-selling speed gates, Cominfo has once again demonstrated their Art of Security philosophy in practice — and confirmed their position as an industry-leading manufacturers of premium speed gates and turnstiles.

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure.

  • FEP GameChanger

    FEP GameChanger

    Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction.