This article first appeared in Campus Safety’s sister publication My Tech Decisions.
A decade ago, Valerie Thomas was doing a lot of network-based penetration testing. She was in and out of a lot of places – critical infrastructure, government, and enterprise. She kept finding devices on the network and didn’t understand what they were. In fact, no one on the IT side really understood what they were – and the people installing them didn’t really understand what they were doing on the network.
These things were connected physical security components – things like connected door controllers, access control solutions, and video surveillance systems. A decade ago, the people that owned the systems knew that integrators were coming in and connecting them. They didn’t object or really inquire as to why they were connected and how that would affect the network. Valerie sought to find resources to help her clients understand the security risks of these devices – but at the time none were available.
We’ve come a long way since then, in part due to people like Valerie Thomas. Valerie is today known as an Ethical Hacker for Securicon, and describes herself as a physical security enthusiast who prides herself on guarding the border between the digital network and the physical security systems connected to it.
At Securing New Ground, an annual conference for the security industry’s brightest minds and biggest players, Valerie detailed the cyber threat landscape of today.
“We’re not worried about the twelve-year-old in his mom’s basement anymore, although some of those twelve-year-olds these days are really sophisticated,” says Valerie. “We’re worried about those that are well-educated and well-funded. That information — patents, intellectual property — those are big targets.”
Today it’s important to shift your view of what an attack is — it’s not only physical, and it’s not only cyber, but it’s blended. Hackers don’t focus on one thing, they focus on several, and they blend them together until they get what they want.
They’re also slow, and quiet. While television will lead you to believe otherwise, real access to a network isn’t gained in an hour. These types of attacks take weeks, months and even years.
End users struggle with this blend of physical and cybersecurity for a number of reasons. One of the big reasons is that the security decision maker doesn’t always have the IT background required to understand the network. On the flip side, IT departments often have little experience with physical security systems.
“I have been going out and talking to a lot of IT and cybersecurity consultants at conferences, and teaching them about physical access control and how to merge these two worlds,” says Valerie. “We don’t speak the same language. We don’t really operate at the same pace. There are a lot of challenges there — even just the knowledge base is different. When you say something like VMS in physical security, that means something so different to someone in IT.”
Folks in IT and cybersecurity are used to quick patch cycles and quick responses. They’re continually patching, updating and fixing; what they work on really depends on what’s going on that day. If there is a vulnerability, they’re on it. If you look at the physical side, in this case the components, once the equipment is deployed it isn’t touched very often. There aren’t very many updates. Integrators don’t always tell end users to update, and end users don’t always ask integrators if updates are needed.
The physical security industry is being targeted quite often. Worse still, manufacturers that once required no network connectivity are rushing to introduce products that their customers are looking for — overlooking or flat ignoring security concerns along the way.
To compound that, regulations have only just started being introduced on security standards for smart devices. It’s a bit of a perfect storm for organizations that just want a CCTV system that doesn’t cripple their business through a cyber attack.
How Attackers View Access Control Cybersecurity
Sometimes the easiest way to attack a system is to have physical access to it. Once an attacker can physically reach the device or network, the time it takes to gain total control shrinks to minutes or hours.
In addition, obtaining the credentials of one of the system’s owners is much easier than doing the legwork to break into the system. So that’s what attackers look for first.
They’re also looking for stealth. They don’t want to get in, cause a bunch of mayhem and then get out. The point is to get in unnoticed and stay there. That way they can use the access themselves, or sell it to the highest bidder. The dark web offers many places where hackers auction off access to particular companies.
While she hasn’t seen it yet, Valerie also suspects that cloned access to buildings, control of camera systems and more will go to the highest bidder as well. So attackers won’t get in and start messing with systems just to prove they can — they’ll wait until the potential price for access is highest, then sell it off to someone that wants to do real damage.
There’s also the misconception that hacking is all done at once. In reality, it takes several steps from initial entry to the actual target. As an ethical hacker, Valerie is paid to hack into buildings the way an attacker would.
“We were able to use some long-range technology to gather credentials from people we could walk past. Our equipment had about a three-foot range. We were able to harvest credentialed data, write the same credentials and print them so it looks just like the employee badge,” says Valerie. “That’s how it started. We walked around the gas station capturing credentials for a couple of days, made some cards and let ourselves in the door.”
In this case, Valerie’s team targeted the guard workstations because they had access to the physical building as well as the network. From there, they put keyloggers in, collected keystrokes, came back early with the people who went to the gym, and grabbed the keyloggers.
As they had the credentials, and the building had corporate WiFi, they sat in the parking lot to log into the network as the security guard. From there it was as simple as momentarily releasing doors as their colleagues walked through the building freely.
Sounds like something out of a James Bond movie, but in reality, this was something cooked up by people paid to anticipate what a hacker would do. Do not doubt for a second that attackers are capable and willing to do the same.
Valerie is on an annual contract with this organization, and each year they beef up security to try to stump Valerie’s team. To date, they haven’t succeeded in keeping the ethical hackers out.
5 Tips for Access Control Cybersecurity
- No Default Passwords – Take them out, everywhere. They’re in the documentation, they’re easy to find on the internet and the script to compromise them is easy to write.
- Keep Testing – Not interoperability testing. As a hacker, it doesn’t matter if you can integrate with different equipment. These devices need to be locked down, with strong passwords and proper equipment. If you don’t have the right staff, it’s alright. You can hire a consultant for what you need, and be safe moving forward with your typical staff once they leave.
- Vulnerability Tracking and Reporting – If you don’t have a process for this, there are many resources on the IT side on how to do this. You don’t have to reinvent the wheel. There will be vulnerabilities in everything — there is no shame in reporting them, but there is shame in keeping quiet about them.
- Know Your Hardware’s Software – A lot of hardware platforms ride on code from something else. Your engineer didn’t write it; it’s open source or free. The problem is that, although this saves you money on development, it also means you inherit the vulnerabilities from the code the engineer borrowed.
- Update Awareness Programs – If they’re the same slides you’ve made your employees look at every year, update them. Employees are your biggest vulnerability. They will be targeted. If you don’t properly train them, they will pose a risk to your organization regardless of what you do with the technology.
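The vulnerability-tracking and know-your-hardware’s-software tips above come down to one bookkeeping problem: knowing which third-party code each device carries and which advisories that code inherits, and whether the vendor has actually shipped a firmware that fixes it. The Python below is an added example, not code from the article or from Securicon; the device names, models, component names, versions and advisory IDs are all constructed placeholders.

```python
from dataclasses import dataclass

# Constructed inventory of access-control devices and the third-party code each
# firmware embeds. Every name, version and advisory ID here is a placeholder.
@dataclass
class Device:
    name: str
    model: str
    firmware: str
    components: dict  # embedded component -> version shipped in this firmware

@dataclass
class Advisory:
    advisory_id: str
    component: str
    fixed_in: str  # first component version that is no longer affected

def parse_version(v: str) -> tuple:
    # "2.3.1" -> (2, 3, 1) so versions compare numerically, not as strings
    return tuple(int(p) for p in v.split("."))

def affected_devices(devices, advisories, latest_firmware):
    """Return (device, advisory, action) for each vuln a device inherits via an embedded component."""
    findings = []
    for d in devices:
        for a in advisories:
            shipped = d.components.get(a.component)
            if shipped is None or parse_version(shipped) >= parse_version(a.fixed_in):
                continue  # component absent, or already at/after the fixed version
            newest = latest_firmware.get(d.model)
            if newest and parse_version(newest) > parse_version(d.firmware):
                action = f"update firmware {d.firmware} -> {newest}"
            else:  # the vendor has shipped nothing: this is the case to escalate
                action = "no vendor update available: isolate and compensate"
            findings.append((d.name, a.advisory_id, action))
    return findings

DEVICES = [
    Device("lobby-door-ctrl", "DC-200", "2.3.1", {"tls-library": "1.0.4", "web-ui": "3.2.0"}),
    Device("parking-cam-07", "CAM-X", "5.0.0", {"tls-library": "1.2.0", "rtsp-server": "0.9.1"}),
    Device("server-room-reader", "DC-200", "2.4.0", {"tls-library": "1.1.0", "web-ui": "3.2.0"}),
]
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "tls-library", fixed_in="1.1.0"),
    Advisory("ADV-EXAMPLE-002", "rtsp-server", fixed_in="1.0.0"),
]
LATEST_FIRMWARE = {"DC-200": "2.4.0"}  # CAM-X has no newer firmware from the vendor
def run_report():
    return affected_devices(DEVICES, ADVISORIES, LATEST_FIRMWARE)
```

The report separates devices that merely need the integrator to apply an available update from devices whose vendor has shipped nothing, which is the case that needs a compensating control and a report back to the manufacturer.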