Securing Security: The Top Vulnerabilities and How to Solve Them
Whether you work for a large organization, where it is assumed that the business security solutions have been investigated and researched carefully, or for a small company with limited resources, as a security professional it is unsettling to read headlines like “Equifax Data Breach Settlement: What You Should Know.” Whether you had the foresight and funding to protect yourself from potential threats at the start or had to respond quickly to a specific incident when it arose, you have studied and purchased cameras, card access, electronic locks and cybersecurity software to establish a secure environment. But have you researched deeply enough to discover the unexpected vulnerabilities that could allow those security solutions themselves to be compromised? You should be actively and continually examining your system to protect it.
As those headlines indicate, hackers continue to devise new ways to breach systems just like yours, so you need to stay ahead of the curve. The Target hacker gained access to Target’s database because a third-party vendor was deceived by a phishing email! There have been other infamous breaches through encrypted algorithms (Yahoo), employee credentials (eBay), in-store kiosks (TJX), GitHub (Uber), gaming accounts (Sony), and more. It is worth mentioning that some hacks occur offline, as when hackers posed as people trusted by employees of RSA Security.
“There is a cost beyond the financial,” Brian Freeman, Prime Communications Inc’s (PCI’s) Vice President of National Accounts, reminds security and loss prevention officials. “The costs to your brand can be devastating. If customers aren’t confident their data is secure due to even a small breach, they’ll go elsewhere. And it can take a long time to regain their trust.”
Keep your company out of the headlines by discovering the vulnerabilities and understanding the solutions in the article below. Read on to unveil the top four vulnerabilities where your security system has the potential to fail.
Security Vulnerability #1: Cameras
An external video camera is a basic, necessary security component for almost every organization, but if it is not properly configured it can present both physical and digital vulnerabilities. Cameras should be difficult to tamper with, both physically and from a network perspective. Given the way some external building cameras are mounted, you would be surprised how easy it is for someone to simply climb a ladder and use the camera’s network connection to reach sensitive parts of your business.
Security professionals often make mistakes with cameras from the very beginning – when they decide which one to buy. How much do you know about the camera manufacturer and model you are buying? Security camera resolution, field of view, and durability are all common selling points, but are you sure you know all the ways it can impact your network?
“People assume if they bought it from a security company it must be secure,” Shannon Neubauer, PCI Director of Sales Engineering, explained. “It’s the little things that present a true risk, because you tend to take those things for granted.” He said one PCI customer previously hired an integrator to install a popular, inexpensive – but vulnerable – camera system. “That integrator didn’t advise the client that they could be significantly more secure with cameras that cost just a little more,” Neubauer said. “It’s critical to ask your integrator if the product you are buying has known vulnerabilities and an updated hardening guide.”
Some cameras have a back door through default settings that make your network easily accessible. No matter how secure your passwords are, anyone who knows the default settings can get connected, no problem. These cameras are nothing less than an open invitation to customer information, financial information, and intellectual property. A couple of years ago, integrators became aware of this type of vulnerability in one of the most commonly purchased, most inexpensive cameras on the market, offered by a Chinese government-owned manufacturer.
To solve this problem, consider creating a security-specific VLAN on your network. In addition, it is recommended to load 802.1X certificates on your cameras. The switch port then requires the device to authenticate before allowing any traffic in, so a device cannot gain access simply by spoofing a camera’s MAC address. Make sure manufacturers are keeping up hardening guides and actively supporting firmware – Axis is one company that offers a robust hardening protocol to support customers into the future. According to Neubauer, it is not uncommon for manufacturers to publish a hardening guide once and never update it. “Ask the provider what their plan is for supporting the device after it has been discontinued,” he said, suggesting the life expectancy of any camera should be 7 to 10 years.
Another element necessary for wise camera management is video management software (VMS) such as that offered by Genetec, the only company that has been DHS certified for VMS seven years in a row. “Genetec adds a layer of security to encrypt video from the camera to the recorder, then to the workstation,” Neubauer explained. “If you don’t have the right software and authentication you will never see the video.”
Security Vulnerability #2: Protecting Other Physical Assets
In addition to cameras, every piece of hardware that comes into contact with your network can become a potential security threat.
Exposure 1: Thumb Drives
Thumb drives are a great example. Easy to come by and easy to move, a casually used thumb drive can take company files away from the secure bubble of your network or introduce unseen malicious programs. An employee may not see the harm in using a thumb drive from home or a trade show. They may believe your security system will find any vulnerability and notify them. But such a thumb drive is a device out of your influence and likely not up to your standards. Security breaches aren’t always caused by maliciousness. Hackers are very good at using social engineering to trick people into thinking they’re safe.
Exposure 2: IDF Cabinets
Whether malicious or careless, breaches through onsite hardware are distressingly common. IDF cabinets, for example, should be locked with an access control keypad and monitored with video so you know without a doubt who’s coming and going and when. You can require that all visitors to your control room are escorted by knowledgeable personnel. This not only deters malicious activity, but also ensures that unknowledgeable people won’t inadvertently take down the entire IDF.
Exposure 3: Removal of Obsolete Equipment
Technology, unfortunately, keeps changing, which presents another risk. Eventually, you’ll remove old components to make way for newer, better equipment. But just because you’re done with hardware doesn’t mean you can toss it out without a care in the world – sensitive data stored on it still needs to be controlled. Whether you intend to sell or destroy it, your disposal procedure needs to be thorough.
Whether it is portable data storage that freely moves on and off company premises or larger hardware that needs to be secured within your building, all devices that will connect to your network should be monitored. Your integrator should implement multiple security layers, from firewalls and automatically running anti-malware software to clearly defined network security protocols. You cannot expect every employee to have a professional-level understanding of security risks. Instead, you should establish tight protocols, implement firewalls and anti-malware that run automatically, and communicate best practices to ensure no one brings anything harmful onto your network, intentionally or unintentionally.
“It’s a matter of when you will get attacked, not if,” said Neubauer. “A lot of vulnerabilities are low level, and companies have a tendency to sweep them under the rug. Other companies are on top of these types of attacks in order to mitigate financial and commercial risk.”
Security Vulnerability #3: Network Layers
Every network has multiple layers, and every layer presents a potential vulnerability, yet most security protocols encompass protections at only one or two common hardware and software points of access. Often forgotten is the potential for breaches inside the data path from the switch to the user station.
If you have chosen the right integrator they can help you identify susceptible areas and calculate the costs of instituting additional security measures, such as network switches and cables. Keep in mind some cheaper network switches can’t accommodate measures like 802.1X certificates.
Network Security Best Practices:
- Use segregated VLANs so security systems are isolated from the rest of the network.
- Do not allow direct access for systems where it’s not needed.
- Do not allow remote access for systems where it’s not needed.
- Make sure the right security certifications are in place.
- Ensure firewalls and VPN connections are set up for cross-site communication, hardening of servers, and scans. Consider this as you expand your platform, get with IT, and understand exactly what’s needed to comply upfront rather than dealing with problems later.
Taking it one step further, don’t forget human relationships are a part of the chain of security. Neubauer explains, “It’s worth your time and effort to ensure loss prevention and security personnel establish strong, communicative relationships with IT staff who can help with testing on servers, ports, software and a whole litany of other items you might not even think of to ensure you are compliant with corporate standards.”
Neubauer suggests smaller companies can learn from larger companies who tend to have the budgets and personnel to implement more stringent security protocols. “Above all, when you talk with your integrator, ask them how they are going to do more than secure your front door.”
Security Vulnerability #4: Access Control – Letting the Right People In
Keeping the wrong people out of your building is an important goal of access control technology. But equally important and often overlooked is the goal of making sure the right people can get where they need to go quickly and efficiently.
“People have lost sight of why they bought access control,” Freeman said. “They just give everyone a card and say, ‘Come on in!’” Companies often give vendors carte blanche to access whatever they deem necessary. He suggests taking another look at access control protocols to identify potential gaps.
In particular, cards themselves often warrant a refresh. HID manufactures about 80% of the card readers in the world, and their traditional proximity readers use outdated 1980s technology at a 125-kilohertz frequency that allows cards to be easily duplicated. Newer cards use iCLASS and SEOS technology that conducts an actual transaction, with the card number being sent back and forth before the cardholder is allowed to enter.
Neubauer said access control administrators often struggle to keep track of who has access to which areas or buildings. “With Active Directory integration, you can make one change to all locations and run reports to see exactly who has access.” Even large companies are guilty of allowing access too broadly. Neubauer urges security personnel to establish strict interpersonal protocols. For example, when people only need one-time access to a building, they should be required to request access through an official process, receive approval, and be programmed into the access control system for that building. Personnel responsible for system administration must take time to identify critical areas and decide who needs access regularly and who must request one-time access. In addition, multifactor authentication can be used, combining PINs, biometric identifiers and/or cards.
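As an added illustration (not from the article, and not HID’s actual iCLASS or SEOS protocol), the Python simulation below contrasts a reader that trusts a fixed identifier with one that runs a challenge-response transaction. The card ID, the per-card key and the HMAC-based scheme are constructed abstractions to show why a static number can be copied while a keyed transaction cannot be reused.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential for the simulation; not real card data.
CARD_ID = "1F3A9C"
CARD_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")

class LegacyProxReader:
    """125 kHz prox model: the card emits a fixed identifier and the reader
    grants entry if it is enrolled. Nothing proves it came from the real card."""
    def __init__(self, enrolled_ids):
        self.enrolled = set(enrolled_ids)
    def present(self, card_id):
        return card_id in self.enrolled

class TransactionalCard:
    """Card holding a per-card secret that answers the reader's challenge."""
    def __init__(self, card_id, key):
        self.card_id, self._key = card_id, key
    def respond(self, challenge):
        return hmac.new(self._key, challenge + self.card_id.encode(), hashlib.sha256).digest()

class TransactionalReader:
    """Fresh random challenge per attempt; only the keyed answer to it is accepted."""
    def __init__(self, enrolled_keys):
        self.enrolled = dict(enrolled_keys)  # card_id -> per-card key
        self._pending = None
    def challenge(self):
        self._pending = secrets.token_bytes(16)
        return self._pending
    def verify(self, card_id, response):
        challenge, self._pending = self._pending, None  # one answer per challenge
        key = self.enrolled.get(card_id)
        if key is None or challenge is None:
            return False
        expected = hmac.new(key, challenge + card_id.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def compare_readers():
    """Returns (copied_id_opens_legacy, genuine_transaction_ok, reused_response_ok)."""
    legacy = LegacyProxReader([CARD_ID])
    copied_id_works = legacy.present(CARD_ID)  # a copy of the ID is as good as the card
    card = TransactionalCard(CARD_ID, CARD_KEY)
    reader = TransactionalReader({CARD_ID: CARD_KEY})
    genuine = reader.verify(CARD_ID, card.respond(reader.challenge()))
    old_response = card.respond(reader.challenge())
    reader.challenge()  # reader has moved to a new nonce before the old answer is reused
    replayed = reader.verify(CARD_ID, old_response)
    return copied_id_works, genuine, replayed
```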
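An added example (not from the article, and not Genetec’s or any vendor’s code) modelling the one-time access process described above in Python: every grant records a named approver, one-time grants expire after a fixed window and are consumed on first use, and a report answers who can currently open which area. Names, areas and times are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Grant:
    person: str
    area: str
    approved_by: str                    # the official process: someone signed off
    expires: "datetime | None" = None   # None for standing access
    one_time: bool = False
    used: bool = False

@dataclass
class AccessRegistry:
    grants: list = field(default_factory=list)

    def approve(self, person, area, approver, one_time_from=None, valid_hours=8):
        """Record an approved grant; one-time grants get a bounded window."""
        expires = one_time_from + timedelta(hours=valid_hours) if one_time_from else None
        g = Grant(person, area, approver, expires, one_time_from is not None)
        self.grants.append(g)
        return g

    def check(self, person, area, at):
        """Door decision: True only for a live grant; a one-time grant is consumed."""
        for g in self.grants:
            if g.person != person or g.area != area or g.used:
                continue
            if g.expires is not None and at > g.expires:
                continue
            g.used = g.one_time
            return True
        return False

    def report(self, at):
        """Who can open which area at this moment, keyed by area."""
        live = {}
        for g in self.grants:
            if not g.used and (g.expires is None or at <= g.expires):
                live.setdefault(g.area, set()).add(g.person)
        return live

def scenario():
    """Constructed walk-through; returns three door decisions and the final report."""
    reg = AccessRegistry()
    t0 = datetime(2024, 1, 8, 9, 0)
    reg.approve("alice", "HQ", "security_mgr")                       # standing access
    reg.approve("vendor_bob", "HQ", "security_mgr", one_time_from=t0)
    reg.approve("vendor_carol", "DC", "security_mgr", one_time_from=t0)
    first = reg.check("vendor_bob", "HQ", t0 + timedelta(hours=1))    # True
    second = reg.check("vendor_bob", "HQ", t0 + timedelta(hours=2))   # False: consumed
    late = reg.check("vendor_carol", "DC", t0 + timedelta(hours=9))   # False: window closed
    return first, second, late, reg.report(t0 + timedelta(days=30))
```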
The best approach is to install a unified system, such as the Genetec unified platform, which can provide automation and integration of many different security needs to save time – and, in the end, money and possibly lives. A unified system might include automated doors, video, facial recognition and automatic notification of potential threats.
Look at Security as an Interconnected System
“Security isn’t a problem that can be solved just by addressing individual components,” Neubauer said. “To effectively secure your security, you have to look at your system as a comprehensive solution.” Every new device you add is an extra potential point of access to your entire network – especially in this age of IoT. New components don’t always mesh smoothly with old ones. Your system is constantly changing, and you must change with it to keep up with emerging risks.
Talk with your integrator. Make sure they are asking the right questions about your needs and providing a variety of solutions so you can balance cost with security level. Don’t leave it up to chance. Take the time to understand exactly what your risks are.
For more information about securing security and unified systems, contact one of our Business Development Managers at 402-289-4126 or firstname.lastname@example.org. For more information about PCI, a Security Business top-5 security integrator, visit www.primecominc.com.