Security Systems: Insecure?

An excellent, timely post by Geoff Kohl in the SIA Newsletter. Great advice for physical security practitioners.

Here's a quick summary (with my comments bulletised):

Imagine having to confess (in headline news) that a former employee was able to get into your surveillance system because the passwords hadn't been rotated!

Human Element as the Weak Link

Attackers often exploit human weaknesses: phishing, social engineering, poor password hygiene and tailgating.

  • It helps if basic cyber-hygiene practices like password rotation can be automated.
Technical Attack Vectors
Poor security architecture: issues such as systems being directly reachable from the internet.
  • Of course, count on InfoSec to audit and catch most of these, but again, audit and compliance platforms that catch settings like exposed SSH or FTP services can make InfoSec breathe easier.
Security through obscurity: Ineffective if devices can be found despite attempts to hide them.
  • Or even worse, there are rogue devices on your network that you didn't know existed! As a practitioner, I get asked questions like "How do I get basic visibility?", "How do I catch those stray devices on my network?" and "How do I get a digital asset ledger?"
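The visibility question above comes down to reconciling what the ledger says should be on the segment against what is actually answering on the wire. The script below is an added example, not code from the original post or from the SIA article: it loads a constructed asset-ledger CSV, parses constructed `ip neigh show` output from the segment's gateway, and reports rogue devices (seen but not in the ledger), moved devices (known MAC on a different IP) and missing devices (in the ledger but not seen). All MAC addresses are locally administered 02:xx addresses and the vendor names are invented.

```python
"""Reconcile a device ledger against what is actually answering on the
network, to surface rogue, moved and missing devices.

Added example, not from the original post. The ledger CSV, the `ip neigh`
output and the MAC addresses are constructed sample data."""
import csv
import io
import re
from dataclasses import dataclass

# Constructed ledger, in the shape an asset-inventory export typically has.
# Note the mixed MAC notations: ledgers are rarely consistent.
LEDGER_CSV = """mac,ip,vendor,role
02:1A:2B:00:00:01,10.0.5.11,ExampleCam,camera-lobby
02-1a-2b-00-00-02,10.0.5.12,ExampleCam,camera-dock
02:1A:2B:00:00:03,10.0.5.13,ExampleCam,camera-garage
02:1A:2B:00:00:04,10.0.5.14,ExampleCam,camera-roof
02:AA:BB:00:00:10,10.0.5.20,ExampleNVR,nvr-main
"""

# Constructed output in the format of `ip neigh show` on the gateway.
# A FAILED entry carries no lladdr and must be skipped, not treated as a device.
NEIGH_OUTPUT = """10.0.5.11 dev eth0 lladdr 02:1a:2b:00:00:01 REACHABLE
10.0.5.12 dev eth0 lladdr 02:1a:2b:00:00:02 STALE
10.0.5.20 dev eth0 lladdr 02:aa:bb:00:00:10 REACHABLE
10.0.5.99 dev eth0 lladdr 02:1a:2b:00:00:03 REACHABLE
10.0.5.200 dev eth0 lladdr 02:de:ad:be:ef:01 REACHABLE
10.0.5.77 dev eth0  FAILED
"""

NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9A-Fa-f:]+) (\S+)$")


@dataclass(frozen=True)
class Device:
    mac: str
    ip: str
    vendor: str = ""
    role: str = ""


def norm_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form so '02-1A-2B-..' and
    '021a2b..' compare equal; rejects anything that is not 12 hex digits."""
    digits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_ledger(text: str) -> list[Device]:
    rows = csv.DictReader(io.StringIO(text))
    return [Device(norm_mac(r["mac"]), r["ip"].strip(), r["vendor"], r["role"])
            for r in rows]


def parse_ip_neigh(text: str) -> list[Device]:
    """Turn `ip neigh show` lines into Devices; entries without a hardware
    address (FAILED/INCOMPLETE) are dropped."""
    seen = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            ip, _iface, mac, _state = m.groups()
            seen.append(Device(norm_mac(mac), ip))
    return seen


def reconcile(ledger: list[Device], scan: list[Device]) -> dict[str, list]:
    """Compare by MAC (the identity the ledger owns), then by IP.
    rogue   = answering on the wire but absent from the ledger
    moved   = known device now on a different IP than the ledger claims
    missing = in the ledger but not seen (offline, or removed without
              updating the ledger)"""
    expected = {d.mac: d for d in ledger}
    observed = {d.mac: d for d in scan}
    rogue = [observed[m] for m in observed if m not in expected]
    moved = [(expected[m], observed[m]) for m in observed
             if m in expected and expected[m].ip != observed[m].ip]
    missing = [expected[m] for m in expected if m not in observed]
    return {"rogue": rogue, "moved": moved, "missing": missing}


if __name__ == "__main__":
    report = reconcile(load_ledger(LEDGER_CSV), parse_ip_neigh(NEIGH_OUTPUT))
    for kind, items in report.items():
        print(f"{kind}: {len(items)}")
        for item in items:
            print("   ", item)
```

On the constructed data this flags 02:de:ad:be:ef:01 at 10.0.5.200 as rogue, camera-garage as moved from 10.0.5.13 to 10.0.5.99, and camera-roof as missing. One caveat a practitioner should keep in mind: the ledger keys on MAC address, which an attacker on the segment can clone, so a production version should corroborate with switch port, 802.1X or device-certificate data rather than treating a matching MAC as proof of identity.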
Unpatched vulnerabilities: Exploited by attackers to gain access to systems. 
  • This, we find, is one of the biggest bottlenecks to making security systems secure.
  • How do I know what the vulnerabilities are?
  • Across my thousands of devices and dozens of vendors, I have many, many packages to deploy as patches – how is it humanly possible to manage?
  • How does one assess risk patterns across this multitude of devices running Windows, Linux, etc.?
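The three questions above (which devices are vulnerable, how to prioritise them, and how many distinct packages actually need rolling out) are mechanical once the inventory and the vendor advisories are in a comparable form. The script below is an added example, not code from the original post or from any vendor: it matches a constructed inventory against constructed advisories by version range, scores each hit by severity plus internet exposure, and collapses the result into one entry per (vendor, product, target version). The vendors, products, ADV-nnnn identifiers and version numbers are all invented, not real CVEs or firmware releases.

```python
"""Match a device inventory against vendor advisories by version, rank what
is exposed, and collapse the result into the patch packages that actually
need to be rolled out.

Added example, not from the original post. Vendors, products, advisory IDs
(ADV-...) and version numbers are constructed sample data, not real CVEs."""
import re
from collections import defaultdict

SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
EXPOSURE_BONUS = 2  # internet-reachable devices move to the front of the queue

# Constructed advisories: a device is affected when introduced <= version < fixed_in.
ADVISORIES = [
    {"id": "ADV-0001", "vendor": "ExampleCam", "product": "IPC-2000",
     "introduced": "1.0.0", "fixed_in": "3.2.5", "severity": "critical"},
    {"id": "ADV-0002", "vendor": "ExampleNVR", "product": "NVR-8",
     "introduced": "4.0.0", "fixed_in": "4.1.0", "severity": "high"},
    {"id": "ADV-0003", "vendor": "ExampleCam", "product": "IPC-2000",
     "introduced": "3.0.0", "fixed_in": "3.3.0", "severity": "medium"},
]

# Constructed inventory mixing camera firmware, NVR firmware and a Windows
# workstation build; the same version parser handles all of them.
INVENTORY = [
    {"id": "cam-01", "vendor": "ExampleCam", "product": "IPC-2000", "version": "3.1.7", "internet_exposed": True},
    {"id": "cam-02", "vendor": "ExampleCam", "product": "IPC-2000", "version": "3.2.9", "internet_exposed": False},
    {"id": "cam-03", "vendor": "ExampleCam", "product": "IPC-2000", "version": "3.3.0", "internet_exposed": False},
    {"id": "nvr-01", "vendor": "ExampleNVR", "product": "NVR-8", "version": "4.0.12-rc1", "internet_exposed": True},
    {"id": "nvr-02", "vendor": "ExampleNVR", "product": "NVR-8", "version": "3.9.1", "internet_exposed": False},
    {"id": "ws-01", "vendor": "ExampleVMS", "product": "Workstation", "version": "10.0.19045.4291", "internet_exposed": False},
]


def parse_version(s: str) -> tuple[int, ...]:
    """'3.2.5' -> (3, 2, 5). Build suffixes such as '-rc1' are dropped so that
    tuples compare element-wise; anything with no leading number is rejected."""
    m = re.match(r"\d+(?:\.\d+)*", s.strip())
    if not m:
        raise ValueError(f"unparseable version: {s!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def version_lt(a: tuple[int, ...], b: tuple[int, ...]) -> bool:
    """Strict less-than with zero padding, so (3, 3) == (3, 3, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def is_affected(version: str, adv: dict) -> bool:
    v = parse_version(version)
    return (not version_lt(v, parse_version(adv["introduced"]))
            and version_lt(v, parse_version(adv["fixed_in"])))


def assess(inventory: list[dict], advisories: list[dict]) -> list[dict]:
    """One finding per vulnerable device: matching advisories, worst severity,
    priority score, and the single version that closes all of them."""
    findings = []
    for dev in inventory:
        hits = [a for a in advisories
                if a["vendor"] == dev["vendor"] and a["product"] == dev["product"]
                and is_affected(dev["version"], a)]
        if not hits:
            continue
        worst = max(hits, key=lambda a: SEVERITY_WEIGHT[a["severity"]])
        score = SEVERITY_WEIGHT[worst["severity"]] + (EXPOSURE_BONUS if dev["internet_exposed"] else 0)
        target = max((a["fixed_in"] for a in hits), key=parse_version)
        findings.append({"device": dev["id"], "advisories": [a["id"] for a in hits],
                         "worst_severity": worst["severity"], "score": score,
                         "target_version": target})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


def patch_plan(inventory: list[dict], findings: list[dict]) -> dict[tuple, list[str]]:
    """Group vulnerable devices by (vendor, product, target version): each key
    is one package to stage and test, however many devices it covers."""
    by_id = {d["id"]: d for d in inventory}
    plan = defaultdict(list)
    for f in findings:
        d = by_id[f["device"]]
        plan[(d["vendor"], d["product"], f["target_version"])].append(f["device"])
    return dict(plan)


if __name__ == "__main__":
    findings = assess(INVENTORY, ADVISORIES)
    for f in findings:
        print(f"{f['device']:8} score={f['score']} {f['worst_severity']:8} -> {f['target_version']} {f['advisories']}")
    for (vendor, product, version), devices in patch_plan(INVENTORY, findings).items():
        print(f"package {vendor}/{product} {version}: {len(devices)} device(s)")
```

On the constructed data three of six devices are vulnerable, the exposed critical camera sorts first, and the whole backlog collapses to two packages (one camera firmware, one NVR firmware). The version parser is deliberately simple: vendors that use date-based or non-numeric schemes need their own comparator, and an advisory feed in the real world should carry a structured affected-range field rather than free text.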
Botnets and DDoS attacks: botnets are used to overwhelm systems, and attack volumes are increasing.
  • This being a consequence of not following basic cyber-hygiene practices, how does one "mitigate" – for example, isolate a compromised set of devices or send a command to shut them off?
Defense Strategies:
Education and training: emphasize cybersecurity awareness to prevent social engineering attacks.
Implement policies for strong, unique passwords and multi-factor authentication.
  • Easier said than done – our customers' comment. We need tools that help with compliance and auditing of violations – a crying demand in the industry today.
Technical measures like network segmentation, traffic encryption, and properly managed accounts.
  • Rotating passwords, ensuring devices have certificates that are used in communication, etc.
Avoid default credentials and enforce secure configurations from the start.
  • Absolutely! How does one audit and ensure compliance? Please point us to tools that accomplish this – an ask from our customers.
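The audit-and-compliance ask that recurs through this section (automated password rotation under Human Element, catching SSH/FTP-type settings under Technical Attack Vectors, and the password, MFA, certificate and default-credential policies above) reduces to running a fixed set of rules over each device's configuration and reporting violations with a severity. The script below is an added example, not code from the original post or from any product: it audits constructed device records for factory-default credentials, weak passwords, overdue rotation, missing MFA on the management account, clear-text management services and missing device certificates. The device records and the default-credential list are illustrative; a real baseline would be per vendor and model.

```python
"""Audit device account and service configuration against a baseline:
default credentials, password strength and age (rotation), MFA on the
management account, clear-text services and missing device certificates.

Added example, not from the original post. The device records below are
constructed sample data; the default-credential list is illustrative."""
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90
MIN_PASSWORD_LENGTH = 12
CLEARTEXT_SERVICES = {"telnet", "ftp", "http"}
# Widely published factory defaults; a real baseline is per vendor/model.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "12345"), ("admin", ""), ("root", "root")}

# Constructed configuration export, one record per device.
DEVICES = [
    {"id": "cam-01", "user": "admin", "password": "admin", "password_changed": "2023-01-15",
     "mfa": False, "services": ["http", "rtsp"], "device_cert": False},
    {"id": "cam-02", "user": "svc-video", "password": "Lobby-Cam!2024-r3", "password_changed": "2024-05-02",
     "mfa": True, "services": ["https", "rtsp"], "device_cert": True},
    {"id": "nvr-01", "user": "root", "password": "nvr2019", "password_changed": "2022-11-01",
     "mfa": False, "services": ["ssh", "ftp"], "device_cert": False},
]


def password_is_weak(pw: str) -> bool:
    """Minimal policy: length floor plus at least one letter and one digit."""
    return (len(pw) < MIN_PASSWORD_LENGTH
            or not any(c.isdigit() for c in pw)
            or not any(c.isalpha() for c in pw))


def audit_device(dev: dict, today: date) -> list[tuple[str, str, str]]:
    """Return (severity, rule, detail) findings; an empty list means compliant.
    Detail strings never echo the password itself, so the report is safe to file."""
    findings = []
    if (dev["user"], dev["password"]) in DEFAULT_CREDENTIALS:
        findings.append(("critical", "default-credentials",
                         f"{dev['user']} still uses a factory default"))
    elif password_is_weak(dev["password"]):
        findings.append(("high", "weak-password",
                         f"shorter than {MIN_PASSWORD_LENGTH} or missing letters/digits"))
    age = (today - date.fromisoformat(dev["password_changed"])).days
    if age > MAX_PASSWORD_AGE_DAYS:
        findings.append(("high", "password-rotation",
                         f"last changed {age} days ago (limit {MAX_PASSWORD_AGE_DAYS})"))
    if not dev["mfa"]:
        findings.append(("medium", "no-mfa", f"no second factor on {dev['user']}"))
    for svc in sorted(CLEARTEXT_SERVICES & set(dev["services"])):
        findings.append(("high", "cleartext-service", f"{svc} enabled"))
    if not dev["device_cert"]:
        findings.append(("medium", "no-device-certificate",
                         "no certificate for authenticated, encrypted communication"))
    return findings


def audit_fleet(devices: list[dict], today: date) -> dict[str, list]:
    return {d["id"]: audit_device(d, today) for d in devices}


def summary(report: dict[str, list]) -> dict:
    """Roll-up for the compliance dashboard: counts per severity plus which
    devices pass outright."""
    by_severity: dict[str, int] = {}
    for findings in report.values():
        for severity, _rule, _detail in findings:
            by_severity[severity] = by_severity.get(severity, 0) + 1
    return {"by_severity": by_severity,
            "compliant": [d for d, f in report.items() if not f],
            "noncompliant": [d for d, f in report.items() if f]}


if __name__ == "__main__":
    report = audit_fleet(DEVICES, date.today())
    for dev_id, findings in report.items():
        print(dev_id, "OK" if not findings else "")
        for severity, rule, detail in findings:
            print(f"   [{severity}] {rule}: {detail}")
    print(summary(report))
```

Two design points worth noting. The audit takes the date as a parameter so the same run is reproducible in a ticket or a test, and the findings are written without the secret in them. The records here hold plaintext passwords only because they are constructed sample data; an auditor that reads a real configuration export should compare hashes against the default-credential list and never persist the credential itself.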
Cybersecurity by Design. Manufacturers should:
Assume that security will not be implemented correctly by default. Enforce password changes and secure configurations before allowing system use.
  • Covered elsewhere. Security BU stakeholders, CISOs and CIOs struggle to enforce such basic cyber-hygiene practices in an automated, compliant way, and to ensure there is a robust "audit" tool that is enterprise scale, widely deployable and something operational technology owners, CISOs and CIOs can rely on. Of course, throw in AI/ML for the discussion to be complete!
Train or hire specialists in cybersecurity to address the gap in knowledge among generalists.
  • The bad news is that such experts are in very short supply, and PhySec teams are just not getting that kind of budget.
  • The good news is that with GenAI-style tools, some platform vendors have made it very easy for teams to understand the underlying platform usage in a "just in time", "queryable in plain English" format.