The phrase goes, ‘as much as things change, they stay the same’. In our increasing use of IP enabled technology and exploitation of the benefits of cyberspace, this applies too, writes Mike Gillespie, of info-security trainers and consultants Advent IM and a director of the Security Institute. He’s a speaker at the next ST17 conference at Glasgow on Tuesday, September 5. Visit www.advent-im.co.uk.
Because when it comes to the firmware or operating systems in our physical security equipment, there are always manufacturers prepared to ship their product, knowing it is either potentially or definitely, insecure from a cyber security perspective. That means they are open to attack. We have a lot of learning to do about the security of security products and as more and more become web- or IP-enabled, we have a responsibility to know how to install, manage and maintain them securely. But if the firmware in the equipment that has been sent from the manufacturer is already vulnerable, then not only will there be issues in installing and running it securely but it can create vulnerabilities that go way beyond a camera or entry system. So, on the surface, nothing has changed; the product is shipped as it always is, then installed as it always is, but this is where things start to change. This vulnerable equipment can be hacked, or used in an attack on a supply chain partner, or as part of a wider infection, such as we saw with the Mirai botnet attack, that used video surveillance systems, amongst other things to facilitate a massive internet denial of service attack. So yes, it is more convenient to run our systems over the net but the problems that this can bring about, are being completely ignored by a number of manufacturers and responsibility left with the end user. Buyer beware.
What do we mean when we talk about vulnerability? The firmware itself might be vulnerable. There are known vulnerabilities that either the manufacturer has failed to address and repair, or that a firmware update has been made available yet the end user has failed to implement it Often, there is no effective strategy for rolling out updates to this firmware by the manufacturer. This effectively means that if it was shipped vulnerable and the installer and end user do not know about the vulnerability, it will remain vulnerable to attack indefinitely. Sometimes the vulnerability is known about, sometimes for a year or more and yet manufacturers continue to ship the kit, regardless.
No man is an island, and nor are today’s security systems. Most systems now will feed back to an integrated security management system (SMS). These SMS consoles, like any software, need to be kept up to date, with security patches being applied anytime a particular element is found to be vulnerable. Yet, how often do manufacturers actually send out software updates for security purposes?
It’s not just about manufacturers; if they are legitimately informing their buyers and end users that there are vulnerabilities, are their warnings being taken in hand and the patches applied as they should be? It might well be that all patching in an organisation is handled by the IT security team but the patches are not issued to them as the system is a physical one. Who is going to handle the patching regime therefore for the physical systems?
Why am I posing all these questions, you may be wondering? Well, because we have seen with the recent outbreaks of ransomware, what happens when these systems are not properly patched, even when a patch has been issued. In the news, we learned that even after Microsoft issued emergency patches for obsolete systems following the WannaCry outbreak, some places still did not apply the patch and so were vulnerable to the next ransomware attack which we know as Petya.
It is also equipment like routers and switches, equipment that forms the communication backbone of our distributed and integrated security systems that need to be maintained in this way. Cisco discovered that of 115k of its routers, 106k were not running up to date versions of the software, despite updates having been issued. So, we can see that yes, some manufacturers are clearly to blame; shipping vulnerable kit and not updating security, but some users are also to blame for not using the patching and updates supplied by manufacturers. There are no good reasons to allow a system to remain unpatched and outdated.
Portals into systems need to be considered too. If we look at Target retail in the US, it was attacked through a maintenance portal for its air-conditioning system, ultimately enabling the loss of millions of debit and credit card details and costing Target dearly. So many of our security and building management systems now have remote access enabled for management and maintenance purposes. Insecure access portals provide an ideal easy way in for attackers, not just to the system itself, but to every system it’s connected to, and even in some cases to the corporate crown jewels.
Finally, what about the maintenance organisations themselves? How secure are they? How good is their security culture? All organisations that access you through cyberspace need to have your security in mind too and understand if their own firmware, routing and infrastructure is compromised so too is that of every organisation they supply to.
So think about things like CCTV or video surveillance images, where are they stored, how are they transmitted, what system is in place and how are they secured both in transit and at rest. You also need to understand what happens to them once their retention period has expired. It is no longer about securing your own organisation, any more than it is only about IT systems. Our businesses and our supply chains are like ecosystems now. If we appreciate the benefits of this and want to continue to increase agility and efficiency then we need to understand what we systems we are buying and how we are managing them. The bad guys are just waiting to capitalise on bad security or manufacturers that ship security without security …
