Security Systems: Insecure?

An excellent timely post by Geoff Kohl in the SIA Newsletter.? Great advice for Physical Security practitioners.?

Here’s a quick summary (with my comments bulletised):

Imagine having to confess (in headline news) that a former employee was able to get into your surveillance system because, the passwords hadn’t been rotated!!!?        

Human Element as the Weak Link

Attackers often exploit human vulnerabilities, such as phishing, social engineering exploits, poor password hygiene and tailgating.?

• Helps, if basic cyber-hygiene practices like password rotation can be automated.

Technical Attack Vectors

Poor security architecture: Issues like systems being directly internet-accessible.

• Of course, count on InfoSec to audit and catch most of these, but again, audit & compliance platforms like those that catch ssh, ftp kind of settings can make InfoSec breathe easy.

Security through obscurity: Ineffective if devices can be found despite attempts to hide them.

• Or even worse, there are rogue devices that are on your network that you didn’t know exist! As a practitioner, I get asked questions around “how do I get basic visibility?”, “How do I catch those stray devices on my network”, etc., "How do I get a digital assets ledger etc.,"

Unpatched vulnerabilities: Exploited by attackers to gain access to systems.?

• This, we find is one of the biggest bottlenecks to making security systems, secure.?
• How do I know what are the vulnerabilities?
• Across my thousands of devices, and dozens of vendors, I have many, many packages to be deployed as patches – how’s it humanly possible to manage?
• How does one assess risks patterns across these multitude of devices, running Windows, Linux etc.,?

Botnets and DDoS attacks: Botnets are used to overwhelm systems, with attacks increasing in volume.

• This being a consequence of not following basic cyber-hygiene practices, how does one “mitigate” – for example, isolate a compromised set of devices or send a command to shut them off?

Defense Strategies:

Education and training:? Emphasize cybersecurity awareness to prevent social engineering attacks.

Implement policies for strong, unique passwords and multi-factor authentication.

• Easily said than done - our customers' comment.? We need tools that help with compliance and audit of violations – a crying demand in the industry today

Technical measures like network segmentation, traffic encryption, and properly managed accounts.

• Rotating passwords, ensuring devices have certificates that are used in communication etc.,

Avoid default credentials and enforce secure configurations from the start.

• Absolutely!!! How does one audit and ensure compliance – please, please point us to tools that accomplish this – an ask from our customers.?

Cybersecurity by Design. Manufacturers should:

Assume that security will not be implemented correctly by default.

Enforce password changes and secure configurations before allowing system use.

• Covered elsewhere.? Security BU stakeholders, CISOs and CIOs struggle to enforce such basic, cyber-hygiene practices in an automated, compliant way.? And ensure there is a robust “audit” kind of tool that is enterprise scale, widely deployable and something operational technology owners, CISOs and CIOs can rely on. Of course, throw in AI/ML for the discussion to be complete!!!

Train or hire specialists in cybersecurity to address the gap in knowledge among generalists.

• The bad news is that such experts are in huge short supply.? PhySec teams are just not getting that kind of budgets.
• The good news is that with GenAI kind of tools, some platform vendors have made it very easy for teams to understand the underlying platform usage in a “just in time”, “query-able in simple English” formats.