May 11, 2020
Shrinking the Cyber Attack Surface by Hardening Physical Security Systems
This blog post includes excerpts from a white paper by the same name.
Cyber attacks are on the rise now more than ever – and with many people focused on sustaining their business, they may not be as vigilant about protecting their networks from hackers that could have a devastating impact on the company.
You may not realize that many of these attacks don’t start at a company’s network or server. Instead, hackers focus on gaining entry through systems connected to the network, such as merchant services, Point of Sale (POS) systems, physical security systems and more.
These ancillary systems are easily overlooked when it comes to keeping firmware updated, changing default passwords and taking other simple measures. Thus, they can provide welcoming points of entry to a corporate network, leaving businesses unknowingly exposed to cyber attacks.
Fortunately, there are straightforward steps that can be taken to harden interconnected and networked systems, reducing vulnerabilities and the likelihood of a successful attack. These recommendations are based on an extensive set of cybersecurity best practices, as well as the recommendations of applicable standards bodies.
For convenience and clarity, the recommendations are organized by type, not necessarily by priority or importance. Evaluate the specifics of your circumstances to determine which steps are needed and in what order to prioritize them to support your business needs.
6 Considerations for Hardening Your Physical Security Systems
- Ensure that all software throughout the system is updated at all times, including device firmware.
- Consider automating the checking and updating process with automated authenticity verification safeguards.
- Establish and enforce a password management policy.
- No networked devices should continue to use default passwords provided by the manufacturer.
- Current best practices on passwords emphasize length as a major security determinant. Longer is better.
- Implementing periodic password changes will also greatly enhance security throughout the systems.
- Failed login attempts, whether from a wrong username or a wrong password, should be limited and investigated, and should result in a lockout.
- Clearly define the appropriate groups, differentiating between administrators, operators and users, and casual users and visitors.
- Each group should be assigned the system rights and privileges necessary for their assigned functions, and no more.
- VPN access should not be allowed for admin functions, diagnostics, or similar sensitive information or access.
- Rights and privileges should be reviewed and adjusted periodically.
Securely Architected Systems
- Security systems can be architected so that their connection to the internet is low-risk, with careful attention given to limiting susceptibility to hacking attempts. Endpoints (cameras), other access points, and links to information networks need to be programmatically managed so that all system elements, and exactly what is connected to what, are determined automatically.
- Carefully curate all connections that support remote access.
- Wireless devices have vulnerabilities that must be managed as they could provide an easy gateway to physical security servers. Secure all wireless devices connected to corporate networks, including cameras, locks, printers and modems, so they cannot be accessed by unauthorized traffic.
- Implement logical separations for virtual local area networks (VLANs) and access control lists (ACLs) that instruct system elements to only allow access to specific authorized devices and to deny all other requests.
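The allow-list behaviour described in the last item, as an added example that is not part of the original post. The addresses, VLAN layout and rule set are constructed assumptions.

```python
import ipaddress

# Constructed addressing plan (assumption, not from the article).
CAMERAS = ipaddress.ip_network("10.30.0.0/24")     # camera VLAN
RECORDER = ipaddress.ip_network("10.40.0.10/32")   # video recorder
ADMIN_PC = ipaddress.ip_network("10.50.0.5/32")    # one admin workstation

# Allow list: (source, destination, protocol, destination port).
ALLOW_RULES = [
    (RECORDER, CAMERAS, "tcp", 554),   # recorder pulls RTSP from cameras
    (ADMIN_PC, RECORDER, "tcp", 443),  # admin reaches the recorder web UI
]

def is_permitted(src, dst, proto, dport, rules=ALLOW_RULES):
    """True only when a rule explicitly allows the flow; all else is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, r_proto, r_port in rules:
        if s in src_net and d in dst_net and proto == r_proto and dport == r_port:
            return True
    return False  # implicit deny for every request not listed above

def overly_broad(rules, min_prefix=24):
    """Return rules whose source or destination is wider than min_prefix."""
    return [r for r in rules
            if r[0].prefixlen < min_prefix or r[1].prefixlen < min_prefix]

def denied_flows(flows, rules=ALLOW_RULES):
    """Return the flows that the allow list would reject, for review."""
    return [f for f in flows if not is_permitted(*f, rules=rules)]

# Constructed sample flows: (source IP, destination IP, protocol, port).
SAMPLE_FLOWS = [
    ("10.40.0.10", "10.30.0.21", "tcp", 554),  # recorder -> camera: allowed
    ("10.30.0.21", "10.50.0.5", "tcp", 22),    # camera -> admin PC: denied
    ("10.20.0.77", "10.40.0.10", "tcp", 443),  # office PC -> recorder: denied
]

if __name__ == "__main__":
    for flow in denied_flows(SAMPLE_FLOWS):
        print("DENY", flow)
```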
Endpoint Connections (including cameras, badge readers, control panels, security-related servers and video recorders)
- Hackers can gain access to the security network by plugging into a network cable that was installed to reach an external camera or plugging into open USB ports on security endpoints.
- Port security can be used to protect against such connections by providing an additional layer of protection to restrict unauthorized devices from connecting to router or switch ports.
- Port security makes use of the hard-coded MAC address of the authorized device, which, unlike an IP address, is difficult to change. If a device is connected to a switch or router that doesn’t match the registered MAC address, then the system can block access to that device and raise an alarm for follow-up.
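The MAC-matching check described above, as an added example that is not part of the original post. The port names, MAC addresses and alert fields are constructed assumptions. A real switch enforces this in its own port-security feature.

```python
import re

# Constructed registry (assumption): switch port -> MAC of its one authorized device.
REGISTERED = {
    "Gi1/0/1": "00:11:22:AA:BB:01",  # external camera
    "Gi1/0/2": "00:11:22:AA:BB:02",  # badge reader
}

# Constructed observations: (port, MAC as reported, in mixed notations).
OBSERVED = [
    ("Gi1/0/1", "0011.22aa.bb01"),     # matches the registered camera
    ("Gi1/0/2", "00-11-22-AA-BB-99"),  # different device on the reader port
    ("Gi1/0/7", "00:11:22:aa:bb:07"),  # port with no registered device
]

def normalize_mac(mac):
    """Reduce colon, hyphen or dotted notation to 12 lowercase hex digits."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def check_ports(registered, observed):
    """Return one alert per observation that does not match the registry."""
    allowed = {port: normalize_mac(mac) for port, mac in registered.items()}
    alerts = []
    for port, mac in observed:
        seen = normalize_mac(mac)
        if port not in allowed:
            reason = "port has no registered device"
        elif seen != allowed[port]:
            reason = "MAC does not match registered device"
        else:
            continue  # authorized device on its own port
        alerts.append({"port": port, "mac": seen,
                       "reason": reason, "action": "block-and-alarm"})
    return alerts

if __name__ == "__main__":
    for alert in check_ports(REGISTERED, OBSERVED):
        print(alert)
```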
Improving Cyber-Event Detection with Automation
- Many firms are short-handed when it comes to security. Many studies have reported on a global shortage of cybersecurity talent that is expected to continue.
- Automated system verification tools offer a powerful alternative, providing more consistent and better detection and alerting for all types of security-related issues.
- Automation can also check and verify that the installed firmware and software are current throughout physical security systems.
- The most powerful solution is to programmatically check the integrity of the video streams and stored video files themselves to be sure that the system is operating as intended and that the video records are being stored as designed.
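The automated firmware check from this list and from the update recommendations earlier in the post, as an added example that is not part of the original post. The device names, versions and image are constructed, and a SHA-256 digest comparison stands in for the authenticity safeguard.

```python
import hashlib
import hmac

# Constructed firmware image and baseline (assumptions, not vendor data).
IMAGE = b"constructed firmware image for cam-x100 v2.4.10"
BASELINE = {
    "cam-x100": {"version": "2.4.10",
                 # stands in for the digest the vendor publishes out of band
                 "sha256": hashlib.sha256(IMAGE).hexdigest()},
}

# Constructed inventory: (device name, model, installed firmware version).
INVENTORY = [
    ("lobby-cam", "cam-x100", "2.4.9"),
    ("dock-cam", "cam-x100", "2.4.10"),
    ("nvr-1", "nvr-z", "1.0.0"),
]

def parse_version(text):
    """Turn '2.4.10' into (2, 4, 10) so 2.4.9 sorts before 2.4.10."""
    return tuple(int(part) for part in text.split("."))

def firmware_status(inventory, baseline):
    """Classify each device as current, outdated, or missing a baseline."""
    report = {}
    for name, model, installed in inventory:
        entry = baseline.get(model)
        if entry is None:
            report[name] = "no-baseline"
        elif parse_version(installed) < parse_version(entry["version"]):
            report[name] = "outdated"
        else:
            report[name] = "current"
    return report

def image_is_authentic(image, expected_sha256):
    """Compare the image digest with the expected one in constant time."""
    actual = hashlib.sha256(image).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())

def approve_updates(inventory, baseline, images):
    """List outdated devices whose candidate image passes the digest check."""
    status = firmware_status(inventory, baseline)
    return [name for name, model, _ in inventory
            if status[name] == "outdated" and model in images
            and image_is_authentic(images[model], baseline[model]["sha256"])]
```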
Cybersecurity threats are a real and present danger to any organization with networked security operations. While many companies have no plan in place to protect against the growing number of cyber attacks that target these systems, there are plenty of tools that can help them limit their vulnerabilities and better protect their business.
One such tool is STANLEY IntelAssure™, which automates some of the processes detailed in this blog post, detects and diagnoses device issues, identifies cybersecurity vulnerabilities and more.