An ethical hacker explains how criminals can attack access control technology and ways to prevent these attacks.
This article first appeared in SSI's sister publication, My Technological Decisions.
A decade ago, Valerie Thomas was doing a lot of network-based penetration tests. She was in and out of many places: critical infrastructure, government and business. She kept finding devices on the network and did not understand what they were. In fact, no one on the IT side really understood what they were, and the people who installed them did not really understand what the devices were doing on the network.
These devices were physical security components, such as networked door controllers, access control solutions and video surveillance systems. A decade ago, the people who owned the systems knew that integrators came in and connected them. They did not object, or really ask why the devices were connected and how that would affect the network. Valerie looked for resources to help her clients understand the security risks of these devices, but at that time there were none available.
We have come a long way since then, partly because of people like Valerie Thomas. Valerie is now known as an Ethical Hacker for Securicon, and she describes herself as a physical security enthusiast who prides herself on maintaining the boundary between the digital network and the physical security systems connected to it.
At Securing New Ground, an annual conference for the brightest minds and most important players in the security industry, Valerie detailed today's cyber threat landscape.
"We are no longer worried about the twelve-year-old in his mother's basement, although some of those twelve-year-olds are really sophisticated," says Valerie. "We are concerned about those who are well educated and well-funded, and that information (patents, intellectual property) are big goals."
Today it is important to change your view of what an attack is: it is not only physical, and it is not only cyber; it is combined. Hackers do not focus on one thing. They focus on several and mix them until they get what they want.
They are also slow and calm. While television will lead you to believe otherwise, real access to a network is not gained in an hour. These types of attacks take weeks, months and even years.
End users struggle with this mixture of physical and cyber security for a number of reasons. One of the main reasons is that the person making the security decisions does not always have the IT background necessary to understand the network. On the other hand, IT departments often have little experience with physical security systems.
"I've been going out and talking to a lot of IT and cybersecurity consultants at conferences, and teaching them about physical access control and how to merge these two worlds," says Valerie. "We do not speak the same language. We do not really operate at the same pace. There are many challenges there. Even just the knowledge base is different. When you say something like VMS in physical security, that means something so different to someone in IT."
IT and cybersecurity people are used to accelerated patch cycles and quick responses. They are updating, upgrading, patching; it really depends on what happens that day. If there is a vulnerability, they are on it. On the physical side, once the components are deployed, they are not touched very often. There are not many updates. Integrators do not always tell end users to update, and end users do not always ask integrators whether updates are necessary.
The physical security industry is being attacked quite frequently. Worse still, manufacturers whose products once did not require network connectivity were quick to bring out the products their customers are looking for, ignoring or overlooking security concerns along the way.
To complicate matters, regulations on security standards for smart devices have only just been introduced. It is a perfect storm for organizations that only want a CCTV system that does not paralyze their business through a cyber attack.
How attackers see the cyber security of access control
Sometimes, the easiest way to attack a system is to have physical access to it. Gaining total control takes minutes to hours when attackers can physically reach the device or the network.
In addition, obtaining the credentials of one of the owners of the system is much easier than doing the work to break into the system. So that is what attackers look for first.
They are also looking for stealth. They do not want to get in, cause a lot of chaos and then get out. The point is to go unnoticed, and stay there. That way they can use the access themselves or sell it to the highest bidder. The dark web offers many places where hackers auction access to private companies.
Although she has not yet seen it, Valerie also suspects that cloned access to buildings, control of camera systems and more will go to the highest bidder as well. Therefore, the attackers will not get in and start altering the systems just to show that they can do it. They will wait until the potential price for access is higher, then sell it to someone who wants to do real damage.
There is also the misconception that hacking happens all at once. In reality, it takes several steps from the initial entry to the actual goal. As an ethical hacker, Valerie is paid to break into buildings as an attacker would.
"We were able to use some long-range technology to gather the credentials of people we could go through. Our team had a range of three feet. We were able to collect credentialed data, write the same credentials and print them to look like the employee label," says Valerie. "That's how it started. We walked around the service station capturing credentials for a couple of days, we made some cards and we let ourselves in through the door."
In this case, Valerie's team targeted the guards' workstations because they had access to the physical building as well as the network. From there, the team planted keyloggers, collected the keystrokes, then came back early with the people who went to the gym and retrieved the keyloggers.
As they had the credentials and the building had corporate WiFi, they sat in the parking lot and logged in to the network as a security guard. From there it was as simple as opening doors momentarily while her colleagues walked freely through the building.
It sounds like something out of a James Bond movie, but in reality this was something people paid for in order to anticipate what a hacker would do. Do not doubt for a second that attackers are capable of doing the same, and willing to.
Valerie has an annual contract with this organization, and each year they reinforce security to try to thwart Valerie's team. To date, they have not managed to keep the ethical hackers out.
5 tips for access control cybersecurity
- No default passwords: remove them, everywhere. They are in the documentation, they are easy to find on the Internet, and a script to try them is easy to write.
- Keep testing, and not interoperability testing: to a hacker, it does not matter whether you can integrate with different equipment. These devices must be locked down, with strong passwords and proper staffing. If you do not have the right staff, that's fine. You can hire a consultant for what you need and make sure your regular staff can carry on once the consultant leaves.
- Vulnerability monitoring and reporting: if you do not have a process for this, there are many resources on the IT side about how to do it. You do not have to reinvent the wheel. There will be vulnerabilities in everything. There is no shame in reporting them, but there is shame in keeping silent about them.
- Know the software of your hardware: many hardware platforms are based on someone else's code. Your engineers did not write it; it is open source or freeware. Although this saves money in development, it also means the product inherits the vulnerabilities of the code the engineer borrowed.
- Update awareness programs: if they are the same slides that your employees have seen every year, update them. Employees are your greatest vulnerability. They will be the target. If you do not train them properly, they will pose a risk to your organization, regardless of what you do with the technology.