Because You Can Never Be 100% Cybersecure

Effective use of strategies for countering attacks can minimize risk

When was the last time you changed your password for your online bank account? Your email? Your social media accounts? How about your online shopping accounts or the myriad other login credentials that make up your digital life? Has it been a few months? Maybe a year? Hopefully, it has not been longer than that.

This article is not meant to be a treatise on password protection, but rather a wake-up call for security professionals who are used to evaluating risks in terms of probability and severity. Specifically, the article will urge you to apply your current knowledge of risk assessment to an area that is traditionally the responsibility of others in the organization. You may have procedures or policies in place to protect your personal data, but you can no longer afford to ignore the possibility of a cyber breach. You need to calculate what the potential impact to your organization would be should one occur.

Two converging trends are escalating the urgency. First, next-generation electronic security devices continue to migrate to the IP backbone, following in the footsteps of the consumer electronics industry and the Internet of Things (IoT). Second is the growing prevalence of “bring your own device” (BYOD) policies at many organizations, which increase areas of exposure to cyber threats.

So the question you should be asking yourself is whether the devices that you are responsible for are actually secure. If not, the consequences could be devastating. Remember the Target breach that ended up costing the company more than $252 million and doing immeasurable damage to its reputation? That attack was initiated through the company’s HVAC system.

Imagine getting the phone call telling you that one of your systems has been identified as the jumping-off point for hackers who stole your company’s intellectual property or your customers’ credit card numbers and personal data. This is no longer just an IT problem, nor should you want it to be because it might affect your ability to choose the best solutions for you to protect people and assets.

How Best to Approach Cybersecurity

For starters, cybersecurity is more than a product. It involves people, processes, and technology across the entire vendor supply chain, as well as the end-user organization. Threats must be managed on a systems level, as it is rarely just one product that is breached; typically, several across an organization’s infrastructure fall victim.

Systems can only be made more secure by adding layers of measures and policies that minimize exposure opportunities and thereby reduce risk. In other words, cybersecurity equals risk management.

For example, a camera or other edge device might be the entry point rather than the ultimate goal of a hacker. Outdoor cameras, in particular, present an interesting challenge as they provide a wired connection to an internal network that could easily be exploited if proper security measures are not in place. These measures range in sophistication from basic tamper-resistant enclosures to advanced port-level authentication at the switch. There are multiple options between these two extremes, which gets to the heart of the matter. When it comes to cybersecurity, there are no totally secure systems.

Systems can only be made more secure by adding layers of measures and policies that minimize exposure opportunities and thereby reduce risk. In other words, cybersecurity equals risk management.

Start with Cyber Risk Analysis

A cyber risk analysis will determine the probability of loss to an organization so that an educated decision on mitigation factors can be made. To understand the full implication of cyber risk, three questions should first be considered:

• Who are the potential attackers?
• What are their targets?
• What will be the costs associated with a successful breach?

It is important to recognize that costs often extend far beyond the immediate financial impact. There is also the long-term cost of regaining public trust once an organization’s reputation has been compromised.

One can also benefit from referencing several well-established models for analyzing security needs, such as the “NIST Cybersecurity Framework” and “ISO/IEC 27001 – Information Security.” Both are great frameworks for establishing a proper cybersecurity posture for organizations of all sizes.

Based on the results of the risk assessment, security professionals can opt for any of several approaches:

• Assume the risk, making the organization liable for any loss
• Mitigate the risk by taking action to reduce loss
• Transfer the risk by paying for cybersecurity liability insurance
• Avoid the risk entirely by not implementing the system

In most cases, the last option is not a viable alternative unless a different solution can be found that decreases the risk to acceptable levels.

Identify the Most Vulnerable Areas

Cyber vulnerabilities fall into three key areas:

• Careless users – those who do not follow policy and procedures or simply make a mistake
• Exploitable systems – components that have exploitable vulnerabilities or lack proper processes and policies
• Flawed implementation – solution designs and deployments that open the door for exploitation.

Roughly 90 percent of successful breaches result from human error, poor configuration and poor maintenance. Attackers will always take the path of least resistance, which starts with the users of the system and graduates in complexity to implementation flaws.

The most common user vulnerabilities include:

• Social engineering. A tactic that attempts to trick someone into providing information that can be used to gain access to network resources. This is the most common method of attack.
• Bad passwords. A constant threat as users balance their ability to remember a password against the ease with which it can be guessed or cracked using a brute force attack. In some cases, the devices on a network might not support strong passwords, which combine numbers, uppercase and lowercase letters, and special characters.
• Phishing. Attempts to gain sensitive information through electronic means by masquerading as a trusted source. In many cases, this is done through e-mail solicitations.
• Application installations. Downloaded programs from untrusted sources that inject malicious code into a device.
• Lost devices. Unencrypted personal devices that are lost, stolen or surreptitiously cloned will always be a concern in the world of BYOD.

Hold Vendor Channels Accountable

Manufacturers and systems integrators need to be held accountable for introducing cyber vulnerabilities as well. It is not possible to create a 100 percent secure system – at least not a usable one. The best that can be done is to make the system more secure by reducing exposure areas and mitigating as many risks as possible.

Manufacturers cannot give any guarantees that their products, applications or services contain no vulnerabilities that may be exploited for malicious attacks.

However, they have an obligation to develop products and services that contain a minimum amount of exploitable flaws.

Did you catch that caveat? “A minimum amount of exploitable flaws.” Does that mean that manufacturers knowingly produce products with exploitable flaws? Yes, they do. And, in many cases, they call them features and benefits.

Look at network cameras, for example. They are purposefully designed to enable customers to load analytics and embed them on the camera. It is a great way for trusted developers to create solutions that provide real value to the security practitioner – applications such as people counting, object left behind, cross line detection and video motion detection. All of these are commonly deployed analytics that resides on the camera. That same processing capacity, though, could be used by a malicious application that is loaded onto the camera from an untrusted source.

So, short of operating as an isolated silo, where does that leave you? Take heart, because manufacturers generally possess a solid knowledge base regarding cybersecurity that you can draw on for strategies to reduce risk.
It all begins with understanding what steps the manufacturer is taking to protect the products and systems in its portfolio. Five key areas, in particular, should be noted:

• Platform and Firmware. The firmware used in most network camera products is based on Linux. The open source community is constantly monitoring and updating both kernel and services when vulnerabilities and flaws are identified. Firmware should be developed with the latest applicable open source packages with a strong emphasis on “security as a priority,” which ensures that the firmware and interfaces are robust and resilient. Before final release, the manufacturer should have reviewed, audited and tested the firmware using penetration/vulnerability scanning tools.
• Systems Integration Interfaces. Network cameras constitute one or more nodes on the network. This means they have to be compatible with the network infrastructure to which they are attached. Therefore, standardized network protocols should be used. Some examples of security-related interfaces are HTTP digest authentication, HTTPS, 802.iX, SNMP, SFTP, SSH and remote syslog.
• Product Configuration and Management. Surveillance cameras provide a number of services that can be configured for a wide range of systems. Some examples related to cybersecurity are least privilege accounts, ability to enable/disable services, IP filtering, system and access logs, and detectors such as tampering, reboot, and malfunctions.
• Content Protection. Cameras generate a video that may need to be protected for privacy and compliance with regulations. Examples are HTTPS (depending on the client capabilities), privacy masking and edge-storage encryption.
• Support. The manufacturer should have a history of quickly providing firmware updates when vulnerabilities are discovered, even for discontinued products if the vulnerability is considered to be a high risk. They should also publish CVE (common vulnerabilities and exposures) reports when vulnerabilities are discovered. These reports include a threat level analysis, short-term recommendations, and plans to mitigate risks.

Systems integrators and end users should evaluate a manufacturer based on these defined responsibilities as part of their risk analysis. This upfront due diligence could save a security professional’s job down the line should a breach occur.

Two Kinds of Attacks: Opportunistic and Targeted

Most cyber breaches are “opportunistic” in nature. Hackers will try to exploit vulnerabilities to attack random organizations. If a selected attack vector fails, the attacker will move on to the next victim. This is a lot like hardening in the physical security world. All you need is to be harder to rob than your neighbor or to be able to run faster than your friend when a bear is chasing you. Opportunistic attackers prey on poorly configured systems.

A more sinister and potentially costly type of breach is referred to as a “targeted attack.” In this case, motivated individuals, hacker groups, nation-states or even terrorists target specific organizations. These attacks typically involve intelligent planning and target specific users or system vulnerabilities to achieve a specified objective. The well-known breaches at Target, Sony and the U.S. Office of Personnel Management are examples of targeted attacks.

Understanding the type of threats a risk analysis exposes will help to determine what preparations and cyber security posture a given organization should take. Here are a few tips:

Once the risk analysis is done, an organization needs to raise user-base awareness of the threats and mitigating factors of potential cyber attacks. It should define a policy, set up procedures and then educate. At a minimum, it must make sure that employees choose strong passwords that include a mix of uppercase and lowercase characters, numbers, and symbols. A good password management policy will stop most opportunistic attacks. The company needs to embrace a security culture across all levels. If employees report suspicious behavior such as “tailgating,” shouldn’t they do the same for possible phishing e-mails they receive?

Administrators of physical security systems need to take a proactive approach to cyber security on a much more granular level. Although every system’s threat posture is unique, some foundational practices should be adhered to. The SANS Institute was formed in 1989 and is a leader in educating security professionals on information security. They have produced the “SANS Top 20 Critical Security Controls” for networked devices. This list includes:

• Inventory of devices and software used on the network
• Continuous vulnerability assessment and remediation
• Maintenance, monitoring, and analysis of audit logs (per device)
• Limitation and control of network ports, protocols, and services

Very few end users keep their products up-to-date with the latest firmware. In some cases, this is because of software incompatibilities between their systems. And rarely do they disable protocols and services like UPnP or Bonjour even though they are not being used.

Regular retrieval of system reports or audit logs seems to be a priority when there is an incident, but not prior to the event when they could have provided very useful information. To top it off, many companies do not maintain an accurate inventory of what products they have on their network. Sometimes, they find out only after an adverse event or device failure has happened.

A structured, proactive approach as defined by the SANS Institute can make a difference by focusing efforts on those activities that have the best return on investment based on the most common attack patterns.

Cybersecurity Must Be a Team Effort

All network devices are subject to threats, including network cameras. A network camera is always part of a larger system where the network is the backbone. All parts are vulnerable, either as a system or as individual devices, and the entire ecosystem needs protection.

Threats must be managed on a system-wide level, and the responsibility for securing the network, its devices and the services it supports falls across the entire vendor supply chain as well as on the end user organization. It falls on people, processes, and technology. And it falls, especially, on the company’s security professionals.

---

James Marcella (james.marcella@axis.com) is the director of technical services for Axis Communications (www.axis.com).