Cyber Crime: The cyber security implications of physical security products
The notion that there are physical security products and, separately, digital security products belongs in a museum. These days, all electronic physical security products are cyber ones too. And while that generates enormous advantages, it also has limits; for starters it creates security weaknesses. Research around the Internet of Things (IoT) has illustrated the benefits and drawbacks while highlighting that there are big knowledge gaps that offenders are exploiting. But how common are these gaps? How serious are they? Where can we look for remedies?
In this webinar, we discussed:
- Common vulnerabilities in networked security products and how to remediate them
- The key developments in protecting physical security products from digital weaknesses
- The future including the role for manufacturers and governments
Chair: Tom Reeve
Hollie Hennessy – Senior Analyst, IoT Cybersecurity at Omdia
Iain Cundy – Technology consultant, Section 20 Solutions
Leon Molchanovsky – Technology consultant, Galaxy Innovations
Hollie works in the cyber security intelligence group at Omdia, which is the research arm of Informa Tech, and talks to hundreds of CISOs about all areas of IoT including the security of physical devices, trends, technologies, issues, challenges and drivers. One of the most commonly used technologies in organisations worldwide is video surveillance, but unfortunately these systems are not generally secure, as many organisations don’t use enterprise-grade technology. As a consequence there is a continual stream of new vulnerabilities appearing (just Google ‘video surveillance CVEs’). She said there is a common misconception that connected devices are secure, with 24% of CISOs believing there is no need to take additional precautions. She added that there is little government regulation in this area and that much work remains to be done to ensure that consumers, both large and small, can purchase and install devices with some basic guarantees based on security by design.
Iain said many of these problems can be traced back to the transition from analogue to digital. Many manufacturers didn’t build cybersecurity into their products because they didn’t have the capability to do it. Iain pointed out that many organisations have access control systems which can be easily bypassed with devices you can purchase from the internet for as little as £7.00. These devices can clone access control credentials from a variety of card types, and then copy them to blank cards. This can be a particularly serious problem for an organisation if attackers were to clone the cards of staff with access to sensitive systems such as accounts or IT. It is vulnerabilities from devices such as these that have changed the game for physical and IoT security. He conceded that currently 94% of attacks come via email, but as email security becomes better, attackers will inevitably begin to look at other options.
Leon started by comparing device security from 20 years ago to today and concluded that very little had changed. Twenty years ago, he worked for a vendor and was asked by a client why the company didn’t authenticate its IoT devices; the reply was, “No one asked us to.” Now, we face a similar problem because customers are not demanding the answers to basic questions about IoT security. The wide diversity of vendors, platforms and technologies means that it is difficult to get them to work together, but it is even more difficult to get them to work together securely. There are currently dozens of attempts worldwide to specify standards for IoT security, but each scheme is approaching the problem differently. This doesn’t help end users because they don’t know which standard to use or how to implement it internally. He has a list of basic questions that physical security managers should ask about the security devices they use, the answers to which may reveal new and surprising risks.