There may be no better symbol of the nation’s modern, high-tech military—not to mention US military might—as its fleet of predator drones. So it surely caused a few red faces at the Pentagon when it was discovered that insurgents in both Afghanistan and Iraq had used $26 software to intercept live video feeds from the unmanned planes.
Oops.
Or consider a story relayed by the Alliance for Enterprise Security Risk Management about an interruption to an organization’s computer network. Initially thought to be a server crash, it turned out to be the result of RAM being physically stolen from servers in the data center by thieves who couldn’t be identified because building surveillance cameras were malfunctioning. The organization in question? A police department.
Again, oops.
All industries have had similar oops moments. Security experienced one in October 2016 when network-connected surveillance cameras and DVRs were implicated as a primary distributor of the Mirai botnet, which enabled DDoS attacks on eighteen data centers around the world and disrupted activities at some of the Internet’s biggest names, including Amazon, Spotify, and Twitter.
LP and Data Security Best Practices
The cyber vulnerability of security devices is a hot topic at security conference roundtables and in industry webinars these days. It’s not hard to see why. There is growing pressure on loss prevention to enhance store operations and boost sales. We’re in an environment of high—and growing—expectations. So a security device that doesn’t clear an even lower bar—by failing to provide payback as promised—is not likely to go over well with the senior team. And a security investment that doesn’t actually follow data security best practices or, worse, a security device that actually introduces security risk? Well, that seems like a career killer.
LP executives must ensure that connected security devices do not provide hackers a new way to enter the company network. “You can’t allow your security solution to become a threat vector,” warned Gavin Bortles, president of Kepler Networks, a network engineering services provider. David Tyburski, chief information security officer for Wynn Resorts, echoed that view. “We can’t be injecting risk—we are supposed to be about reducing risk,” he said.
As for why it does happen, why at any given time you can monitor nearly a million private security cameras online, or why a recent multimillion-dollar security install at a massive theme park had IP addresses written right on the security cameras, there is blame to go around.
It’s wrong to assume just because they are security systems that manufacturers have made them secure, according to a study by the Government Accountability Office (GAO) on vulnerabilities in federal facilities. It noted, “Cyber-security experts that we interviewed generally said that building and access-control systems are vulnerable to cyber attacks. One expert, for example, noted that control systems were not designed with cyber security in mind.” The US government has said connected devices pose “substantial safety and economic risks” and has called for immediate action to improve the security of Internet of Things (IoT) devices—but has proposed no specific penalties for manufacturers that fail to comply.
Bill Bozeman, president and CEO of PSA Network, an organization of 200-plus electronic security systems integrators, thinks manufacturers of security products need to do a better job of ensuring their safety. “They get a D in my book,” he said in a recent conference address.
The security marketplace is crowded with vendors hoping to take advantage of a hot market, and not all of them do proper due diligence with respect to the security and safety of their products, warn experts. Even product testing can’t always offer the same safety assurance it used to, a representative from Underwriters Laboratories told LP Magazine, because today’s software-driven products are dynamic and update functions and features on the fly.
Roger Johnston, PhD, founder and CEO of Right Brain Sekurity, a firm that conducts vulnerability assessments, believes that vulnerabilities—in the very security devices that are designed to offer a company protection—are more common than security and LP practitioners think. According to Johnston, engineers and manufacturers focus on simplifying user operation and the service of devices. These very conveniences, however, often make it simple to tamper with them.
Vendors aren’t the only ones criticized of cutting corners. Integrators have also been in the hot seat for, among other things, calling a system install complete with default passwords still in place. Joe McDonald, chief security officer for Switch, an information technology and services firm, said “integrators have to do a better job” to ask clients about their password protocol and to not leave a project until it’s secure. The risk from connected devices is simply too great, he warned. “A camera is a network port hanging on your perimeter.”
Ultimately though, the problem—and the solution—is in the hands of end users, said Johnston. “If customers don’t demand good security, why would a manufacturer provide it? It simply puts them at a competitive disadvantage. The problem is that customers have been absolutely happy to simply believe salespeople when they say that their devices are completely secure.”
That attitude can get organizations into trouble, according Chris Nickerson, founder of information security (infosec) firm Lares Consulting and an expert in red teaming and adversarial modeling. “Most companies probably put too much faith in vendors and security products,” he noted in an ISC West conference address.
No security device is 100 percent secure, according to Johnston. “The manufacturer might look briefly at security and send engineers for a quick look, but the vast majority of security devices in use, including in loss prevention, have not undergone a true vulnerability assessment in an effort to understand how they can be attacked,” he told LP Magazine. “So LP continues to field devices without understanding their level of security or, in many cases, without understanding them well enough to use them to their optimal effectiveness.”
Johnston recommends that LP executives cut through the crowded vendor field by asking them to explain how their products can be defeated. “The first thing to do is to ask your vendor, ‘How do you defeat this thing?’ And if they say you can’t, then they either don’t understand security or aren’t being up front. They should be able to tell you, these are the possible attack security scenarios, and these are the ones you should expect most,” said Johnston. “Only when manufacturers are pressured by customers to answer questions about how their products can be defeated will they start to feel pressure to pay attention to their security,” he added.
The optics of LP deploying insecure security devices is plainly terrible—but perhaps understandable. LP and asset protection departments implement systems and devices to address immediate problems and risks, so addressing the vulnerability or risks in those very solutions can seem like a secondary exercise. But as LP relies more on technology, and security devices are increasingly connected to the network, LP needs to be extremely confident in the efficacy and security of those systems.
When technology serves at LP’s core—with procedures and staffing built around it—a flaw in the technology or system design creates a vulnerability that can persist undetected. It takes an average of six months before a network intrusion is detected, noted Christian Morin, vice president of cloud services and chief security officer at Genetec. “That’s six months of free roaming for a hacker, which could be because a surveillance camera never had its firmware updated,” he said.
In this specific way, it’s riskier to rely on security technology than people, the oft-perceived weak link. While it’s true that security personnel can create vulnerability when they lose focus or make a mistake, the risk is transitory. A system or device flaw creates a constant opening, one that attackers may be able to exploit repeatedly.
Dangerous Connections
For years, the most retailers worried about with respect to a surveillance camera was whether it was positioned to mistakenly capture customer cardholder information. Now, networked security cameras present the greatest risk to enterprises from the array of IoT devices, according to a November 2016 report by researchers at Zscaler, a cloud-based information security company.
“Now that [cameras] are a network device that can be the subject of attack, you need to take the possibility into consideration,” said John Bartolac, cyber-security expert and senior manager for cyber strategy at Axis Communications. “Imagine what a day without online sales could do to a retailer. It is devastating.”
Connected devices can provide substantial benefits to retailers and loss prevention practitioners. Effective use of these devices can cut expenses, improve operational efficiency, reduce loss, and drive business. Connectivity allows for building automation and centralized control and can simplify cumbersome tasks such as installing software patches and updates. And it’s flexible—allowing a system to grow and scale—and a web-based control platform allows users to manage from any web browser, anywhere with Internet access.
With connection, however, comes risk. For example, Zscaler researchers found one security camera brand communicated with its parent company in plain text and without authentication tokens, giving attackers the opportunity to introduce their own firmware; another camera transmitted user credentials for its streaming capability in plain text; and another had an unprotected remote-management console. An infected video camera could allow intruders to monitor an environment and plan physical attacks as well as cyber attacks, explained Deepen Desai, director of security research at Zscaler.
In an FBI bulletin to private companies, the agency warned that exploitation of connected devices to conduct attacks “will very likely continue,” and some cyber security experts warn that ransomware tactics may soon extend to IoT, locking critical devices until an organization pays a ransom. In the 2017 Black Hat Conference Attendee Survey, digital attacks on non-computer systems ranked tenth on attendees’ current list of worries; however, it was identified as the risk that they think will be their number one concern in two years’ time.
“The reality is that each and every one of those security cameras, network video recorders, and IP-enabled controllers are small computers—and as you add more computers and widgets to the mix, you greatly expand the surface of attack,” explained Morin.
If not deployed and maintained properly, networked-enabled operational technology, such as point-of-sale (POS) terminals, fire-suppression systems, video surveillance cameras, building control, and access-control systems, can provide hackers an avenue into an organization’s network. “Connected devices offer great benefits, but you need to be sure these things are protected,” said Bartolac.
One issue is that manufacturers with a background in the physical security industry have traditionally built them, which means they focus on features important to building managers and may not give systems a thorough code review. Consequently, applications may not have been hardened against known software vulnerabilities to reduce or eliminate the risk of network attack.
It seems illogical, but there has traditionally been very little focus on the security aspects of networking physical security systems. In a study of the typical components, communication protocols, and deployments for the most common physical security systems being put on the network, researchers concluded that “physical security systems are inherently vulnerable to traditional network-based attacks.”
The risk is something that retailers have started to recognize. “I’m seeing retailers making themselves more aware of the risks, probably because of the marriage of LP with IT,” said Bartolac. “They’re starting to look into what kinds of things can create risk and what kinds of solutions are appropriate, especially as systems are getting more complex.”
Still, only 30 percent of organizations say that managing third-party IoT risks is a priority for them, according to a 2017 survey by the Ponemon Institute, The Internet of Things: A New Era of Third-Party Risk. And the most basic of mistakes continues to provide hackers with a reliable way into company networks. “It blows my mind that some companies will keep out-of-box passwords for every device and never change them,” said Bartolac.
In a study presented at the 2016 International Workshop on Trustworthy Embedded Devices, researchers noted that 39.7 percent of cameras and surveillance systems analyzed on the Internet in 2010 were running with default credentials. “This basically means they are completely exposed to any kind of attack such as video-feed eavesdropping, malicious firmware updates, and DNS hijacking,” concluded the study Security of CCTV and Video Surveillance Systems: Threats, Vulnerabilities, Attacks, and Mitigations. The researchers said the 2010 figure still accurately suggests “the scale at which video surveillance systems are exposed and vulnerable to cyber security threats.”
To address this basic but persistent vulnerability, LP needs to ensure use of complex passwords that are rotated on a regular basis, including during times of attrition whether it’s from resignations or layoffs, according to Christian Romero, a former LP executive at Neiman Marcus and now data privacy and protection associate at the Technocracy Group.
Another problem is perhaps more basic than poor password management. It comes down to the need to follow data security best practices. “I think, unfortunately, it’s common that LP or security will add these devices without duly informing the information security people,” Morin told LP Magazine. “So these devices exist on the network, but the people in charge of protecting the network infrastructure are unaware of them.”
To address that gap, some retailers are changing both the “how” and “who” of device management. Terry Sullivan, LPC, president of the Loss Prevention Foundation, was part of such an evolution during his stint at Lowe’s, from when LP would vet its own purchases and occasionally butt heads with IT to having every piece of LP technology—right down to a new printer in the LP office—being vetted by the IT group and tested in its lab.
“It was a big change in the last five years. It used to be if we liked it, we’d test it, and we bought it,” explained Sullivan, who encouraged the change after becoming director of LP operations at Lowe’s. “I told our people to put down their swords and their shields, and that it makes sense, so let’s do it.” Although it may require ceding authority and responsibility to IT, collaboration with IT is vital to implement new LP technology safely, Sullivan suggested.
Ongoing management of LP technology is also an area fraught with risk, Romero told LP Magazine. Although LP is typically the owner of security devices, the focus of LP practitioners is often elsewhere. “From a management standpoint, LP looks primarily at the function of the device and how a camera or system is working,” he said. “Rather than taking a more holistic view of what management of that device should look like.”
For more on reducing risk via cyber solutions, check out the full article (“Security’s Security”), which was originally published in 2017. This excerpt was updated August 6, 2018.