There may be no better symbol of the nation’s modern, high-tech military—not to mention US military might—than its fleet of Predator drones. So it surely caused a few red faces at the Pentagon when it was discovered that insurgents in both Afghanistan and Iraq had used $26 software to intercept live video feeds from the unmanned planes.
Oops.
Or consider a story relayed by the Alliance for Enterprise Security Risk Management about an interruption to an organization’s computer network. Initially thought to be a server crash, it turned out to be the result of RAM being physically stolen from servers in the data center by thieves who couldn’t be identified because building surveillance cameras were malfunctioning. The organization in question? A police department.
Again, oops.
All industries have had similar oops moments. Security experienced one in October 2016 when network-connected surveillance cameras and DVRs were implicated as a primary distributor of the Mirai botnet, which enabled DDoS attacks on eighteen data centers around the world and disrupted activities at some of the Internet’s biggest names, including Amazon, Spotify, and Twitter.
Securing Loss Prevention Technology
The cyber vulnerability of security devices is a hot topic at security conference roundtables and in industry webinars these days. It’s not hard to see why. There is growing pressure on loss prevention to enhance store operations and boost sales. We’re in an environment of high—and growing—expectations. So a security device that doesn’t clear an even lower bar—by failing to provide payback as promised—is not likely to go over well with the senior team. And a security investment that doesn’t actually deliver security or, worse, a security device that actually introduces security risk? Well, that seems like a career killer.
LP executives must ensure that connected security devices do not provide hackers a new way to enter the company network. “You can’t allow your security solution to become a threat vector,” warned Gavin Bortles, president of Kepler Networks, a network engineering services provider. David Tyburski, chief information security officer for Wynn Resorts, echoed that view. “We can’t be injecting risk—we are supposed to be about reducing risk,” he said.
As for why it does happen, why at any given time you can monitor nearly a million private security cameras online, or why a recent multimillion-dollar security install at a massive theme park had IP addresses written right on the security cameras, there is blame to go around.
It’s wrong to assume that manufacturers have made devices secure just because they are security systems, according to a study by the Government Accountability Office (GAO) on vulnerabilities in federal facilities. It noted, “Cyber-security experts that we interviewed generally said that building and access-control systems are vulnerable to cyber attacks. One expert, for example, noted that control systems were not designed with cyber security in mind.” The US government has said connected devices pose “substantial safety and economic risks” and has called for immediate action to improve the security of Internet of Things (IoT) devices—but has proposed no specific penalties for manufacturers that fail to comply.
Bill Bozeman, president and CEO of PSA Network, an organization of 200-plus electronic security systems integrators, thinks manufacturers of security products need to do a better job of ensuring their safety. “They get a D in my book,” he said in a recent conference address.
The security marketplace is crowded with vendors hoping to take advantage of a hot market, and not all of them do proper due diligence with respect to the security and safety of their products, warn experts. Even product testing can’t always offer the same safety assurance it used to, a representative from Underwriters Laboratories told LP Magazine, because today’s software-driven products are dynamic and update functions and features on the fly.
Roger Johnston, PhD, founder and CEO of Right Brain Sekurity, a firm that conducts vulnerability assessments, believes that vulnerabilities—in the very security devices that are designed to offer a company protection—are more common than security and LP practitioners think. According to Johnston, engineers and manufacturers focus on simplifying user operation and the service of devices. These very conveniences, however, often make it simple to tamper with them.
Vendors aren’t the only ones criticized for cutting corners. Integrators have also been in the hot seat for, among other things, calling a system install complete with default passwords still in place. Joe McDonald, chief security officer for Switch, an information technology and services firm, said “integrators have to do a better job” of asking clients about their password protocol and of not leaving a project until it’s secure. The risk from connected devices is simply too great, he warned. “A camera is a network port hanging on your perimeter.”
Ultimately though, the problem—and the solution—is in the hands of end users, said Johnston. “If customers don’t demand good security, why would a manufacturer provide it? It simply puts them at a competitive disadvantage. The problem is that customers have been absolutely happy to simply believe salespeople when they say that their devices are completely secure.”
That attitude can get organizations into trouble, according to Chris Nickerson, founder of information security (infosec) firm Lares Consulting and an expert in red teaming and adversarial modeling. “Most companies probably put too much faith in vendors and security products,” he noted in an ISC West conference address.
No security device is 100 percent secure, according to Johnston. “The manufacturer might look briefly at security and send engineers for a quick look, but the vast majority of security devices in use, including in loss prevention, have not undergone a true vulnerability assessment in an effort to understand how they can be attacked,” he told LP Magazine. “So LP continues to field devices without understanding their level of security or, in many cases, without understanding them well enough to use them to their optimal effectiveness.”
Johnston recommends that LP executives cut through the crowded vendor field by asking them to explain how their products can be defeated. “The first thing to do is to ask your vendor, ‘How do you defeat this thing?’ And if they say you can’t, then they either don’t understand security or aren’t being up front. They should be able to tell you, these are the possible attack security scenarios, and these are the ones you should expect most,” said Johnston. “Only when manufacturers are pressured by customers to answer questions about how their products can be defeated will they start to feel pressure to pay attention to their security,” he added.
The optics of LP deploying insecure security devices are plainly terrible—but perhaps understandable. LP and asset protection departments implement systems and devices to address immediate problems and risks, so addressing the vulnerability or risks in those very solutions can seem like a secondary exercise. But as LP relies more on technology, and security devices are increasingly connected to the network, LP needs to be extremely confident in the efficacy and security of those systems.
When technology serves at LP’s core—with procedures and staffing built around it—a flaw in the technology or system design creates a vulnerability that can persist undetected. It takes an average of six months before a network intrusion is detected, noted Christian Morin, vice president of cloud services and chief security officer at Genetec. “That’s six months of free roaming for a hacker, which could be because a surveillance camera never had its firmware updated,” he said.
In this specific way, it’s riskier to rely on security technology than people, the oft-perceived weak link. While it’s true that security personnel can create vulnerability when they lose focus or make a mistake, the risk is transitory. A system or device flaw creates a constant opening, one that attackers may be able to exploit repeatedly.
Dangerous Connections
For years, the most that retailers worried about with respect to a surveillance camera was whether it was positioned to mistakenly capture customer cardholder information. Now, networked security cameras present the greatest risk to enterprises from the array of IoT devices, according to a November 2016 report by researchers at Zscaler, a cloud-based information security company.
“Now that [cameras] are a network device that can be the subject of attack, you need to take the possibility into consideration,” said John Bartolac, cyber-security expert and senior manager for cyber strategy at Axis Communications. “Imagine what a day without online sales could do to a retailer. It is devastating.”
Connected devices can provide substantial benefits to retailers and loss prevention practitioners. Effective use of these devices can cut expenses, improve operational efficiency, reduce loss, and drive business. Connectivity allows for building automation and centralized control and can simplify cumbersome tasks such as installing software patches and updates. And it’s flexible—allowing a system to grow and scale—and a web-based control platform allows users to manage from any web browser, anywhere with Internet access.
With connection, however, comes risk. For example, Zscaler researchers found one security camera brand communicated with its parent company in plain text and without authentication tokens, giving attackers the opportunity to introduce their own firmware; another camera transmitted user credentials for its streaming capability in plain text; and another had an unprotected remote-management console. An infected video camera could allow intruders to monitor an environment and plan physical attacks as well as cyber attacks, explained Deepen Desai, director of security research at Zscaler.
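The firmware finding above is the one with the widest blast radius: a device that accepts any image over an unauthenticated channel runs whatever an attacker hands it. The following Go program, added here as an illustration and not code from the article or from any vendor it names, contrasts that weak update path with a hardened one that verifies a detached Ed25519 signature against a pinned vendor key and refuses rollback to an older signed build. The image layout (a 4-byte version prefix), the key pair, and the function names are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed vendor key pair. On a real device only the public key would be
// present, pinned in read-only storage at manufacture; the private key stays
// in the vendor's release pipeline. The GenerateKey error is ignored only
// because this is illustration code.
var vendorPub, vendorPriv, _ = ed25519.GenerateKey(rand.Reader)

// BuildImage lays out a constructed firmware image: a 4-byte big-endian
// version number followed by the payload. Because the signature covers the
// whole image, the version cannot be edited without invalidating it.
func BuildImage(version uint32, payload []byte) []byte {
	img := make([]byte, 4+len(payload))
	binary.BigEndian.PutUint32(img, version)
	copy(img[4:], payload)
	return img
}

// SignImage is the vendor-side step: a detached Ed25519 signature over the image.
func SignImage(priv ed25519.PrivateKey, image []byte) []byte {
	return ed25519.Sign(priv, image)
}

// UnverifiedUpdate mirrors the weak behaviour the Zscaler finding describes:
// whatever arrives is flashed, so anyone who can reach the update channel
// decides what the camera runs.
func UnverifiedUpdate(image []byte) (bool, error) {
	if len(image) < 4 {
		return false, errors.New("image too short")
	}
	return true, nil
}

// VerifiedUpdate is the hardened path. It accepts an image only if (1) the
// detached signature validates against the pinned vendor key and (2) the
// signed version is newer than the installed one, which blocks replaying an
// old, genuinely signed but vulnerable build.
func VerifiedUpdate(pub ed25519.PublicKey, installed uint32, image, sig []byte) (bool, error) {
	if len(image) < 4 {
		return false, errors.New("image too short")
	}
	// Check the signature before trusting anything inside the image.
	if !ed25519.Verify(pub, image, sig) {
		return false, errors.New("signature invalid: update rejected")
	}
	v := binary.BigEndian.Uint32(image[:4])
	if v <= installed {
		return false, fmt.Errorf("rollback refused: image version %d is not newer than installed %d", v, installed)
	}
	return true, nil
}

func main() {
	genuine := BuildImage(2, []byte("constructed firmware payload"))
	sig := SignImage(vendorPriv, genuine)

	tampered := append([]byte(nil), genuine...)
	tampered[len(tampered)-1] ^= 0xff // one altered payload byte

	fmt.Println(UnverifiedUpdate(tampered))                  // weak path accepts it
	fmt.Println(VerifiedUpdate(vendorPub, 1, genuine, sig))  // accepted
	fmt.Println(VerifiedUpdate(vendorPub, 1, tampered, sig)) // signature invalid
	fmt.Println(VerifiedUpdate(vendorPub, 2, genuine, sig))  // rollback refused
}
```

The signature check has to run before the version field is read, because anything parsed from an unverified image is attacker-controlled; and the version check matters even when signing is in place, since an adversary who can reach the update channel can otherwise replay a vendor-signed build with a known flaw.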
In a recent FBI bulletin to private companies, the agency warned that exploitation of connected devices to conduct attacks “will very likely continue,” and some cyber-security experts warn that ransomware tactics may soon extend to IoT, locking critical devices until an organization pays a ransom. In the 2017 Black Hat Conference Attendee Survey, digital attacks on noncomputer systems ranked tenth on attendees’ current list of worries; however, it was identified as the risk that they think will be their number one concern in two years’ time.
“The reality is that each and every one of those security cameras, network video recorders, and IP-enabled controllers are small computers—and as you add more computers and widgets to the mix, you greatly expand the surface of attack,” explained Morin.
If not deployed and maintained properly, network-enabled operational technology, such as point-of-sale (POS) terminals, fire-suppression systems, video surveillance cameras, building control, and access-control systems, can provide hackers an avenue into an organization’s network. “Connected devices offer great benefits, but you need to be sure these things are protected,” said Bartolac.
One issue is that manufacturers with a background in the physical security industry have traditionally built them, which means they focus on features important to building managers and may not give systems a thorough code review. Consequently, applications may not have been hardened against known software vulnerabilities to reduce or eliminate the risk of network attack.
It seems illogical, but there has traditionally been very little focus on the security aspects of networking physical security systems. In a study of the typical components, communication protocols, and deployments for the most common physical security systems being put on the network, researchers concluded that “physical security systems are inherently vulnerable to traditional network-based attacks.”
The risk is something that retailers have started to recognize. “I’m seeing retailers making themselves more aware of the risks, probably because of the marriage of LP with IT,” said Bartolac. “They’re starting to look into what kinds of things can create risk and what kinds of solutions are appropriate, especially as systems are getting more complex.”
Still, only 30 percent of organizations say that managing third-party IoT risks is a priority for them, according to a 2017 survey by the Ponemon Institute, The Internet of Things: A New Era of Third-Party Risk. And the most basic of mistakes continues to provide hackers with a reliable way into company networks. “It blows my mind that some companies will keep out-of-box passwords for every device and never change them,” said Bartolac.
In a study presented at the 2016 International Workshop on Trustworthy Embedded Devices, researchers noted that 39.7 percent of cameras and surveillance systems analyzed on the Internet in 2010 were running with default credentials. “This basically means they are completely exposed to any kind of attack such as video-feed eavesdropping, malicious firmware updates, and DNS hijacking,” concluded the study Security of CCTV and Video Surveillance Systems: Threats, Vulnerabilities, Attacks, and Mitigations. The researchers said the 2010 figure still accurately suggests “the scale at which video surveillance systems are exposed and vulnerable to cyber-security threats.”
To address this basic but persistent vulnerability, LP needs to ensure use of complex passwords that are rotated on a regular basis, including during times of attrition whether it’s from resignations or layoffs, according to Christian Romero, a former LP executive at Neiman Marcus and now data privacy and protection associate at the Technocracy Group.
Another problem is perhaps more basic than poor password management. “I think, unfortunately, it’s common that LP or security will add these devices without duly informing the information security people,” Morin told LP Magazine. “So these devices exist on the network, but the people in charge of protecting the network infrastructure are unaware of them.”
To address that gap, some retailers are changing both the “how” and “who” of device management. Terry Sullivan, LPC, president of the Loss Prevention Foundation, was part of such an evolution during his stint at Lowe’s, from when LP would vet its own purchases and occasionally butt heads with IT to having every piece of LP technology—right down to a new printer in the LP office—being vetted by the IT group and tested in its lab.
“It was a big change in the last five years. It used to be if we liked it, we’d test it, and we bought it,” explained Sullivan, who encouraged the change after becoming director of LP operations at Lowe’s. “I told our people to put down their swords and their shields, and that it makes sense, so let’s do it.” Although it may require ceding authority and responsibility to IT, collaboration with IT is vital to implement new LP technology safely, Sullivan suggested.
Ongoing management of LP technology is also an area fraught with risk, Romero told LP Magazine. Although LP is typically the owner of security devices, the focus of LP practitioners is often elsewhere. “From a management standpoint, LP looks primarily at the function of the device and how a camera or system is working,” he said, “rather than taking a more holistic view of what management of that device should look like.”
Cyber Solutions
Even basic security precautions may be ignored in the manufacture and installation of security devices. Although retailers can push vendors and integrators to give greater attention to the security of security devices, LP practitioners—since they live with the consequences—must own the responsibility.
LP executives that oversee network-connected security systems and devices need to assess the risk of those systems to cyber attack and must take steps to reduce the risk. “The crux of the issue is that not much energy or effort is put toward properly managing the life cycle of these devices,” explained Morin. “We’re happy with the video we’re getting, so we forget about them. There is this impression that a device will last five, seven, or ten years, and that is when we’ll touch it again,” he said.
Success starts, then, with a strategy.
When the GAO examined the cyber risk to security systems at the Department of Homeland Security (DHS), it found that select protection solutions had been deployed but that the broader effort was hampered—and vulnerabilities weren’t addressed—because DHS lacked a clearly defined strategy to maintain its focus. Worse, it found a lack of agreement on exactly who was responsible for addressing the integrity of the systems, which is a precursor to taking action, the report concluded.
A viable overall strategy to address cyber risk to security systems should entail defining the problem, identifying the roles and responsibilities for securing systems and devices, analyzing the resources needed, and identifying a methodology for assessing cyber risk to security devices. Such a programmatic approach is important as other LP issues can easily divert attention and cause retailers to lose focus from what may seem like the abstract risk of a cyber attack on an IP camera.
LP operations must be deliberate when selecting, testing, and adding new security devices to the network. Not all network security devices are designed for security, and there is no guarantee, if a flaw is found, that a manufacturer will roll out a timely fix. Additionally, not all vendors do the same amount of testing. Consequently, choosing trusted manufacturers and integrators is critical.
“What are their security practices? Do you trust the company in general? Who is writing the software? You have to be careful of a backdoor into your network,” said Genetec’s Morin. “I don’t want to say you need the more expensive cameras, but you want to get something that, out of the box, offers you a more hardened device,” added Romero.
LP Magazine interviews with industry experts elicited additional advice, which will not only help LP address vulnerabilities but may also help to improve the operational efficiency of devices and systems:
- Adopt a suspicious attitude about the cyber security of devices, advised David Willson, CEO of Titan Info Security Group, a risk management and cyber-security consulting firm.
- Go beyond the sales pitch. Evaluate the security of a security device as closely you do other criteria, such as compatibility, features, and price.
- Be flexible when evaluating products. Studies have shown that more than half of security end users have their minds made up on the products they want when entering a project. But rigidity can result in overlooking vulnerabilities, warn experts.
- Work exclusively with vendors who offer a road map for security; provide specific hardening guides for their network security devices, such as IP cameras; proactively post common vulnerabilities and exposures on their websites; and regularly issue software and firmware updates. Unless you see a road map for security for a vendor’s product, you should skip it, said Bozeman.
- Limit authorization and access to LP network devices and ensure that appliances maintain a log of all activity to facilitate forensic review.
- Look for technology partners that carry liability insurance. Insurance will require that an integrator or vendor undergoes an audit by the carrier to make sure they have continuity plans in place and the like. It provides at least a minimum amount of assurance that the company’s security has been examined, according to Morin.
- Establish best practices for low, medium, or high device protection, and then follow the appropriate measures depending on the risk level associated with a specific device, advised Bartolac.
- Solicit the help of IT to select trustworthy vendors and integration partners. Factors such as who built the hardware, where the software was developed, what security practices are in place to protect the source code—these are all security assessments that infosec departments are accustomed to doing, noted Morin. “LP should get their help to select a vendor and leverage their expertise,” he recommended.
- Disable unused services and only install trusted applications to reduce the chances that a would-be perpetrator could exploit a system vulnerability, advised Bartolac. Also, place cameras where they’re out of reach of a potential attacker’s tampering, he added.
- Segment security devices from other company data to the fullest extent possible. “Keeping CCTV wholly separate or segmented from payments absolutely would be a best practice to limit your exposure,” said Romero.
- Develop internal technology expertise so that your team can ask the necessary questions and knows what issues to look for, such as core protocols that lack security mechanisms, whether vendors employ proper encryption methods and mechanisms, and devices lacking secure configuration. LP must possess a skill set that is commensurate with the level of responsibility it has for device IT security, cautioned Romero.
- Consult best practices. In addition to vendors’ hardening guides, security groups and associations have put forth technical guides and best practices to follow, such as basic safeguards suggested by the Security Industry Association Cyber Security Advisory Board’s Beginners Guide to Product and System Hardening.
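Several of the points above, together with the default-credential and password-rotation problem raised earlier in the article, amount to a checklist that can be run against a device inventory: out-of-box credentials, stale credentials and firmware, unneeded services, logging for forensic review, segmentation away from payments, and restricted admin access, with stricter demands on higher-risk devices. The Go program below is an added example, not the article’s or any vendor’s code, of such an audit. The inventory records, the low/medium/high tiering rule (exposure to the Internet or to the payments segment means high), the 90-day and 180-day thresholds, the service lists, and the three sample devices are all constructed for illustration; a real deployment would take its thresholds from the vendor hardening guides and the organization’s own risk tiers.

```go
package main

import (
	"fmt"
	"time"
)

// Tier is the protection level a device must meet (constructed three-step scale).
type Tier int

const (
	Low Tier = iota
	Medium
	High
)

// Device is a constructed inventory record; the field names are this example's own.
type Device struct {
	Name             string
	VLAN             string    // "cctv" (dedicated), "corp" (shared), "payments"
	InternetExposed  bool      // reachable from outside the perimeter
	DefaultCreds     bool      // still on out-of-box credentials
	LastCredRotation time.Time // last credential change
	FirmwareDate     time.Time // build date of the running firmware
	Services         []string  // listening services
	AuditLog         bool      // device keeps an activity log
	AdminSources     []string  // CIDRs allowed to reach the admin console
}

// Finding is one policy violation on one device.
type Finding struct{ Device, Severity, Issue string }

// Constructed policy thresholds and service lists.
const maxCredAge, maxFirmwareAge = 90 * 24 * time.Hour, 180 * 24 * time.Hour

var neverNeeded = map[string]bool{"telnet": true, "ftp": true, "upnp": true} // no business on a camera at any tier
var highTierAllowed = map[string]bool{"https": true, "rtsps": true}          // the only services a high-tier device may expose

// ClassifyTier derives the tier from network exposure (constructed rule).
func ClassifyTier(d Device) Tier {
	if d.InternetExposed || d.VLAN == "payments" {
		return High
	}
	if d.VLAN == "corp" {
		return Medium
	}
	return Low
}

// AuditDevice applies the baseline checks to every device, then the extra
// checks its tier demands, and returns findings in check order.
func AuditDevice(d Device, now time.Time) []Finding {
	var fs []Finding
	add := func(sev, issue string) { fs = append(fs, Finding{d.Name, sev, issue}) }
	tier := ClassifyTier(d)
	if d.DefaultCreds {
		add("critical", "out-of-box credentials still in place")
	} else if now.Sub(d.LastCredRotation) > maxCredAge {
		add("medium", "credentials not rotated within 90 days")
	}
	if now.Sub(d.FirmwareDate) > maxFirmwareAge {
		add("high", "firmware older than 180 days; check vendor advisories")
	}
	for _, s := range d.Services {
		switch {
		case neverNeeded[s]:
			add("high", "unneeded service enabled: "+s)
		case tier == High && !highTierAllowed[s]:
			add("medium", "service not on high-tier allowlist: "+s)
		}
	}
	if d.VLAN == "payments" {
		add("critical", "shares a network segment with payment systems")
	}
	if tier >= Medium && !d.AuditLog {
		add("medium", "activity logging disabled; no forensic trail")
	}
	for _, cidr := range d.AdminSources {
		if tier == High && cidr == "0.0.0.0/0" {
			add("high", "admin console reachable from any address")
		}
	}
	return fs
}

// SampleInventory is constructed sample data, not real devices.
func SampleInventory() []Device {
	day := func(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }
	return []Device{
		{Name: "cam-dock-01", VLAN: "cctv", DefaultCreds: true, FirmwareDate: day(2015, 3, 1),
			Services: []string{"rtsp", "http", "telnet"}, AdminSources: []string{"10.20.0.0/24"}},
		{Name: "nvr-store-07", VLAN: "payments", LastCredRotation: day(2017, 7, 15), FirmwareDate: day(2017, 8, 1),
			Services: []string{"https", "rtsp", "upnp"}, AuditLog: true, AdminSources: []string{"0.0.0.0/0"}},
		{Name: "cam-lobby-02", VLAN: "corp", LastCredRotation: day(2017, 2, 1), FirmwareDate: day(2017, 6, 1),
			Services: []string{"https", "rtsps"}, AuditLog: true, AdminSources: []string{"10.20.0.0/24"}},
	}
}

func main() {
	now := time.Date(2017, 9, 1, 0, 0, 0, 0, time.UTC) // constructed audit date
	for _, d := range SampleInventory() {
		fmt.Printf("%s tier=%d findings=%+v\n", d.Name, ClassifyTier(d), AuditDevice(d, now))
	}
}
```

Run as written, the recorder on the payments segment collects the most findings even though its credentials and firmware are current, which is the point of tiering: the same service or admin-access setting that is tolerable on an isolated camera is a finding on a device whose compromise reaches cardholder systems.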
Physical Frailties
While connection vulnerabilities provide armchair hackers an easy inroad, physically infiltrating a facility to facilitate data theft or destruction is still “crazy easy” for a skilled adversary, according to Nickerson. Access control, badge systems, and other intrusion prevention and detection systems rarely stop his team from getting where they want in a facility and doing what they would need to do to compromise its network.
Johnston holds a similar view of device vulnerability. As the former head of the vulnerability assessment team at Argonne National Laboratory, he has conducted vulnerability assessments on more than 1,000 physical security and nuclear safeguard devices, systems, and programs, and it’s his opinion that all security technologies and devices can be defeated—usually “fairly easily.”
In addition to not undergoing a rigorous vulnerability assessment by the manufacturer, there is a problem with chain of custody, which fails to get much attention, according to Johnston. “The typical security manufacturer isn’t likely to have good insider threat security,” so product tampering at the source is a risk. In November, for example, it was discovered that preinstalled software in some Android phones was sending data to China, including information on where users went, whom they talked to, and text message content.
“Then [the security device] will sit on loading docks, and then sit again, sometimes for months, somewhere at the end user, and only then is it installed,” said Johnston. “But no one knows what the interior is supposed to look like, and manufacturers don’t supply pictures, so it’s impossible to tell signs of tampering.” A skilled adversary can install a man-in-the-middle (MiM) attack or compromise a device in some other way with just a few minutes of access, he noted.
Additionally, security product design often facilitates tampering by using housing that is thicker than necessary in order to make servicing devices easier. “So there is all kinds of physical room inside it for someone to put in a device to capture data and conduct MiM attacks. And end users don’t usually go around and check for alien material inside their security devices, so you have successful attacks,” said Johnston.
When physical devices fail, it can often render other security investment moot. For example, organizations are putting a lot of faith in encryption and authentication technologies. But companies often remain vulnerable because encryption can’t correct underlying vulnerabilities. “Data encryption and authentication provides reliable security if and only if the sender and the receiver are physically secure, the insider threat has been mitigated, and there’s a secure cradle-to-grave chain of custody on the hardware and software; usually none of these is true,” Johnston explained.
True security requires a secure chain of custody right from the factory, effective tamper detection built into devices, and manufacturers conducting independent and imaginative vulnerability assessments. But all three are almost universally lacking for most security devices, Johnston warns.
Vulnerabilities of some kind extend to all popular security technologies—prox cards, biometrics, even emerging retail favorites like RFID, says Johnston. RFID attacks can be performed at each stage: during communication, at the tag level, and on the tag reader. “It’s easy to shield from an RFID device. You can block, jam, or counterfeit an RFID signature. People are sometimes regarding RFID as a higher-security approach, but it’s just a bar code and maybe worse because it’s not hard to spoof RFID from across the room or from the parking lot,” he said.
The vulnerability of RFID relates to what Johnston thinks is the most common mistake in retail—confusing inventory with security. “It’s thinking that, because they know where parts and pallets are and can keep track of things, that it can act as a security system,” said Johnston. “You can have both security and inventory with the same system, but you need to analyze it as an inventory system and then separately analyze it as a security system. Too often retailers will just look at it as an inventory system but also use it for security. Or else retailers buy it for inventory, and there is a case of mission creep, and they start to use it for security.”
Compounding the problem is that inventory folks often have the money to buy all the hardware, with security being an afterthought. “But you need to build the security piece in from scratch,” said Johnston. “You can’t Band-Aid security onto an inventory system.”
More broadly, he says that LP executives need to be careful not to assign security technology powers it doesn’t possess and must recognize that security devices themselves are often not secure, which makes them vulnerable to spoofing.
Accept Defeat—And Win
Although device security is a technology problem, both Johnston and Nickerson suggested the need to address it culturally. Their domains are different—Johnston’s is vulnerability assessments, and Nickerson’s is penetration exercises—but both strategies require a retailer to be OK with learning about their weaknesses. And that can be a struggle.
“Even if you can’t redesign a product, if you understand its vulnerabilities, you can at least enact some simple countermeasures, and you don’t have to spend a ton of money,” said Johnston, who recommends that organizations perform their own frequent, imaginative, independent vulnerability assessments to find security weaknesses.
He suggested picking individuals from outside the LP department who seem psychologically predisposed to finding problems and suggesting solutions. “Pick people from the mailroom or the graphic arts department, the smart, creative types who are always finding loopholes.” These are just the kind of people who in a vulnerability assessment (VA) can provide fresh insight into how creative adversaries might defeat your security systems, said Johnston.
“The problem at a lot of organizations is that they’re afraid to encourage employees to think about these kinds of things, and they’re also afraid of what they’ll find,” Johnston added. It doesn’t help that in physical security, unlike cyber security, making changes is sometimes viewed as admitting to past negligence. “Some organizations will even halt a VA once they find vulnerabilities because really what they wanted was to rubber stamp their program and to say they looked at it,” he said.
Johnston said retailers should strive to develop a culture where uncovering vulnerabilities is seen as positive—and to be willing to accept that a legitimate vulnerability assessment will always find attack possibilities. “And you don’t have to find every vulnerability for it to be worthwhile,” he added. “At least you can go after the low-hanging fruit, and say that this attack and this attack are the most likely, so you can make some valuable, practical changes.”
Nickerson sees a similar mindset holding organizations back from undertaking much-needed physical penetration testing; many don’t want to see the expensive technology they bought easily compromised. But it’s a shortsighted attitude that practitioners and their organizations need to rid themselves of, Nickerson suggested. Don’t think of a red team’s success as security’s failure. Instead, see it as new information to help adjust and improve security. “The more we think from an adversarial perspective, the more we can know if we’re getting what we want out of our systems,” he advised in his conference presentation “Breaking Physical Access.”
Looking at your security devices from the perspective of attackers will always point out flaws, but knowing whether it’s worth addressing them requires a detailed risk assessment, something else Johnston thinks that LP practitioners could do better. “There aren’t good or bad security devices. It depends on what you need. However, ‘we don’t want stuff stolen’ is sometimes the extent of the risk assessment,” said Johnston. “But when you’re looking for the best car, it depends on what you want the car to do. Is it to win the Indianapolis 500? Is it to impress the neighbors?” So even though a security system will have its vulnerabilities, “it may be the right system given the adversaries you have, the budget you’ve got, and what you’re protecting,” said Johnston.
Johnston and Nickerson suggest that to successfully harden a security system or device against attack requires LP to first acknowledge that it’s a possibility and then be willing to gain a deeper, more honest, understanding of their technology. Learn how it can be attacked. Understand the intricacies of what systems can—and can’t—do. And appreciate which threats devices can and can’t protect against. “But it’s often way less thought out than that,” said Johnston. “It’s people in charge of security buying something because the salesperson says it’s good. I actually see the whole thing more as a security culture deficit rather than a device security issue.”