While many people focus on the logical security around their data, physical security gets a lot less attention. Locking down the electronic components of physical security is an area that’s forgotten once it’s installed. Tony Vizza, from IT security consultant Sententia, says there’s a huge gap between what we should be doing with our physical security and what we actually do.
Vulnerability management is something we focus on with systems but many businesses are missing the boat on physical systems.
“Hackers won’t go on the market saying they’ve hacked a door system,” said Vizza, who will be speaking at the upcoming Security Exhibition and Conference being held on 26-28 July 2017 in Sydney. “But they will exploit it for as long as they can”.
A good example of how this matters is the theft of physical devices. If someone can break through physical security then they can steal a server. Even if the data on that server is encrypted, once a thief has physical access to a device, they can take their time to break the encryption or work around it to access data.
Once we start thinking about hacking physical security, we move quickly into the realm of IoT. Vizza says hacking these devices is relatively easy.
“A lot of IoT devices have been, historically, set up on a completely different architecture. Unlike the seven-layer OSI model, the IoT is set up on a four-layer model and security was an afterthought at best. A lot of the original PLCs and other devices have security bolted on, if it’s done at all”.
Vizza says many SCADA and internet satellite systems are completely unsecured. He said you can walk up to some satellite receiving dishes and, because they are authenticated onto a network with full access, you can use them to access any device on a network. And, as many are set up in remote areas, they are often missed or forgotten during vulnerability assessments.
“Often, these systems were put in place when there was no internet connectivity so nobody ever thought to lock them down or that they could be accessed by someone on the other side of the world”.
While many IoT and SCADA system makers are catching up, there are many legacy devices already in place and the number of older devices that are accessible remains a vulnerability that can be exploited.
The configuration challenge
Although patching remains a challenge for businesses, it’s a well understood process and that means it’s possible to create standardised systems for patch management. But configuring a systems securely so that it balances the business’ needs for ease of use and safety can be more nuanced.
“I liken patching to visiting the dentist every six months. We all know we should do it but not many of us do. People know patching is important but very people are doing it properly. WannaCry was a wake-up call but we saw with Petya that organisations still didn’t take it [patching] seriously”.
Vizza said one of the problems with configuration starts at the top of the business. Many of the senior managers and board members he speaks to admit to asking IT to change things to aid their ease of use. So, even if IT have everything set up correctly and securely configured, it can be compromised.
“Security often takes second place. And if it’s in second place you can introduce vulnerabilities into your systems,” said Vizza.
Management needs to re-prioritse things so security is the first priority and that ease of use may need to be considered in light of what it means for security.
“It comes down to leadership deciding what the priority is for the business. Increasingly, businesses are getting it but we’re still immature – we’re at ‘toddler’ stage”.
Three things to consider
Vizza says many businesses are throwing a lot of money at the problem and don’t realise that humans can cause the biggest problems. Often, that’s because a security vendor sells a new solution but there hasn’t;t bee sufficient education.
Then, if someone accidentally causes a leak, they are vilified even though they were not educated as to the risks or what behaviours would have been more conducive to better information security.
Often, discussions around information security become bogged down in technical issues. Vizza’s second point was that communications with management and boards needs to be switched from a technical discussion into one about risks and business outcomes.
“Physical security has done a good job of showing its value. IT can learn from this”.
That means linking activities to specific outcomes. For example, placing a bollard at the front of a building can prevent a smash-and-grab raid. Information security professionals need to link the equipment and software they install to business outcomes that are understandable to decision and policy makers.
Finally, it’s important to understand and communicate that the world is constantly changing. Security, particularly physical security, is not a set-and-forget activity. Physical systems need to reviewed and updated regularly.
“There needs to be adequate resourcing in place to ensure that there’s someone there checking. Just as you have someone checking physical locks, the same has to happen with logical security to cope with new applications”.