LP Magazine

SEP-OCT 2017

LP magazine publishes articles for loss prevention, asset protection, and retail professionals covering shrinkage, investigations, shoplifting, internal theft, fraud, technology, best practices, and career development.

Issue link: http://digital.lpportal.com/i/874445


SECURITY'S SECURITY

improve operational efficiency, reduce loss, and drive business. Connectivity allows for building automation and centralized control and can simplify cumbersome tasks such as installing software patches and updates. And it's flexible—allowing a system to grow and scale—and a web-based control platform allows users to manage from any web browser, anywhere with Internet access.

With connection, however, comes risk. For example, Zscaler researchers found one security camera brand communicated with its parent company in plain text and without authentication tokens, giving attackers the opportunity to introduce their own firmware; another camera transmitted user credentials for its streaming capability in plain text; and another had an unprotected remote-management console. An infected video camera could allow intruders to monitor an environment and plan physical attacks as well as cyber attacks, explained Deepen Desai, director of security research at Zscaler.

In a recent FBI bulletin to private companies, the agency warned that exploitation of connected devices to conduct attacks "will very likely continue," and some cyber-security experts warn that ransomware tactics may soon extend to IoT, locking critical devices until an organization pays a ransom. In the 2017 Black Hat Conference Attendee Survey, digital attacks on noncomputer systems ranked tenth on attendees' current list of worries; however, it was identified as the risk that they think will be their number one concern in two years' time. "The reality is that each and every one of those security cameras, network video recorders, and IP-enabled controllers are small computers—and as you add more computers and widgets to the mix, you greatly expand the surface of attack," explained Morin.
If not deployed and maintained properly, network-enabled operational technology, such as point-of-sale (POS) terminals, fire-suppression systems, video surveillance cameras, building control, and access-control systems, can provide hackers an avenue into an organization's network. "Connected devices offer great benefits, but you need to be sure these things are protected," said Bartolac.

One issue is that these systems have traditionally been built by manufacturers with a background in the physical security industry, which means they focus on features important to building managers and may not give the software a thorough code review. Consequently, applications may not have been hardened against known software vulnerabilities to reduce or eliminate the risk of network attack. It seems illogical, but there has traditionally been very little focus on the security aspects of networking physical security systems. In a study of the typical components, communication protocols, and deployments for the most common physical security systems being put on the network, researchers concluded that "physical security systems are inherently vulnerable to traditional network-based attacks."

The risk is something that retailers have started to recognize. "I'm seeing retailers making themselves more aware of the risks, probably because of the marriage of LP with IT," said Bartolac. "They're starting to look into what kinds of things can create risk and what kinds of solutions are appropriate, especially as systems are getting more complex." Still, only 30 percent of organizations say that managing third-party IoT risks is a priority for them, according to a 2017 survey by the Ponemon Institute, The Internet of Things: A New Era of Third-Party Risk. And the most basic of mistakes continues to provide hackers with a reliable way into company networks. "It blows my mind that some companies will keep out-of-box passwords for every device and never change them," said Bartolac.
In a study presented at the 2016 International Workshop on Trustworthy Embedded Devices, researchers noted that 39.7 percent of cameras and surveillance systems analyzed on the Internet in 2010 were running with default credentials. "This basically means they are completely exposed to any kind of attack such as video-feed eavesdropping, malicious firmware updates, and DNS hijacking," concluded the study Security of CCTV and Video Surveillance Systems: Threats, Vulnerabilities, Attacks, and Mitigations. The researchers said the 2010 figure still accurately suggests "the scale at which video surveillance systems are exposed and vulnerable to cyber-security threats."

To address this basic but persistent vulnerability, LP needs to ensure use of complex passwords that are rotated
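The default-credential and rotation problem described above is one that a loss-prevention or IT team can check for mechanically at provisioning time. The following audit script is an added example, not code from the LP Magazine article or from any camera vendor: it walks a device inventory and flags accounts that still carry a known out-of-box credential, fail a simple complexity rule, or are past the rotation window. The inventory, the device names, the passwords and the KNOWN_DEFAULTS list are constructed sample data (a real list would be built from each vendor's documentation), and the 90-day window and 12-character minimum are assumed policy values.

```python
"""Credential hygiene audit for networked physical-security devices.

Added example; not code from the LP Magazine article or from any vendor.
The device inventory, the account names and the default-credential list
are constructed sample data, not real vendor values.
"""
from dataclasses import dataclass
from datetime import date

# Constructed placeholder defaults. A real list is built from each
# vendor's documentation for the exact models in the estate.
KNOWN_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "12345"),
    ("root", "root"),
    ("admin", ""),
}

ROTATION_DAYS = 90   # assumed policy: rotate device passwords every 90 days
MIN_LENGTH = 12      # assumed policy: minimum password length
MIN_CLASSES = 3      # assumed policy: at least 3 of upper/lower/digit/symbol


@dataclass
class DeviceAccount:
    """One local account on one device, as recorded at provisioning time."""
    device_id: str
    kind: str            # camera, nvr, access-controller, ...
    username: str
    password: str        # in production, audit from a vault, never a flat file
    last_rotated: date


def is_default(acct: DeviceAccount) -> bool:
    """True if the account still carries a known out-of-box credential."""
    return (acct.username.lower(), acct.password) in KNOWN_DEFAULTS


def is_weak(password: str) -> bool:
    """True if the password fails the length or character-class policy."""
    classes = sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    return len(password) < MIN_LENGTH or classes < MIN_CLASSES


def is_stale(acct: DeviceAccount, today: date) -> bool:
    """True if the password is older than the rotation window."""
    return (today - acct.last_rotated).days > ROTATION_DAYS


def audit(inventory, today: date):
    """Return [(device_id, [reasons...]), ...] for every non-compliant account."""
    findings = []
    for acct in inventory:
        reasons = []
        if is_default(acct):
            reasons.append("default-credential")
        elif is_weak(acct.password):
            reasons.append("weak-password")
        if is_stale(acct, today):
            reasons.append("rotation-overdue")
        if reasons:
            findings.append((acct.device_id, reasons))
    return findings


# Constructed sample inventory (device names and passwords are made up).
SAMPLE_INVENTORY = [
    DeviceAccount("cam-lobby-01", "camera", "admin", "admin", date(2017, 1, 10)),
    DeviceAccount("cam-dock-03", "camera", "admin", "Dock-Cam-9Xq2!", date(2017, 8, 15)),
    DeviceAccount("nvr-store-112", "nvr", "admin", "password1", date(2017, 7, 1)),
    DeviceAccount("acs-backdoor-02", "access-controller", "installer",
                  "Gx7#pL9@wQ2zR4", date(2017, 3, 1)),
]
AUDIT_DATE = date(2017, 9, 1)  # fixed so the sample run is reproducible


def run_sample_audit():
    """Audit the constructed inventory as of AUDIT_DATE."""
    return audit(SAMPLE_INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    for device_id, reasons in run_sample_audit():
        print(f"{device_id}: {', '.join(reasons)}")
```

Run against the sample inventory, the lobby camera is flagged for both a default credential and an overdue rotation, the NVR for a weak password, and the access controller for an overdue rotation only; the dock camera passes. Separating the three checks keeps the report actionable: a default credential is an immediate fix, while an overdue rotation is a scheduling problem.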
