An ethical hacker discusses the often overlooked cybersecurity of access control technology and ways to protect your organization.
A while back, Valerie Thomas was doing a lot of network-based penetration testing. She was in and out of a lot of places – critical infrastructure, government, and enterprise. She kept finding devices on the network and didn’t understand what they were. In fact, no one on the IT side really understood what they were – and the people installing them didn’t really understand what they were doing on the network.
These things were connected physical security components – things like connected door controllers, access control solutions, and video surveillance systems. A decade ago, the people that owned the systems knew that integrators were coming in and connecting them. They didn’t object or really inquire as to why they were connected and how that would affect the network. Valerie sought to find resources to help her clients understand the security risks of these devices – but at the time none were available.
We’ve come a long way since then, in part due to people like Valerie Thomas. Valerie is today an Ethical Hacker for Securicon, and describes herself as a physical security enthusiast who prides herself on guarding the boundary between the digital network and the physical security systems connected to it.
Today it’s important to shift your view of what an attack is — it’s not only physical, and it’s not only cyber, but it’s blended. Hackers don’t focus on one thing, they focus on several, and they blend them together until they get what they want.
They’re also slow, and quiet. While television will lead you to believe otherwise, real access to a network isn’t gained in an hour. These types of attacks take weeks, months and even years.
End users struggle with this blend of physical and cybersecurity for a number of reasons. One of the big reasons is that the security decision maker doesn’t always have the IT background required to understand the network. On the flip side, IT departments often have little experience with physical security systems.
“I have been going out and talking to a lot of IT and cybersecurity consultants at conferences, and teaching them about physical access control and how to merge these two worlds,” says Valerie. “We don’t speak the same language. We don’t really operate at the same pace. There are a lot of challenges there — even just the knowledge base is different. When you say something like VMS in physical security, that means something so different to someone in IT.”
Folks in IT and cybersecurity are used to quick patch cycles and quick responses. They’re continually patching, updating, fixing — it really depends on what’s going on that day. If there is a vulnerability, they’re on it. If you look at the physical side — in this case, the components — once the equipment is deployed, it isn’t touched very often. There aren’t very many updates. Integrators don’t always tell end users to update, and end users don’t always ask integrators if updates are needed.
The physical security industry is being targeted quite often. Worse still, manufacturers whose products once required no network connectivity are rushing to introduce the connected products their customers are looking for — overlooking or flat-out ignoring security concerns along the way.
To compound that, regulations have only just started being introduced on security standards for smart devices. It’s a bit of a perfect storm for organizations that just want a CCTV system that doesn’t cripple their business through a cyber attack.
How Attackers View Access Control Cybersecurity
Sometimes the easiest way to attack a system is to have physical access to it. When an attacker can physically reach the device or the network, the time to total control is measured in minutes to hours.
In addition, gaining credentials of one of the owners of