Everyone loves shiny new toys

Back when they were commonplace, I recall going into my local bait and tackle store and seeing a display of fishing lures on the counter touting some super power or other that would almost guarantee you’d catch more fish. I asked Steve, the shop owner, whom I’d known for some years, for his opinion, and his reply has remained with me ever since.

“You know what Simon, some lures are designed to catch fish, others are designed to catch fishermen. This one is designed to catch fishermen.”

This advice has served me well in the many intervening years, across many different sets of products. 

In the last few years, with cyber security becoming a concern at all levels of business, I am observing far too many decision makers failing to fully consider whether their security expenditure is the most suitable for their organisation.

There are a number of broad questions that should be asked of any security investment, cyber or otherwise, that will assist in evaluating the expenditure.

What problem does it solve or what risk does it mitigate for my organisation? 

In the physical security world, we’d find it laughable to deploy a team of Gurkhas, SEALs, and SAS soldiers to stop kids sneaking alcohol into a party. The same principle applies in cyber security: just because a product solves a problem, is it a problem that you need to solve? If you’re not a target for state-sponsored hackers, then maybe an APT detection product isn’t the best solution for you.

Across the spectrum of risks that my organisation faces, does this address a high priority risk or a low priority risk?

Similar to the previous question: is this the best, or at least a good, use of my organisation’s resources? Start with the basics. Ensure you have systems and processes in place for patching, identity and access management, encryption, data classification, perimeter security, etc. If you have internet-connected devices with default credentials or known vulnerabilities, then maybe you should address those before you worry about real-time network forensics.

Can I do something with the output that this solution provides?

There’s a world of difference between information and intelligence. If a solution gives you information that you don’t have the ability to act on, does it add any value? Once you know someone from China or Russia has logged into your systems, do you have the ability to assess whether it is genuine or malicious, and then block or remove them if it is malicious?

What am I protecting, and why?

Your systems, your processes, and your information all have a value to your organisation. How much value does the solution you are considering protect? A solution that prevents your manufacturing systems going offline for days or weeks may protect a great deal of value, whereas data leakage prevention for information that’s available from your public facing web site less so. 

How does this fit in with my overall security strategy?

As an organisation’s security posture matures (and ideally from the outset), there will be a security strategy that identifies risks, priorities, and opportunities in the business context. Does this solution align with that strategy and assist in progressing it?

Will it integrate with my existing tool set?

If you already have security tools and systems in place, the ability to integrate a new solution into your existing environment is an important consideration. If a product is going to result in a disparate set of notifications that reduce the likelihood of them being actioned correctly, is there a product that will integrate better, or has the cost to integrate been allowed for?

How will it be supported?

It’s all well and good to have the latest, greatest products; however, for technology to be effective, it requires support, maintenance, and updates. Has support, both its availability and its expense, been evaluated as part of the product assessment? What is the product support lifecycle, and will it be adequately supported for as long as you expect it to be in use?

There are of course all the other questions that should be asked of any expenditure, such as “Can I afford it?” and “Is this the right vendor?”

So, next time you’re preparing to spend your hard-earned cash on a security solution, just remember to question whether they are fishing for fish or fishing for fishermen.


If you would like some assistance improving your cyber security get in touch with us today.


Simon Pollak is a security professional with more than 25 years’ experience in physical and cyber security, smart buildings and automation systems. A licensed security consultant and CISSP, he holds a Masters of Cyber Security and a Masters of Business Administration (Technology).

Simon Pollak is the principal consultant at STSC

You can follow him at https://au.linkedin.com/in/simonpollak  

This article was first published in Issue 6 of Australian CyberSecurity Magazine


Cyber Attacks on CCTV Systems

With cyber attacks on CCTV systems making news headlines on a weekly basis of late, there is a good deal of concern and uncertainty about how at risk these systems are, as well as why they are being attacked. In this article, we take a closer look at some of these attacks: how they were carried out and the likely motivations behind them.

Canon Cameras in Japan – For the LOLZ

What happened? In May 2018, over 60 Canon cameras in Japan were hacked, with “I’m Hacked. bye2” appearing in the cameras’ display text.

How did the attack take place? IP cameras were connected to the internet and left on default credentials. It appears that the hackers logged into the cameras and changed the on-screen display.

What was the impact? Other than the defacement of the camera displays and some reputational damage, there doesn’t seem to have been much impact from the attacks.

What was the attacker’s motivation? The most likely explanation is that they did it for the LOLZ, a hacker term implying the attack was done for laughs; however, there’s no guarantee that this wasn’t cover for a more sinister attack.

How bad could it have been? Whilst this sort of attack is relatively innocuous, having a hacker gain control of a network device can have catastrophic impacts. Once a hacker has gained control of a device, they could use the camera for hostile reconnaissance, inject their own video stream in a Mission Impossible-style attack, or use the device to pivot to other devices on the same network, all of which would make for a really bad day.

Mirai Botnet of Cameras and DVRs – Free computing

What happened? In October 2016, 600,000 internet-connected cameras, DVRs, routers and other IoT devices were compromised and used to form a massive botnet to launch what was the largest Denial of Service (DoS) attack the internet had experienced to date.

How did the attack take place? Yet again, devices were left connected to the internet on default credentials. In this case, the attackers developed software that scoured the internet searching for vulnerable devices, which they then took control of using their own malicious software.

What was the impact? The Mirai attacks significantly disrupted the internet, resulting in Dyn, one of the largest service providers, going offline and taking many web sites offline with it, including Twitter, Amazon, and Netflix.

What was the attacker’s motivation? The perpetrators of Mirai were charged with conspiracy to violate the Computer Fraud and Abuse Act in the US courts in Anchorage. It turns out that they were a group of college students who ran a Minecraft server and had built the botnet to degrade the performance of competing servers in order to gain more users for their service. They have been sentenced to between five and ten years in prison and fined up to $500,000.

How bad could it have been? Once the Mirai source code was released into the wild, many variants were developed, including BrickerBot, which similarly scoured the internet and then bricked devices so that they had to be factory reset to regain control and functionality. A more determined attacker could have done far more damage to the devices or launched more damaging attacks using the same techniques.

A friend of the US hacks back against the Russians – Targeted Attack

What happened? In 2014, a US ally observed a malicious actor attacking the US State Department computer systems. In response, the NSA traced the attacker’s source and infiltrated their computer systems, gaining access to their CCTV cameras, from where they were able to observe the hackers’ comings and goings.

How did the attack take place? Not surprisingly, details of the hack back have been withheld from media coverage. Given this was carried out by professionals, we can assume that the attack was both sophisticated and stealthy.

What was the impact? For the Russian hackers who were identified, this will have put a damper on any travel plans they may have had, as they are likely to be arrested if they holiday in a country with an extradition arrangement with the US.

What was the attacker’s motivation? In this instance, the hackers were the good guys, so they carried out the attack in order to defend their systems.

How bad could it have been? If the attackers hadn’t been on the right side of the law, and their target had been a bank, a celebrity, or any place that privacy is important, the attack could have caused a lot of harm.

Washington DC CCTV System Infected – Ransomware

What happened? In the lead-up to the 2017 US Presidential inauguration, 65% of the recording servers for the city of Washington’s CCTV system were infected with ransomware.

How did the attack take place? Whilst the method is unknown, it most likely occurred by the same means as other common PC compromises, such as infected USB keys, malicious web sites, or phishing attacks.

What was the impact? The system administrators had to wipe the infected systems and reinstall the Video Management System, so it’s entirely possible that a good deal of footage was lost and the system was rendered inoperable for a period of time.

What was the attacker’s motivation? As with any ransomware attack, the attackers’ motivation is to hold the compromised system to ransom and only restore control once the ransom has been paid. It is important to note that ransomware can also be used to conceal more malicious or targeted attacks by keeping defenders distracted combating the more visible attack.

How bad could it have been? Whilst functionality was restored, we may never know just how much important footage was lost or what other systems could have been compromised.

What lessons can we learn from these attacks?

Don’t connect your devices directly to the Internet. If you need to have a camera or CCTV system remotely accessible, port forwarding all inbound traffic to your system is just asking to be attacked. Use a VPN, use non-standard network ports, enable two-factor authentication, or use a remote access service. Whilst these measures won’t guarantee your security, they will certainly make you less of a target for attackers that are scouring the internet for vulnerable systems.

Change default passwords. It’s like the road safety advertisements from the 1990s which asserted that “If you drink and drive, you’re a bloody idiot”.

The same goes for credentials: “If you don’t change the passwords, you’re a bloody idiot”.

Don’t forget that it’s a computer. Just because it connects to a bunch of cameras doesn’t mean that your NVR isn’t a computer. All the cyber security advice that applies to traditional IT is just as applicable when that computer is used as part of a CCTV system.
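The three lessons above can be checked against something every NVR already produces: its authentication log. The following Python script is an added example, not code from the original article or from any CCTV vendor; the log line format, the sample entries and the “internal network” list are assumptions constructed for illustration (the 203.0.113.x and 198.51.100.x addresses are documentation ranges standing in for public internet sources). It flags successful logins arriving straight from the internet (the device is directly exposed), successful logins using factory account names (default accounts still in use), and bursts of failed logins from one source (the internet-wide scanning that built Mirai). Only login names are inspected; no passwords are handled or tested.

```python
"""Audit an NVR or camera authentication log for the three lessons above:
direct internet exposure, factory account names still in use, and
internet-wide credential scanning. Added example; the log format and the
entries are constructed for illustration, not any vendor's real log."""
import ipaddress
import re
from collections import Counter

# Constructed sample log. The 203.0.113.x and 198.51.100.x addresses are
# documentation ranges standing in for public internet sources.
SAMPLE_LOG = """\
2018-08-01T02:14:03 LOGIN FAIL user=admin src=203.0.113.45
2018-08-01T02:14:04 LOGIN FAIL user=admin src=203.0.113.45
2018-08-01T02:14:05 LOGIN FAIL user=root src=203.0.113.45
2018-08-01T02:14:06 LOGIN FAIL user=admin src=203.0.113.45
2018-08-01T02:14:07 LOGIN OK user=admin src=203.0.113.45
2018-08-01T08:30:11 LOGIN OK user=operator src=10.20.5.17
2018-08-01T09:02:44 LOGIN FAIL user=guest src=198.51.100.9
2018-08-01T09:45:00 LOGIN OK user=admin src=192.168.1.50
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Account names that CCTV gear commonly ships with. Only the login name is
# checked; the script never handles or tests passwords.
FACTORY_USERS = {"admin", "root", "guest", "888888", "666666"}

# Networks from which management logins are expected (LAN or VPN); this list
# is an assumption for the example. Anything else is treated as a
# direct-from-internet connection.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]

FAIL_BURST_THRESHOLD = 3  # failures from one source before we call it scanning


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def parse(log_text):
    """Turn log lines into dicts; lines that don't match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["src"] = ipaddress.ip_address(d["src"])
        d["ok"] = d["result"] == "OK"
        events.append(d)
    return events


def audit(log_text, burst_threshold=FAIL_BURST_THRESHOLD):
    """Return findings keyed by type; each finding is a (source, detail) tuple."""
    findings = {"INTERNET_SUCCESS": [], "FACTORY_ACCOUNT": [], "FAIL_BURST": []}
    fails = Counter()
    for e in parse(log_text):
        src = str(e["src"])
        if e["ok"] and not is_internal(e["src"]):
            # Lesson 1: the device is reachable and usable straight from the internet.
            findings["INTERNET_SUCCESS"].append((src, e["user"]))
        if e["ok"] and e["user"] in FACTORY_USERS:
            # Lesson 2: a factory account is still in active use; rename or disable it.
            findings["FACTORY_ACCOUNT"].append((src, e["user"]))
        if not e["ok"]:
            fails[src] += 1
    for src, n in fails.items():
        if n >= burst_threshold:
            # Lesson 3: treat it like any server and alert on brute-force patterns.
            findings["FAIL_BURST"].append((src, n))
    return findings


if __name__ == "__main__":
    for kind, items in audit(SAMPLE_LOG).items():
        for src, detail in items:
            print(f"{kind:16} src={src} {detail}")
```

On the sample log this reports one successful login from the internet, two successful logins by the factory `admin` account, and a burst of four failures from a single source. The same shape of check works on a real NVR’s log once the regular expression is adjusted to its format; the point is that an NVR deserves the same login monitoring as any other server.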


Whilst we aren’t seeing the flood of attacks on CCTV systems that has been predicted, they are a ripe target. If a determined attacker starts attacking these systems, there will not be time to remediate many of them before the damage spreads.


If you would like some assistance improving your security get in touch with us today.



This article was first published in the August 2018 issue of Security Insider


The Slowest Buffalo in the Herd.

You know that moment in a wildlife documentary, the one where the lions identify the slowest buffalo in the herd and then launch their attack? Have you ever stopped to consider what it’s like to be that buffalo? You weren’t always the slowest. Once upon a time there were other, slower buffaloes; however, they’ve been picked off over time, or they’ve become smarter or faster, until the only thing standing between those lions and their lunch is your ability to escape.

Cyber security is a lot like that, with cyber criminals targeting whichever industry makes for the easiest pickings, and as various industries improve their security posture, the criminals move on to the next easiest targets.

Right now, real estate seems to be the slowest buffalo in the herd. Before that, construction, maritime, and healthcare were targeted until they improved their security posture.

In the attacks currently targeting real estate and conveyancing, cyber criminals are inserting themselves in the middle of email conversations and online transactions to modify bank account details when settlement funds are being transferred.

The process isn’t all that complicated, or all that sophisticated: the attacker takes control of the conveyancer’s or selling agent’s email account, creates a rule to move any emails relating to a particular transaction, then modifies the bank account details and responds as though they are the conveyancer. The funds get deposited into the hacker’s bank account, and the crime is only detected when the funds fail to appear in the receiver’s bank account.
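The mailbox rule at the heart of this attack leaves a trace that defenders can hunt for: a rule that quietly diverts settlement or bank-related mail. The Python script below is an added example, not code from the original article; it scores inbox-rule records on the traits the attack relies on (matching financial keywords, hiding mail in a rarely viewed folder or deleting it, forwarding it outside the organisation, and a near-empty rule name) and flags rules above a threshold. The record layout, the sample rules, the domain example-conveyancing.com.au and the scoring weights are all assumptions constructed for illustration; a real tenant would feed this from its mail platform’s rule or audit export.

```python
"""Flag inbox rules typical of business email compromise (BEC): rules that
hide or divert messages about settlements, invoices or bank details.
Added example; the records below are constructed, not real audit data."""
import json

FINANCE_KEYWORDS = ("settlement", "invoice", "bank", "payment", "transfer", "remittance")
# Folders attackers favour because users rarely look in them.
HIDING_FOLDERS = {"deleted items", "rss feeds", "rss subscriptions", "archive",
                  "junk email", "conversation history"}
ORG_DOMAIN = "example-conveyancing.com.au"  # assumed: the organisation's own mail domain
FLAG_THRESHOLD = 3

# Constructed rule records in the shape this example expects: mailbox, rule
# name, match conditions and actions. Only the first and last are malicious.
SAMPLE_RULES_JSON = json.dumps([
    {"mailbox": "jane@example-conveyancing.com.au", "name": ".",
     "subject_contains": ["settlement", "12 Smith St"], "from_contains": [],
     "move_to_folder": "RSS Feeds", "mark_read": True, "delete": False,
     "forward_to": ["j.smith.conveyancing@mail-example.net"]},
    {"mailbox": "jane@example-conveyancing.com.au", "name": "Newsletters",
     "subject_contains": ["newsletter"], "from_contains": [],
     "move_to_folder": "Newsletters", "mark_read": False, "delete": False,
     "forward_to": []},
    {"mailbox": "accounts@example-conveyancing.com.au", "name": "Invoices",
     "subject_contains": ["invoice"], "from_contains": [],
     "move_to_folder": "Accounts/Invoices", "mark_read": False, "delete": False,
     "forward_to": ["ap@example-conveyancing.com.au"]},
    {"mailbox": "bob@example-conveyancing.com.au", "name": "cleanup",
     "subject_contains": [], "from_contains": ["bank"],
     "move_to_folder": None, "mark_read": True, "delete": True,
     "forward_to": []},
])


def score_rule(rule, org_domain=ORG_DOMAIN):
    """Return (score, reasons) for one rule; higher means more BEC-like."""
    score, reasons = 0, []
    terms = [t.lower() for t in rule.get("subject_contains", []) + rule.get("from_contains", [])]
    if any(k in t for t in terms for k in FINANCE_KEYWORDS):
        score += 1
        reasons.append("matches financial keywords")
    folder = (rule.get("move_to_folder") or "").lower()
    if folder in HIDING_FOLDERS:
        score += 2
        reasons.append(f"moves mail to '{rule['move_to_folder']}'")
    if rule.get("delete"):
        score += 2
        reasons.append("deletes matching mail")
    external = [a for a in rule.get("forward_to", [])
                if not a.lower().endswith("@" + org_domain)]
    if external:
        score += 2
        reasons.append("forwards to external " + ", ".join(external))
    if len(rule.get("name", "").strip()) <= 2:
        score += 1
        reasons.append("near-empty rule name")
    return score, reasons


def find_suspicious_rules(rules_json, threshold=FLAG_THRESHOLD):
    """Parse the exported rules and return those scoring at or above threshold."""
    flagged = []
    for rule in json.loads(rules_json):
        score, reasons = score_rule(rule)
        if score >= threshold:
            flagged.append({"mailbox": rule["mailbox"], "name": rule["name"],
                            "score": score, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for f in find_suspicious_rules(SAMPLE_RULES_JSON):
        print(f"{f['mailbox']} rule '{f['name']}' score={f['score']}: {'; '.join(f['reasons'])}")
```

Against the sample, the rule named “.” that moves settlement mail to RSS Feeds and forwards it externally scores 6, the “cleanup” rule that deletes anything from the bank scores 3, and the two legitimate filing rules stay below the threshold. Scoring rather than hard matching keeps the legitimate “Invoices” rule from generating noise while still catching a rule that combines any two of the attacker’s habits.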

Be it because we’re hidden by the rest of the herd, or because there are juicier targets than us, the physical security industry has been relatively untouched by targeted cyber-crime thus far.

As an industry, there tends to be a lack of understanding of cyber risk, a general failure to consider ourselves to be a target for attack, and a “she’ll be right mate” attitude. All of this has left us well and truly stuck in the cyber dark ages.

The buffalo model has three components – the lion, the buffalo, and the delicious buffalo steak dinner, or said another way, an attacker, a victim, and a prize.

The Lion

Like the lion, financially motivated cyber criminals don’t really care who their target is; their concern is the size of the payoff, the amount of effort required to achieve that payoff, and the risk of harm.

There’s some great work being done by law enforcement and government to take down criminal organisations; however, as potential victims, there’s not all that much we can do to prevent them carrying on their criminal activities.

The Buffalo

Whilst we can’t change the fact that there will always be lions, there is a lot that we can do to prevent them from attacking us.

First and foremost, the physical security industry can make sure that it’s not the slowest buffalo. 

There is a lot that individual organisations can do to improve their security posture, but unless the physical security industry as a whole (manufacturers, software vendors, consultants, integrators, guards, installers, and end users) agrees that cyber security is important, and a fundamental requirement from end to end of the supply chain, we risk becoming the slowest buffalo.

Secondly, just like in the wildlife documentaries, sometimes the buffalo kicks, runs, fights back and eventually escapes; so even if your organisation is targeted, hopefully your defences will hold up.

It’s well beyond the scope of this article to create a cyber security program, and every organisation’s requirements differ; however, the first step that every organisation should undertake is an assessment of their cyber risk.

Some of the elements to consider are:

  • What sensitive information does your organisation hold?
  • What value would that information have if it was obtained by a criminal entity?
  • What would the impact to your organisation be if access to that information was lost?
  • What are your essential IT systems – both traditional IT, and operational technology?
  • What legislation such as the Australian Notifiable Data Breaches (NDB) scheme and the European General Data Protection Regulation (GDPR) must you comply with?
  • Do you have, and would you benefit from, cyber insurance?
  • What protections do you have in place for your information systems?
  • Who is responsible for protecting your systems?

All of this is traditional risk management, which most security professionals are familiar with, just applied in a different domain.

Take the time to assess your cyber security risk then engage with a cyber security professional to design and deploy appropriate cyber security protections for your organisation.

The delicious buffalo steak

Whilst the physical security industry may think it is not an appealing target for hackers, that’s not the case. Some of the information that attackers may be interested in include:

  • Site details such as names, addresses, alarm codes, rosters, site orders, and stand down passwords – all very useful if someone wants to break into a site.
  • For technical security providers and consultants; as-built drawings and design documents detailing all the security technology at a particular site.
  • Lists of master and installer codes and passwords.
  • Upload / download software which would allow the exfiltration of codes or the addition of back door credentials.
  • Client and employee information.
  • Contracts, tender documents, and other commercially sensitive information.

As well as sensitive information, there are the complex technology platforms that support our security operations. Whilst patching and software updates are key protective measures, there is a lot of security software still in use that won’t run on modern operating systems, or for which there haven’t been any updates for many years. Legacy operating systems and outdated software typically have poor defences against malware. If a guarding company’s roster and wand software system was held to ransom, what would the impact on operations and billing be?

Finally, there’s financial crime, most often via Business Email Compromise and invoice fraud. I’m sure there are many organisations who will update bank account details without any out-of-band validation. As is currently playing out with payment fraud in real estate, liability and responsibility can be very vague in these instances.

Does it really happen?

Cyber crime can and does happen, each and every day of the week.

In 2017, a Melbourne construction company lost $100,000 when their invoice was intercepted and modified en route to a client, who paid the invoice into the fraudsters’ bank account.

Also in 2017, a major Canadian company was forced to pay $425,000 to restore its computer systems after suffering a crippling ransomware attack that encrypted not only its production databases but also the backups.

In a little under ten minutes, NotPetya spread throughout the IT systems of global shipping organisation Maersk, requiring the rebuilding of 4,000 servers and 45,000 workstations and costing the company around $300 million.

In June 2018, a Melbourne family lost $250,000 from the sale of their house after settlement details were edited in a compromised email account.

What next?

At the moment, we’re watching other industries get picked off, suffer varying losses, then improve their security posture.

We can either continue on our current trajectory, wait until the physical security industry gets targeted and then wring our collective hands, or we can pay heed to the circling lions.

I recommend the latter, but to do so will require a previously unseen level of co-operation across all levels of industry, from manufacturer and developer to end user.



If you would like some assistance improving your cyber security get in touch with us today.



This article was first published in the August/September 2018 issue of Security Insider
