
6.22.2010

Looking for Vulnerabilities in All the Right Places? Experts Think you Might be Missing a Few...

Source -- DarkReading
By Keith Ferrell, Contributing Writer
 
The biggest vulnerabilities in the enterprise might be items we see every day -- and just don't think about.

Experts say that vulnerability assessments often overlook the everyday dangers: Network-attached devices that aren't computers. Paper documents. Passwords posted in plain view. Portable storage devices.

Most of these are technologies that would never be taken into account by a traditional vulnerability scan. Yet they could lead to data leaks just as surely as a keylogger or a data-stealing Trojan, experts say.

"Peripheral devices on the network may have capabilities the business doesn't know of," says Kevin Brown, delivery manager for custom testing at security assessment firm ICSA. "And those capabilities can create security vulnerabilities."

Printers, fax machines, and multifunction devices with persistent storage could all serve as entry points for a sophisticated hacker, Brown observes. And the presence of internal storage might not be clear at first glance, nor does it necessarily show up on traditional security audits.

"An automated vulnerability scan may not reveal which printers and other hard copy devices have hard drives," Brown observes. "As a result, the business isn't aware that digital copies of sensitive information may remain in the printer."

A thorough vulnerability assessment should include examining all hard copy devices for internal storage capability -- this could require contacting the manufacturer or even opening the machine, Brown says.

Enterprises also should take steps to ensure that digital files are wiped from these devices as soon as the hard copy is produced or the fax transmitted. This could mean purchasing and installing additional software from the manufacturer.

Other network-attached devices could also be vulnerable, Brown observes. "Any device connected to the network needs to have its security validated," he says.

He offers security cameras as an example. "For cost-saving and other reasons, companies have shifted security cameras from dedicated coaxial cable connections to TCP/IP connections, which run the risk of being vulnerable to cross-site scripting attacks and remote control takeover."

Even backup power devices might be at risk, Brown warns. "UPS devices connected to the network could enable an attacker to take control," he says.

Brown offers three bits of advice for all network-attached devices. "The biggest risk is leaving the default password in place," he says. No matter the device and its purpose, he advises, users should change its password before connecting it to the network.

"Second," Brown continues, "review all of the features that the device offers. Web printing capability may not be useful as a business function at your company, but it could be very useful to an attacker."

Finally, he points out that maintaining security readiness on peripheral devices is an ongoing process.

"Incorporate all devices into your patch cycle," he says. "We're all familiar with Microsoft and Cisco patches -- but when was the last time you upgraded the firmware on your printer? Seek out patch information on every device connected to your network, and incorporate them into your patching cycle."

Many of these office devices produce a lot of paper -- paper which, as security consultant Steve Stasiukonis of Secure Network Technologies points out, can be a vulnerability itself.

"Take a look at your copier station," Stasiukonis says, noting that many companies overlook sensitive material that might be found in unsecured places. Recycling bins or preshredder collection stations holding unshredded materials can be rich sites for information-miners, he notes.

Documents that aren't shredded could be the cause of a data breach, as a recent New Jersey incident revealed when papers containing Social Security numbers and other personal information were found in a public dumpster.

"And don't forget the amount of paper and other sensitive information on employees' desks," Stasiukonis advises.

A workplace walk-through -- even in a "clean desk" environment -- can often reveal security badges and swipe-cards lying in plain sight, ripe for the taking, Stasiukonis explains. In his physical penetration tests, Stasiukonis frequently also finds passwords and log-ins on sticky notes and keyrings hanging from thumbtacks in cubicles.

Even if you don't see anything at first glance, Stasiukonis suggests, look a little closer. "Have your employees turn over their keyboards for inspection," he suggests, noting that many users stick their passwords there for easy recall.

Stasiukonis also recommends checking devices, such as copiers, for default service tech passwords, which might remain in place even if the business has changed its own access and log-in codes.

"Check to be sure that security cameras haven't been repositioned," he adds. "Scan for infrared devices. Examine the security not only of IT administration notebooks, but also physical plant management and control notebooks. Beyond that, an examination of the contents of employees' desks can reveal treasure chests of vulnerabilities.

"But," he cautions, "before going into employees' desks, you should review your plans with your human resources department." Whatever your company's legal rights, many employees resent having their desks checked, so be sure to educate them before conducting a search, he explains.

Another vulnerability vector -- and in many ways the most common one -- is human nature.

Security professional Scott Wright's Honey Stick Project put human nature to the test by leaving specially prepared USB drives in plain sight. When one of the drives was inserted in a business device, the information was logged, revealing what the user had done.

Such behavior is typical, according to Wright. As he notes on his Streetwise Security Zone site: "Out of 54 devices dropped with specially configured -- but safe -- files on them, the Honey Stick Project has detected that at least 35 of these devices have had files opened."

Vulnerability-scanning tools are a good place to start, but they can't see the whole enterprise, the experts warn. To find all of your vulnerabilities, you'll need to look at the things your users see every day -- in a new way.

6.21.2010

The Pelco DX Series, Doing More for Less... Part 1.

For many years and countless hours of around-the-clock operation, the Pelco DX Series of DVRs has been relied upon to protect people and property in thousands of locations worldwide. From basic video security systems with just a few cameras, to fully distributed network video systems, the DX Series is the perfect digital recording solution to meet most any video recording need.

The DX Series begins with the DX4100. These affordable, entry-level DVRs eliminate the need for the traditional VCR/multiplexer/matrix combination. Offering four-channel models with internal storage capacity of up to 2 TB, the DX4100 series is designed to guard your business while protecting your bottom line. The hallmark of the DX4100 series is its ease of operation. These systems feature simple installation, are ready to record right out of the box, and have an easy-to-use and intuitive user interface which makes training and support a snap.

2.11.2010

ISONAS' Crystal Matrix at a glance.

Easily Support Seasonal Schedules with ISONAS Access Control System
source: ISONAS

Are some of your clients affected by seasonal changes to their facility's schedules?

Seasonal variations are common for organizations such as:

  • Schools and Libraries
  • Park Districts
  • Amusement Parks
  • Sports Facilities
  • Churches
  • Recreation or Tourism Business

Many of these organizations will want to pre-plan and pre-program the upcoming schedules into their access control system, so that the schedule's transition times are seamless and worry-free. The Crystal Matrix application supports these types of requirements with the Permission Groups feature.

Crystal Matrix Permission Groups for Schools

A high school might use the Permissions Group feature of Crystal Matrix to schedule the full summer activity sessions before the end of the school year. Prepare the system for band camp, 2-a-days football practice, teacher development workshops, and adult education seminars. All pre-planned and pre-programmed before the school's staff begins its summer break. As the summer calendar progresses, the access control system automatically adjusts the system's business rules to allow the proper people into the school, at the proper times.


Understanding how to use Crystal Matrix Permissions

To effectively use the Crystal Matrix Permission Groups feature, you should have a solid understanding of how Permissions are defined within the system. Below are links to short training videos that explain the process of setting up Permissions within the ISONAS system.


The Clash of the Titans; Physical Security and IT Security

IT departments are no strangers to turf wars, but is the one shaping up between those overseeing computer networks and those in charge of physical security about to get really ugly?

Unlike past tussles between say, voice and data communications teams, the contest between IT security and those involved in everything from fire alarms to video surveillance to door-lock access controls tends to involve people who might never have had any reason to cross each other's paths.

Converging physical and logical security: A good idea or not?

"It typically takes a C-level executive to force these organizations to work together," says Tom Flynn, director of marketing in North America for smart-card maker Gemalto. "The fact is there are different entities in a corporation for physical and logical security… We see turf wars happening."

Merging physical and logical security is seen by advocates as a cost-saving step and a natural evolution for facilities maintenance and guard operations, where door-access equipment and video cameras are increasingly IP-enabled, and a smart card-based badge could be used by employees to access both buildings and computers. But resistance to convergence runs deep among traditional physical security managers, who are wary of IT departments taking control. And even IT security experts voice concerns that it's risky, with some strongly opposed to the idea of physical security operations, such as video surveillance streams, riding on the same IP corporate network as the rest of the business.

"Physical security has been about closed systems, but with the move to IP-based systems and connecting campuses there's the need to have the IT and security department involved," says Steve Russo, director of security and privacy technology at IBM's global technology services group. He says there can be advantages in integrating physical security with logical and transactional systems to give management a better picture of what's occurring, especially in retailing. And although network capacity is a concern, it's possible to share an IP network for logical and physical security, he suggests.

"Is there a risk associated with combining it? Absolutely," Russo acknowledges. But he adds: "The logical-security people are looking at threats to the environment. And where we see the interesting spark is that they can take information about physical events and turn it into operational use."

But there's often a cultural rift existing between the physical security department for facilities management, with their isolated closed networks, and the IT department with its systems administrators and security specialists trying to keep scores of Internet-accessing computers and applications running safely.

"With IP-based access control, the 'turf wars' tend to be marginalized once the IT folks realize that a system like ISONAS' PowerNet reader is actually a network appliance," says Steve Rice, Vice President of Sales and Marketing for Colorado based ISONAS Security Systems. "It demands little in the way of network capacity, resources to install and can be supported like any other IP device. The benefits of integrated video, access control and/or other building control systems include a combination of additional detailed information available from a set of closely integrated functionalities (ex. have a picture of personnel involved in an entry event plus network confirmation of the credential information timed exactly to the video feed) as well as the simplicity of dividing what functionality to integrate on a customer by customer basis. This is due to the relative ease of integration with a true network software-based system. So the physical security requirements are met with a minimum of IT resource."

These differences in viewpoint are often heard in the physical-logical security convergence debates. But one of the most ardent advocates for convergence might be Ray O'Hara, executive vice president of international operations, consulting and investigations at Andrews International, which is in the traditional physical security business of "guns, gates and guards," as he puts it.

"The traditional security person and the cyber-security side are both hands-on and doing things for the betterment of the organization," says O'Hara, who recently became president of the board of directors of ASIS International, an organization for security professionals.

But today the physical-security technologies are evolving to the point where "the traditional people need help from the IT people," O'Hara says. There is often discord and mistrust between the physical and logical security divisions. But that needs to be overcome by possibly combining reporting structures so they can more easily collaborate or by setting up a "risk council" to have regular discussions with business managers, he suggests.

IBM's Russo says protocol issues point to the need for standardized compression techniques and transport in physical-security equipment, as well as standard XML-based definitions so that important meta-data can be shared. "Physical security is transitional right now," Russo says, pointing to both the Physical Security Interoperability Alliance and OASIS as organizations trying to further interoperability standards that would add convergence and make it worthwhile.

But to date, Flynn says he is only aware of a handful of large enterprises in the oil-and-gas industry, such as Chevron and Exxon, and pharmaceutical giants such as Pfizer, that have adopted converged smart cards for physical and logical security.

1.18.2010

Financial Security Solutions with Simons-Voss

Whether it is the system, an organization, or people, your world revolves around integrity and verified trust.
It used to be that a brass key was a powerful symbol of trust and protection, but in today's world most brass keys are easily duplicated and the locks that depend on them are easily fooled or bypassed. On top of that, managing these keys is expensive and the functionality of the keys is very low. Depending on mechanical keys to protect your responsibilities in today's world is like telling your customers that their mattress is a good place to keep their money.

Fortunately SimonsVoss has locks that are as sophisticated as today's financial instruments.
With a wide range of products for various applications you never need to modify the door or frame and yet you end up with a sophisticated electronic lock that can control access by time and day while tracking all usage. Even better, the credentials use an encrypted challenge-response wireless signal that cannot be duplicated or successfully recorded and replayed.

Important Concerns
  • High cost of frequent re-keying.
  • Keys are easily copied or duplicated.
  • No record of which key was used or when it was used.
  • No control of when keys may be used.
  • Aesthetics are important to provide a warm inviting atmosphere to customers.
  • Leased facilities, temporary needs for security.
  • ATM kiosks and small remote offices.
SimonsVoss Benefits
  • Re-keying accomplished with the click of a mouse.
  • Transponders are very hard to duplicate and very secure.
  • SimonsVoss locks provide an audit trail so you can see who used the lock and when that access was granted.
  • All SimonsVoss locks and credentials can be limited to specific times and/or days at your discretion.
  • SimonsVoss locks look like standard locks. No need to advertise your security precautions with big, ugly industrial-looking locks.
  • Remove the mechanical lock, apply the SimonsVoss solution. When the need is over replace the mechanical lock and use the SimonsVoss lock for the next need.
  • Standalone or networked, the SimonsVoss wireless solutions make it easy to implement solutions for these applications.

The best news of all is that these locks can be deployed one at a time as standalone solutions or combined under a centrally controlled network so you are not limited by applications that are too small or large to benefit from this solution.

Digital Mortise Cylinder

  • The Digital Mortise Cylinder puts electronic access control into the mortise cylinder. Now you can remove the mechanical mortise cylinder and replace it with a digital cylinder.







Digital RIM Cylinder: Exit Bar Outside Trim

  • The Digital RIM Cylinder puts electronic access control into the RIM cylinder. Now you can apply a digital lock cylinder in many applications where a RIM cylinder is required.






Digital Mortise Cylinder: Aluminum Frame Door Lock

  • This gives you control over who has access, when they have access, and can track that use for later reference. You can even remove access for a user without their credential being present.






Smart Relay: Mag Locks/Cabinets

  • Barriers, gates, rolling gates, automatic systems, revolving doors, elevators and alarm systems don't need to exist as separate entities.









SV1C Cylindrical Lock: Office Doors
 
  • The SimonsVoss SV1C Digital Cylindrical Lock can be applied anywhere a standard commercial cylindrical lock is used without additional holes or wires. 



 

1.07.2010

Scripting and the ISONAS System.

source: ISONAS

Script Programming supports Customized Actions
  • Is there a need to have your ISONAS system initiate multiple advanced actions under certain conditions?
  • Do you or your customers wish to receive email notifications when doors are left ajar or when ex-employees are attempting to re-enter the facilities?

These types of project requirements can easily be met through the Script Programming features application suite. Select the events you wish the system to monitor, and then specify what additional actions you would like the system to take when these events occur.



Schools Locking down their Facilities
 
A common use of Scripting is to configure the ISONAS system to place the exterior doors of a school into lock-down mode when the administrators of the school require it. Scripts can be initiated in many ways, including by the use of specified credentials, or through the activation of emergency mushroom buttons.

Additional common usages of scripting include the activation of the building's alarm system, or unlocking all entrances to a facility when a special event is beginning.



Email Notifications

Emails can be generated by the Crystal Matrix system, through the Scripting feature. Example uses of the email notifications would include being notified of a networking failure, or being notified of an after-hours attempt to enter the facility.








9.08.2009

ISONAS Is A Green Technology Product

ISONAS, the World Wide leader in IP Access Control Systems, recognizes the PowerNet™ as a Green Technology Product.

Green building is as much about design strategy as about selecting eco-friendly materials.


Integrated design is thinking about how a building works as a system, and designing that system to be environmentally friendly is a key part of green building. Certain products, particularly those that deal with energy, can be used in ways that enhance the environmental performance of a building. The ISONAS PowerNet™ Access Control System can be used in any building type, and through its BACNet and OPC interfaces can integrate seamlessly with Building Automation applications.
Reduced energy usage, which also reduces carbon dioxide emissions and your energy bill, is one of the most effective green strategies for business. The PowerNet IP Reader from ISONAS uses PoE (Power over Ethernet) to power the reader and the associated door hardware. This provides the lowest possible energy cost for powering an Access Control system.
Eco-friendly materials are used in the manufacturing of ISONAS Reader-Controllers. ISONAS is certified with RoHS, a standard banning the general use of six hazardous substances including lead and mercury. ISONAS has also taken the strategy of using green materials in its packaging and shipping of its products.
The smallest manufacturing carbon footprint of any Access Control system is made possible by the panel-free nature of the PowerNet series. Combined with a single Cat 5 cable for installation versus the multitude of copper wiring required by alternative Access Control systems, the ISONAS PowerNet is the cleanest, most sustainable Access Control system in the world.
Low impact manufacturing means that ISONAS creates inventory based on consumer demand. With the ability to access and analyze real-time demand signals, ISONAS is one of a growing number of companies moving from push to pull manufacturing. By nature, this not only eliminates excess inventory, thereby reducing waste, but it also decreases carbon emissions as it relates to the creation of products and materials.
No Paper Waste is the ISONAS philosophy. As an IP product manufacturer in the electronic age of technology, marketing materials as well as technical manuals are created electronically and posted on our website available to everyone in PDF form. By making technical manuals, marketing materials and catalogs easily accessible on our web site, ISONAS does not waste paper on needlessly printing excessive paper-based documents.
Localized Manufacturing: ISONAS is based in Boulder, CO, where its PowerNet Readers are manufactured for the North American market. Off-shoring models of the past are increasingly being replaced with more efficient "right-shoring" models, as the risks and costs associated with manufacturing at long distances from one's customers continue to surface. Longer lead times, increased fuel costs, larger carbon footprints and excess inventory are causing companies to re-examine where and how much they outsource. With the ability to analyze the various factors driving costs and environmental impacts, companies can create balanced plans that are both cost-effective and environmentally friendly. ISONAS is committed to manufacturing as close to its end user base as possible.

About ISONAS Security Systems, Inc.

Since 1999, ISONAS Security Systems has provided advanced, Internet Protocol (IP) Access Control solutions for customers who require the superior, real-time access control enabled by a true network appliance. ISONAS is the first and leading developer of IP-at-the-door reader-controllers. Driven by its Windows-based Crystal Matrix Software™, ISONAS products are easily integrated with other network based systems, providing the most advanced physical access security for buildings and workplaces worldwide, across a wide range of industrial applications.


Thanks for visiting Kondor Security and remember, if you can't find it at first glance, you're more than welcome to contact us.