IoT
2/28/2017
10:00 AM
Vince Ricco
Commentary

Zones of Trust: A New Way of Thinking about IoT Security

Recent attacks have focused attention on how to safely add "things" to enterprise networks, a topic that straddles IT and physical security. A zones-of-trust approach may be the answer.

Last year, when attackers hacked into more than 25,000 Internet of Things (IoT) closed-circuit TV devices and used them in a denial-of-service botnet attack, this question was asked in boardrooms everywhere: What would happen if hackers stole my organization's surveillance video? This and other attacks on vulnerable IoT devices have put the focus on how we can safely add these devices to enterprise networks, a topic that involves both IT and physical security.

What's the Worst That Can Happen?
Before considering an IoT surveillance video implementation, answer these questions: Why are you recording the video in the first place? What will happen if it gets stolen? 

We can put recorded video data into a few different buckets:

  • Bucket 1: People can die if you don't have your video, or other very bad things can happen.
  • Bucket 2: Nothing life threatening, but not good. You might lose money. A business process may get disrupted.
  • Bucket 3: Not a big deal.

The potential life-threatening outcome of the first bucket may seem extreme, but imagine a nefarious individual or group that manipulates and studies stolen video to understand the daily patterns of a company's VIPs. The aim of this personnel monitoring could be to kidnap for ransom, or to find the right time or location to plant a virus or Trojan on a target's computer or mobile device.

Also consider what happens if video is hijacked, or the wrong people can see the live streams from your IoT cameras. What if your video is compromised and unusable? How will that affect your organization? These are the foundational questions you must ask to determine how much cyber protection you should apply to the physical security of your networked components. But how do you prioritize securing these resources?

Zones of Trust
Looking at the most current cybersecurity trends for traditional enterprise architecture as well as IoT deployments, the architectural focus is moving toward "zones of trust." This approach entails mapping, or prioritizing planning and resources in a ring of zones based on the critical nature of the networked resources. The most critical zone is one in which people and resources would be damaged or injured if there is a breach (cyber or physical). 

In the most critical zone (death or injury), cyber threats can target operational technology such as traffic lights or environmental systems. Cybersecurity must be at its strongest, and physical security such as video or access control and environmental sensors must be able to detect anomalous behavior in order to catch hacks as well as non-malicious failures.

The next zone could be one where a breach could cause serious financial hardship or a significant disruption in business operations. The next zones follow in terms of inconvenience, down toward the inconsequential. This helps to frame risk with assets. In this planning concept, there are significant overlaps between both physical security and cybersecurity.

On the cybersecurity side, the balance is often tilted in favor of "ease of use" for networked resources over cybersecurity measures that may be inconvenient for users. We also see a similar trend with physical security, including video surveillance and access control. Organizations are reluctant to appear overly intrusive in day-to-day life at work, in retail settings, and even in the public sector, such as government facilities.

If you apply zones of trust to physical security, you first must look at the value of the various assets you're trying to protect. This could mean senior executives or people with access to critical systems via their cyber credentials. 

You also need to monitor people and systems from an audio, visual, and access control perspective. You're not looking for bad actors within your organizations, but people with the ability to unwittingly inject malware into your systems.

Next, look at personnel, and which zones they fit into in terms of their monetary and intellectual property value. What physical security resources and prioritization do you give to people, your most critical assets? What is the threat of physical harm? How do you protect against this in the environments you control?

Organizations can protect against edge device (for example, video) threats in a number of ways, including changing credentials from defaults; creating tiered access (such as view-only rights for monitoring access); and using credential-based access for servers and storage. In this manner, organizations can protect the device from becoming an attack point.
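
One way to turn these three checks into a repeatable audit ordered by zone of trust, as an added example that is not from the original article. The inventory, field names, account names and zone numbering (1 = most critical) are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Zone numbers follow the article's buckets; 1 is the most critical (assumed numbering).
ZONES = {1: "life safety", 2: "financial or operational", 3: "minor"}

@dataclass
class Account:
    user: str
    purpose: str  # "monitoring" or "administration"
    role: str     # "view" or "admin"

@dataclass
class Camera:
    name: str
    zone: int
    default_creds_changed: bool
    storage_needs_credentials: bool
    accounts: list

def audit(cam):
    """Return findings for the three controls named in the paragraph above."""
    findings = []
    if not cam.default_creds_changed:
        findings.append("default credentials not changed")
    for acct in cam.accounts:
        # Tiered access: monitoring staff should hold view-only rights.
        if acct.purpose == "monitoring" and acct.role != "view":
            findings.append(f"monitoring account '{acct.user}' has {acct.role} rights")
    if not cam.storage_needs_credentials:
        findings.append("server/storage reachable without credentials")
    return findings

def prioritized_findings(cameras):
    """Sort findings so the most critical zone is remediated first."""
    return sorted((c.zone, c.name, f) for c in cameras for f in audit(c))

# Constructed sample inventory (hypothetical devices and accounts).
INVENTORY = [
    Camera("lobby-cam", 3, False, True, [Account("frontdesk", "monitoring", "view")]),
    Camera("exec-floor-cam", 1, True, True,
           [Account("soc", "monitoring", "admin"),
            Account("itadmin", "administration", "admin")]),
    Camera("warehouse-cam", 2, True, False, [Account("guard", "monitoring", "view")]),
]

if __name__ == "__main__":
    for zone, name, finding in prioritized_findings(INVENTORY):
        print(f"zone {zone} ({ZONES[zone]}): {name}: {finding}")
```
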

The Need to Prioritize Video Data
It's important for IT organizations to understand that video is valuable data. As more video server and storage resources have moved to the network edge, cameras are targeted by attackers who seek to infect a corporate network with a virus or Trojan. Video can provide detailed information about personnel, locations, and procedures that surround high-level assets. Video feeds can be disabled or manipulated, leaving security teams effectively blinded or confused, putting an organization at risk of physical threats.

It can also be used to monitor and capture online passwords and monitor behaviors to be mimicked (e.g., computer repair services) to get closer to targets. This can be used to gain entry in the guise of a known person.

Given how valuable video data is, IT organizations should make it a priority to look closely at how video data is transmitted and stored on their network. This includes looking at who has what access rights, how policies are being enforced, whether the system is deployed and maintained properly, and whether there are clear roles of ownership.

A cybersecurity threat analysis focused on your video data will help determine if your organization's video systems need to be more secure.

It will take careful planning and prioritization of resources to keep assets secure. By using zones of trust, your organization can ensure that the most critical assets have the highest levels of protection.

Vince Ricco serves as a business development manager for the Axis Technology Partner Program, Axis Communications, Inc. Mr. Ricco works with IT hardware providers to showcase the company's network video surveillance solutions and educate the IT industry on the ongoing ...