Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
2/28/2017
10:00 AM
Vince Ricco
Vince Ricco
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Zones of Trust: A New Way of Thinking about IoT Security

Recent attacks have focused attention on how to safely add "things"to enterprise networks, a topic that straddles IT and physical security. A zones-of-trust approach may be the answer.

Last year, when attackers hacked into more than 25,000 Internet of Things (IoT) closed-circuit TV devices and used them in a denial-of-service botnet attack, this question was asked in boardrooms everywhere: What would happen if hackers stole my organization's surveillance video? This and other attacks on vulnerable IoT devices have put the focus on how we can safely add these devices to enterprise networks, a topic that involves both IT and physical security.

What's the Worst That Can Happen?
Before considering an IoT surveillance video implementation, answer these questions: Why are you recording the video in the first place? What will happen if it gets stolen? 

We can put recorded video data into a few different buckets:

  • Bucket 1: People can die if you don't have your video, or other very bad things can happen.
  • Bucket 2: Nothing life threatening, but not good. You might lose money. A business process may get disrupted.
  • Bucket 3: Not a big deal.

The potential life-threatening outcome of the first bucket may seem extreme, but imagine a nefarious individual or group that manipulates and studies stolen video to understand the daily patterns of a company's VIPs. This personnel monitoring could be to kidnap for ransom, or to find the right time or location to plant a virus or Trojan on a target's computer or mobile device.

Also consider what happens if video is hijacked, or the wrong people can see the live streams from your IoT cameras. What if your video is compromised and unusable? How will that affect your organization? These are the foundational questions you must ask to determine how much cyber protection you should apply to the physical security of your networked components. But how do you prioritize securing these resources?

Zones of Trust
Looking at the most current cybersecurity trends for traditional enterprise architecture as well as IoT deployments, the architectural focus is moving toward "zones of trust." This approach entails mapping, or prioritizing planning and resources in a ring of zones based on the critical nature of the networked resources. The most critical zone is one in which people and resources would be damaged or injured if there is a breach (cyber or physical). 

In the most critical zone (death or injury), cyber threats can target operational technology such as traffic lights or environmental systems. Cybersecurity must be at its strongest, and physical security such as video or access control and environmental sensors must be able to detect anomalous behavior to detect hacks as well as non-malicious failures.

The next zone could be one where a breach could cause serious financial hardship or a significant disruption in business operations. The next zones follow in terms of inconvenience, down toward the inconsequential. This helps to frame risk with assets. In this planning concept, there are significant overlaps between both physical security and cybersecurity.

On the cybersecurity side, much compromise is being tilted in favor of "ease of use" for networked resources over cybersecurity measures that may be inconvenient for users. We also see a similar trend with physical security, including video surveillance and access control. Organizations are reluctant to appear overly intrusive in day-to-day life at work, in retail settings, and even in the public sector, such as government facilities.

If you apply zones of trust to physical security, you first must look at the value of the various assets you're trying to protect. This could mean senior executives or people with access to critical systems via their cyber credentials. 

You also need to monitor people and systems from an audio, visual, and access control perspective. You're not looking for bad actors within your organizations, but people with the ability to unwittingly inject malware into your systems.

Next, look at personnel, and which zones they fit in in terms of their monetary and intellectual property value. What physical security resources and prioritization do you give to people, your most critical assets? What is the threat of physical harm? How do you protect against this in the environments you control?

Organizations can protect against edge device (for example, video) threats in a number of ways, including changing credentials from defaults; creating tiered access (such as view-only rights for monitoring access); and using credential-based access for servers and storage. In this manner, organizations can protect the device from becoming an attack point.

The Need to Prioritize Video Data
It's important for IT organizations to understand that video is valuable data. As more video server and storage resources have moved to the network edge, cameras are targeted by attackers who seek to infect a corporate network with a virus or Trojan. Video can provide detailed information about personnel, locations, and procedures that surround high-level assets. Video feeds can be disabled or manipulated, leaving security teams effectively blinded or confused, putting an organization at risk of physical threats.

It can also be used to monitor and capture online passwords and monitor behaviors to be mimicked (e.g., computer repair services) to get closer to targets. This can be used to gain entry in the guise of a known person.

Given how valuable video data is, IT organizations should make it a priority to look closely at how video data is transmitted and stored on their network. This includes looking at who has what access rights, how policies are being enforced, whether the system is deployed and maintained properly, and whether there are clear roles of ownership.

A cybersecurity threat analysis focused on your video data will help determine if your organization's video systems need to be more secure.

It will take careful planning and prioritization of resources to keep assets secure. By using zones of trust, your organization can ensure that the most critical assets have the highest levels of protection.

Related Content:

Vince Ricco serves as a business development manager for the Axis Technology Partner Program, Axis Communications, Inc. Mr. Ricco works with IT hardware providers to showcase the company's network video surveillance solutions and educate the IT industry on the ongoing ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.