IoT
2/28/2017
10:00 AM
Vince Ricco
Commentary

Zones of Trust: A New Way of Thinking about IoT Security

Recent attacks have focused attention on how to safely add "things" to enterprise networks, a topic that straddles IT and physical security. A zones-of-trust approach may be the answer.

Last year, when attackers hacked into more than 25,000 Internet of Things (IoT) closed-circuit TV devices and used them in a denial-of-service botnet attack, this question was asked in boardrooms everywhere: What would happen if hackers stole my organization's surveillance video? This and other attacks on vulnerable IoT devices have put the focus on how we can safely add these devices to enterprise networks, a topic that involves both IT and physical security.

What's the Worst That Can Happen?
Before considering an IoT surveillance video implementation, answer these questions: Why are you recording the video in the first place? What will happen if it gets stolen? 

We can put recorded video data into a few different buckets:

  • Bucket 1: People can die if you don't have your video, or other very bad things can happen.
  • Bucket 2: Nothing life threatening, but not good. You might lose money. A business process may get disrupted.
  • Bucket 3: Not a big deal.

The potential life-threatening outcome of the first bucket may seem extreme, but imagine a nefarious individual or group that studies stolen video to learn the daily patterns of a company's VIPs. That monitoring could support a kidnapping for ransom, or identify the right time and place to plant a virus or Trojan on a target's computer or mobile device.

Also consider what happens if video is hijacked, or the wrong people can see the live streams from your IoT cameras. What if your video is compromised and unusable? How will that affect your organization? These are the foundational questions you must ask to determine how much cyber protection your networked physical-security components need. But how do you prioritize securing these resources?

Zones of Trust
Looking at the most current cybersecurity trends for traditional enterprise architecture as well as IoT deployments, the architectural focus is moving toward "zones of trust." This approach maps networked resources into a ring of zones according to how critical they are, and prioritizes planning and resources accordingly. The most critical zone is the one in which people or assets would be harmed if there were a breach (cyber or physical).

In the most critical zone (death or injury), cyber threats can target operational technology such as traffic lights or environmental systems. Cybersecurity must be at its strongest here, and physical security such as video, access control, and environmental sensors must be able to detect anomalous behavior, whether it stems from an attack or from a non-malicious failure.

The next zone could be one where a breach could cause serious financial hardship or a significant disruption in business operations. Further zones follow, from inconvenience down to the inconsequential. This ties risk to specific assets. In this planning concept, there are significant overlaps between physical security and cybersecurity.

On the cybersecurity side, trade-offs are often tilted toward "ease of use" for networked resources and away from controls that may inconvenience users. We see a similar trend in physical security, including video surveillance and access control. Organizations are reluctant to appear overly intrusive in day-to-day life at work, in retail settings, and even in the public sector, such as government facilities.

If you apply zones of trust to physical security, you first must look at the value of the various assets you're trying to protect. This could mean senior executives or people with access to critical systems via their cyber credentials. 

You also need to monitor people and systems from an audio, visual, and access control perspective. You're not looking for bad actors within your organization so much as for people with the ability to unwittingly inject malware into your systems.

Next, look at personnel, and which zones they fall into in terms of their monetary and intellectual property value. What physical security resources and prioritization do you give to people, your most critical assets? What is the threat of physical harm? How do you protect against this in the environments you control?

Organizations can protect edge devices such as cameras in a number of ways: changing credentials from vendor defaults; creating tiered access (for example, view-only rights for monitoring staff); and requiring credential-based access to video servers and storage. Taken together, these measures keep the device from becoming an entry point into the network.
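The zone ranking described above and the three edge-device controls just listed can be turned into a simple inventory audit. The following Python is an added example, not code from the article or from any vendor: it assigns each camera a zone from the answer to "what is the worst that can happen?", checks the configuration for default credentials, a properly scoped view-only role, and authenticated storage access, and then orders remediation so the most critical zone is handled first. The device records, the default-credential list, the consequence labels, and the role names are constructed for the example.

```python
"""
Zones-of-trust audit for networked video devices.

Added example (not from the article or any vendor): classify each camera by
the worst-case consequence of a compromise, check its configuration against
the edge-device controls the article lists (non-default credentials, tiered
access, credential-based access to servers and storage), and order
remediation so the most critical zone is handled first. The device records,
the default-credential list and the role names are constructed for this
example.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Zone(IntEnum):
    """Ring of zones; a lower number is closer to the centre (more critical)."""
    LIFE_SAFETY = 1      # a breach could injure or kill
    BUSINESS = 2         # serious financial loss or operational disruption
    INCONVENIENCE = 3    # annoying but recoverable
    INCONSEQUENTIAL = 4  # not a big deal


# Answer to "what is the worst that can happen?" -> zone (constructed labels).
CONSEQUENCE_TO_ZONE = {
    "injury": Zone.LIFE_SAFETY,
    "financial": Zone.BUSINESS,
    "disruption": Zone.BUSINESS,
    "inconvenience": Zone.INCONVENIENCE,
    "none": Zone.INCONSEQUENTIAL,
}

# Hypothetical vendor defaults an attacker would try first.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", ""), ("admin", "12345"), ("root", "pass")}

# The only permissions a view-only monitoring role should hold.
VIEW_ONLY = frozenset({"view_live", "view_recorded"})


def classify(worst_case: str) -> Zone:
    """Unknown consequences fail closed into the most critical zone."""
    return CONSEQUENCE_TO_ZONE.get(worst_case, Zone.LIFE_SAFETY)


@dataclass
class Device:
    name: str
    worst_case: str
    username: str
    password: str
    roles: dict = field(default_factory=dict)  # role name -> set of permissions
    storage_requires_auth: bool = False        # recording server/NAS needs credentials


def audit(dev: Device):
    """Return (zone, findings) for one device; an empty list means no findings."""
    findings = []
    if (dev.username, dev.password) in DEFAULT_CREDENTIALS:
        findings.append("default credentials in use")
    monitor = dev.roles.get("monitor")
    if monitor is None:
        findings.append("no view-only monitoring role")
    elif set(monitor) - VIEW_ONLY:
        extra = ", ".join(sorted(set(monitor) - VIEW_ONLY))
        findings.append(f"monitoring role holds non-view rights: {extra}")
    if not dev.storage_requires_auth:
        findings.append("recording server/storage accepts unauthenticated access")
    return classify(dev.worst_case), findings


def authorize(dev: Device, role: str, action: str) -> bool:
    """Tiered access: deny unless the role explicitly holds the action."""
    return action in dev.roles.get(role, set())


def prioritize(devices):
    """Remediation order: most critical zone first, then the most findings."""
    audited = [(dev.name, *audit(dev)) for dev in devices]
    return sorted(audited, key=lambda row: (row[1], -len(row[2])))


# Constructed sample inventory.
SAMPLE_DEVICES = [
    Device("lobby-cam-01", "inconvenience", "admin", "admin",
           roles={"monitor": set(VIEW_ONLY), "admin": set(VIEW_ONLY) | {"configure", "export"}},
           storage_requires_auth=True),
    Device("exec-entrance-cam-07", "injury", "secops", "N0t-a-d3fault!",
           roles={"monitor": set(VIEW_ONLY) | {"export"}},
           storage_requires_auth=False),
    Device("loading-dock-cam-03", "financial", "svc-video", "Xk9$long-random",
           roles={"monitor": set(VIEW_ONLY), "admin": set(VIEW_ONLY) | {"configure"}},
           storage_requires_auth=True),
]


if __name__ == "__main__":
    for name, zone, findings in prioritize(SAMPLE_DEVICES):
        print(f"[{zone.name}] {name}: {'; '.join(findings) or 'no findings'}")
```

Note that the camera with the weakest configuration (default credentials on the lobby camera) is not the first thing to fix: the executive-entrance camera sits in the life-safety zone, so its export-capable monitoring role and unauthenticated storage come first. That ordering by consequence rather than by raw finding count is the point of the zones-of-trust approach.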

The Need to Prioritize Video Data
It's important for IT organizations to understand that video is valuable data. As more video server and storage resources have moved to the network edge, cameras have become targets for attackers seeking a foothold from which to infect the corporate network with a virus or Trojan. Video can provide detailed information about personnel, locations, and procedures that surround high-level assets. Video feeds can be disabled or manipulated, leaving security teams effectively blinded or confused and putting an organization at risk of physical threats.

Video can also be used to capture passwords as they are typed, and to study routines that can be mimicked (for example, a computer repair visit) to get closer to targets and gain entry in the guise of a known person.

Given how valuable video data is, IT organizations should make it a priority to look closely at how video data is transmitted and stored on their network. This includes looking at who has what access rights, how policies are being enforced, whether the system is deployed and maintained properly, and whether there are clear roles of ownership.

A cybersecurity threat analysis focused on your video data will help determine if your organization's video systems need to be more secure.

It will take careful planning and prioritization of resources to keep assets secure. By using zones of trust, your organization can ensure that the most critical assets have the highest levels of protection.

Vince Ricco serves as a business development manager for the Axis Technology Partner Program, Axis Communications, Inc. Mr. Ricco works with IT hardware providers to showcase the company's network video surveillance solutions and educate the IT industry on the ongoing ... View Full Bio
 
