Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
2/28/2017
10:00 AM
Vince Ricco
Vince Ricco
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Zones of Trust: A New Way of Thinking about IoT Security

Recent attacks have focused attention on how to safely add "things"to enterprise networks, a topic that straddles IT and physical security. A zones-of-trust approach may be the answer.

Last year, when attackers hacked into more than 25,000 Internet of Things (IoT) closed-circuit TV devices and used them in a denial-of-service botnet attack, this question was asked in boardrooms everywhere: What would happen if hackers stole my organization's surveillance video? This and other attacks on vulnerable IoT devices have put the focus on how we can safely add these devices to enterprise networks, a topic that involves both IT and physical security.

What's the Worst That Can Happen?
Before considering an IoT surveillance video implementation, answer these questions: Why are you recording the video in the first place? What will happen if it gets stolen? 

We can put recorded video data into a few different buckets:

  • Bucket 1: People can die if you don't have your video, or other very bad things can happen.
  • Bucket 2: Nothing life threatening, but not good. You might lose money. A business process may get disrupted.
  • Bucket 3: Not a big deal.

The potential life-threatening outcome of the first bucket may seem extreme, but imagine a nefarious individual or group that manipulates and studies stolen video to understand the daily patterns of a company's VIPs. This personnel monitoring could be to kidnap for ransom, or to find the right time or location to plant a virus or Trojan on a target's computer or mobile device.

Also consider what happens if video is hijacked, or the wrong people can see the live streams from your IoT cameras. What if your video is compromised and unusable? How will that affect your organization? These are the foundational questions you must ask to determine how much cyber protection you should apply to the physical security of your networked components. But how do you prioritize securing these resources?

Zones of Trust
Looking at the most current cybersecurity trends for traditional enterprise architecture as well as IoT deployments, the architectural focus is moving toward "zones of trust." This approach entails mapping, or prioritizing planning and resources in a ring of zones based on the critical nature of the networked resources. The most critical zone is one in which people and resources would be damaged or injured if there is a breach (cyber or physical). 

In the most critical zone (death or injury), cyber threats can target operational technology such as traffic lights or environmental systems. Cybersecurity must be at its strongest, and physical security such as video or access control and environmental sensors must be able to detect anomalous behavior to detect hacks as well as non-malicious failures.

The next zone could be one where a breach could cause serious financial hardship or a significant disruption in business operations. The next zones follow in terms of inconvenience, down toward the inconsequential. This helps to frame risk with assets. In this planning concept, there are significant overlaps between both physical security and cybersecurity.

On the cybersecurity side, much compromise is being tilted in favor of "ease of use" for networked resources over cybersecurity measures that may be inconvenient for users. We also see a similar trend with physical security, including video surveillance and access control. Organizations are reluctant to appear overly intrusive in day-to-day life at work, in retail settings, and even in the public sector, such as government facilities.

If you apply zones of trust to physical security, you first must look at the value of the various assets you're trying to protect. This could mean senior executives or people with access to critical systems via their cyber credentials. 

You also need to monitor people and systems from an audio, visual, and access control perspective. You're not looking for bad actors within your organizations, but people with the ability to unwittingly inject malware into your systems.

Next, look at personnel, and which zones they fit in in terms of their monetary and intellectual property value. What physical security resources and prioritization do you give to people, your most critical assets? What is the threat of physical harm? How do you protect against this in the environments you control?

Organizations can protect against edge device (for example, video) threats in a number of ways, including changing credentials from defaults; creating tiered access (such as view-only rights for monitoring access); and using credential-based access for servers and storage. In this manner, organizations can protect the device from becoming an attack point.

The Need to Prioritize Video Data
It's important for IT organizations to understand that video is valuable data. As more video server and storage resources have moved to the network edge, cameras are targeted by attackers who seek to infect a corporate network with a virus or Trojan. Video can provide detailed information about personnel, locations, and procedures that surround high-level assets. Video feeds can be disabled or manipulated, leaving security teams effectively blinded or confused, putting an organization at risk of physical threats.

It can also be used to monitor and capture online passwords and monitor behaviors to be mimicked (e.g., computer repair services) to get closer to targets. This can be used to gain entry in the guise of a known person.

Given how valuable video data is, IT organizations should make it a priority to look closely at how video data is transmitted and stored on their network. This includes looking at who has what access rights, how policies are being enforced, whether the system is deployed and maintained properly, and whether there are clear roles of ownership.

A cybersecurity threat analysis focused on your video data will help determine if your organization's video systems need to be more secure.

It will take careful planning and prioritization of resources to keep assets secure. By using zones of trust, your organization can ensure that the most critical assets have the highest levels of protection.

Related Content:

Vince Ricco serves as a business development manager for the Axis Technology Partner Program, Axis Communications, Inc. Mr. Ricco works with IT hardware providers to showcase the company's network video surveillance solutions and educate the IT industry on the ongoing ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Cybersecurity Team Holiday Guide: 2019 Gag Gift Edition
Ericka Chickowski, Contributing Writer,  12/2/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19647
PUBLISHED: 2019-12-09
radare2 through 4.0.0 lacks validation of the content variable in the function r_asm_pseudo_incbin at libr/asm/asm.c, ultimately leading to an arbitrary write. This allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted input.
CVE-2019-19648
PUBLISHED: 2019-12-09
In the macho_parse_file functionality in macho/macho.c of YARA 3.11.0, command_size may be inconsistent with the real size. A specially crafted MachO file can cause an out-of-bounds memory access, resulting in Denial of Service (application crash) or potential code execution.
CVE-2019-19642
PUBLISHED: 2019-12-08
On SuperMicro X8STi-F motherboards with IPMI firmware 2.06 and BIOS 02.68, the Virtual Media feature allows OS Command Injection by authenticated attackers who can send HTTP requests to the IPMI IP address. This requires a POST to /rpc/setvmdrive.asp with shell metacharacters in ShareHost or ShareNa...
CVE-2019-19637
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is an integer overflow in the function sixel_decode_raw_impl at fromsixel.c.
CVE-2019-19638
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is a heap-based buffer overflow in the function load_pnm at frompnm.c, due to an integer overflow.