Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
2/28/2017
10:00 AM
Vince Ricco
Vince Ricco
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Zones of Trust: A New Way of Thinking about IoT Security

Recent attacks have focused attention on how to safely add "things"to enterprise networks, a topic that straddles IT and physical security. A zones-of-trust approach may be the answer.

Last year, when attackers hacked into more than 25,000 Internet of Things (IoT) closed-circuit TV devices and used them in a denial-of-service botnet attack, this question was asked in boardrooms everywhere: What would happen if hackers stole my organization's surveillance video? This and other attacks on vulnerable IoT devices have put the focus on how we can safely add these devices to enterprise networks, a topic that involves both IT and physical security.

What's the Worst That Can Happen?
Before considering an IoT surveillance video implementation, answer these questions: Why are you recording the video in the first place? What will happen if it gets stolen? 

We can put recorded video data into a few different buckets:

  • Bucket 1: People can die if you don't have your video, or other very bad things can happen.
  • Bucket 2: Nothing life threatening, but not good. You might lose money. A business process may get disrupted.
  • Bucket 3: Not a big deal.

The potential life-threatening outcome of the first bucket may seem extreme, but imagine a nefarious individual or group that manipulates and studies stolen video to understand the daily patterns of a company's VIPs. This personnel monitoring could be to kidnap for ransom, or to find the right time or location to plant a virus or Trojan on a target's computer or mobile device.

Also consider what happens if video is hijacked, or the wrong people can see the live streams from your IoT cameras. What if your video is compromised and unusable? How will that affect your organization? These are the foundational questions you must ask to determine how much cyber protection you should apply to the physical security of your networked components. But how do you prioritize securing these resources?

Zones of Trust
Looking at the most current cybersecurity trends for traditional enterprise architecture as well as IoT deployments, the architectural focus is moving toward "zones of trust." This approach entails mapping, or prioritizing planning and resources in a ring of zones based on the critical nature of the networked resources. The most critical zone is one in which people and resources would be damaged or injured if there is a breach (cyber or physical). 

In the most critical zone (death or injury), cyber threats can target operational technology such as traffic lights or environmental systems. Cybersecurity must be at its strongest, and physical security such as video or access control and environmental sensors must be able to detect anomalous behavior to detect hacks as well as non-malicious failures.

The next zone could be one where a breach could cause serious financial hardship or a significant disruption in business operations. The next zones follow in terms of inconvenience, down toward the inconsequential. This helps to frame risk with assets. In this planning concept, there are significant overlaps between both physical security and cybersecurity.

On the cybersecurity side, much compromise is being tilted in favor of "ease of use" for networked resources over cybersecurity measures that may be inconvenient for users. We also see a similar trend with physical security, including video surveillance and access control. Organizations are reluctant to appear overly intrusive in day-to-day life at work, in retail settings, and even in the public sector, such as government facilities.

If you apply zones of trust to physical security, you first must look at the value of the various assets you're trying to protect. This could mean senior executives or people with access to critical systems via their cyber credentials. 

You also need to monitor people and systems from an audio, visual, and access control perspective. You're not looking for bad actors within your organizations, but people with the ability to unwittingly inject malware into your systems.

Next, look at personnel, and which zones they fit in in terms of their monetary and intellectual property value. What physical security resources and prioritization do you give to people, your most critical assets? What is the threat of physical harm? How do you protect against this in the environments you control?

Organizations can protect against edge device (for example, video) threats in a number of ways, including changing credentials from defaults; creating tiered access (such as view-only rights for monitoring access); and using credential-based access for servers and storage. In this manner, organizations can protect the device from becoming an attack point.

The Need to Prioritize Video Data
It's important for IT organizations to understand that video is valuable data. As more video server and storage resources have moved to the network edge, cameras are targeted by attackers who seek to infect a corporate network with a virus or Trojan. Video can provide detailed information about personnel, locations, and procedures that surround high-level assets. Video feeds can be disabled or manipulated, leaving security teams effectively blinded or confused, putting an organization at risk of physical threats.

It can also be used to monitor and capture online passwords and monitor behaviors to be mimicked (e.g., computer repair services) to get closer to targets. This can be used to gain entry in the guise of a known person.

Given how valuable video data is, IT organizations should make it a priority to look closely at how video data is transmitted and stored on their network. This includes looking at who has what access rights, how policies are being enforced, whether the system is deployed and maintained properly, and whether there are clear roles of ownership.

A cybersecurity threat analysis focused on your video data will help determine if your organization's video systems need to be more secure.

It will take careful planning and prioritization of resources to keep assets secure. By using zones of trust, your organization can ensure that the most critical assets have the highest levels of protection.

Related Content:

Vince Ricco serves as a business development manager for the Axis Technology Partner Program, Axis Communications, Inc. Mr. Ricco works with IT hardware providers to showcase the company's network video surveillance solutions and educate the IT industry on the ongoing ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment:   It's a PEN test of our cloud security.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5226
PUBLISHED: 2020-01-24
Cross-site scripting in SimpleSAMLphp before version 1.18.4. The www/erroreport.php script allows error reports to be submitted and sent to the system administrator. Starting with SimpleSAMLphp 1.18.0, a new SimpleSAML\Utils\EMail class was introduced to handle sending emails, implemented as a wrapp...
CVE-2019-1517
PUBLISHED: 2020-01-24
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
CVE-2019-1518
PUBLISHED: 2020-01-24
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
CVE-2019-1519
PUBLISHED: 2020-01-24
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
CVE-2019-1520
PUBLISHED: 2020-01-24
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.