WATCH: Preview of the ‘cyber crime and cybersecurity’ seminar at IFSEC 2018

FUTURE OF SECURITY THEATRE

Peter Mason, lead IP tutor from Tavcom Training, previews his cyber crime and cybersecurity seminar at IFSEC International 2018.

His talk in the Future of Security Theatre, powered by Tavcom and sponsored by Panasonic, will provide examples of prominent cyber-attacks as well as look at ways to keep your identity and networks safe. He will also cover UPS, encryption and IP Version 6. Peter Mason will discuss 'Cyber crime & security' on each of the three days of IFSEC International 2018:

  • 19 June - 13:40-14:10
  • 20 June - 13:40-14:10
  • 21 June - 14:20-14:50

IFSEC International takes place between 19-21 June 2018, ExCeL London. Register now.

Join IFSEC Global live at Europe's only dedicated integrated security event. Register for free. Meet over 600 exhibitors, test more than 10,000 of the latest security products, and discover best practice and future trends in an unrivaled seminar programme.

Highlights include:

  • Frank Gardner to chair the Keynote Arena
  • Former US Secretary of Homeland Security to take Keynote stage
  • Live attack testing in the LPCB/BRE Global Attack Zone
  • Your chance to get hands on with the latest security innovations thanks to the brand new Show Me How feature
Register for free today.

How to harden your hardware cybersecurity

Our comprehension of cybersecurity is based around the global internet where software attacks threaten our working days and everyday lives.

What we fail to relate cybersecurity to is the threat to autonomous computer networks, where a third party physically breaks into a system via its infrastructure devices. By their nature, IP security and surveillance networks place physical network connections in both secure and unsecured locations. Vulnerable positioning gives the would-be attacker ample opportunity, so due care and attention must be paid to equipment protection.

However, installers must also treat secure sites in exactly the same way. The point of attack could originate from a source fully entitled to be within an area. No chances can be taken.

An Ethernet network comprises both active equipment (which needs electrical power to operate) and passive equipment (which does not). Active equipment includes Ethernet switches and media converters; here we are focusing on Layer 2 Ethernet switches, which switch on MAC addresses, not Layer 3 devices that can switch on IP or MAC address. Passive equipment is a combination of cables, connectors and management such as cabinets, which might also house additional active equipment, for example environmental conditioning and monitoring systems. The security threat to the network at this level comes from a third party physically connecting to the active network devices, or removing an edge device from the network and attaching unauthorised equipment in its place.

The connection could be to an optical port, but that would require the third party to have the correct optical interface. So for opportunistic reasons, it tends to be a connection via an electrical interface. Electrical Ethernet ports are based around an industry standard, so connecting to these is relatively simple and as every laptop today has such a connection, the probable weapon of attack is readily available.

Active equipment defence

Ethernet switches are available in managed or unmanaged forms, where the managed platform has many more features and allows the user to configure and remotely monitor the device.

The unmanaged unit has no such facilities; it simply does the basic job based on its shipped configuration. Media converters tend to be in an unmanaged format only. Where security is concerned, managed units offer a number of facilities to prevent unauthorised entry to the network, whereas unmanaged forms do not. Managed Ethernet switches should therefore be used throughout your network.

It tends to be the case that the simplest features offer the best security, and that holds for managed Ethernet switches. The ability to disable, through the management interface, a switch port that is not being used in the current network configuration might seem an obvious security feature, but it is one that a lot of network operators fail to employ and may not even know exists on their devices.

The rules, as you can imagine, are straightforward: if the port is not being used, then disable it, so no unwarranted party can plug directly in to your network. If the port needs to be used for legitimate traffic in the future, then simply open it via the management system.
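One way to check this rule across a switch, as an added example that is not from the original article or any vendor's tooling: it compares polled port state with an inventory of the ports the network design actually uses. The port names, poll results and inventory are constructed; the status codes are the IF-MIB values for ifAdminStatus and ifOperStatus.

```python
# Added example: audit switch ports against an approved-use inventory.
# Status codes follow IF-MIB: ifAdminStatus / ifOperStatus 1 = up, 2 = down.
UP, DOWN = 1, 2

# Constructed poll result: (port, ifAdminStatus, ifOperStatus)
POLLED = [
    ("port1", UP, UP),      # camera uplink, in use
    ("port2", UP, DOWN),    # approved, but the link is down
    ("port3", UP, DOWN),    # spare port left enabled
    ("port4", DOWN, DOWN),  # spare port correctly disabled
    ("port5", UP, UP),      # link on a port nobody approved
]
# Constructed inventory of ports the current network design uses.
APPROVED = {"port1", "port2"}


def audit_ports(polled, approved):
    """Return a list of (severity, port, finding), most severe first."""
    findings = []
    for port, admin, oper in polled:
        if port not in approved and admin == UP and oper == UP:
            findings.append(("high", port, "link up on unapproved port"))
        elif port not in approved and admin == UP:
            findings.append(("medium", port, "unused port left enabled"))
        elif port in approved and admin == UP and oper != UP:
            findings.append(("medium", port, "approved port has lost link"))
        elif port in approved and admin != UP:
            findings.append(("low", port, "approved port is disabled"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


if __name__ == "__main__":
    for severity, port, finding in audit_ports(POLLED, APPROVED):
        print(f"{severity:6} {port}: {finding}")
```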

And while we're talking about the simplest features being the best, the default username and password that every managed Ethernet switch is shipped with, to enable you to gain access, should be changed to a username and password commensurate with your security policy. There is no point in applying all this security if it could be changed by our attacker connecting to the comms port of the switch (the serial data comms port that allows local access to management configuration once a correct username and password are entered) and gaining access simply by reading the manual!

Once a link has been established between two active units in the network, a LINK acknowledgement (normally an LED indication) is generated, and it is dropped immediately when the link is broken.

This simple Layer 1 hardware-based trigger has been utilised by ComNet in their unique Port Guardian feature and can be used to shut a port down on the basis that a loss of link is a potential attack. The feature can be further expanded to shut down ports in the event that power is lost to the active device, just in case our attacker has the smart idea of switching connections once the switch is powered down. If any units are deployed in unsecured locations, then the port receiving communications from that site should be activated with this feature to counter link breaks in these areas.
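The lockout behaviour described above, modelled as an added example (not ComNet's implementation and not code from the article): ports serving unsecured locations stay blocked after a loss of link or power until an operator re-enables them. The port names, the event log, and the `powerLoss` and `operator_enable` event names are assumptions; `linkDown` and `linkUp` are the standard IF-MIB notification names.

```python
# Added example: link-loss lockout replayed over link events.
# Models the behaviour described in the text; it is not ComNet's code.
# Port names, the event tuples and two of the event names are assumptions.

GUARDED = {"port7"}  # ports fed from unsecured locations (constructed)

# Constructed event log: (seconds, port, event).
EVENTS = [
    (100, "port2", "linkDown"),         # unguarded port, ordinary flap
    (104, "port2", "linkUp"),
    (300, "port7", "linkDown"),         # cable pulled at a roadside cabinet
    (312, "port7", "linkUp"),           # something is plugged back in
    (900, "port7", "operator_enable"),  # operator re-opens after inspection
    (950, "port7", "powerLoss"),        # switch loses power
    (980, "port7", "linkUp"),
]


def replay(events, guarded):
    """Return (forwarding state per port, alerts) after replaying events."""
    link, locked, alerts = {}, set(), []
    for ts, port, event in sorted(events):
        if event in ("linkDown", "powerLoss"):
            link[port] = False
            if port in guarded and port not in locked:
                locked.add(port)
                alerts.append((ts, port, f"locked on {event}"))
        elif event == "linkUp":
            link[port] = True
            if port in locked:
                alerts.append((ts, port, "link returned on locked port"))
        elif event == "operator_enable":
            # Only a management action clears the lock, never a new link.
            locked.discard(port)
        else:
            raise ValueError(f"unknown event {event!r}")
    # A port forwards traffic only if it has link and is not locked.
    forwarding = {p: up and p not in locked for p, up in link.items()}
    return forwarding, alerts


if __name__ == "__main__":
    state, alerts = replay(EVENTS, GUARDED)
    print(state)
    for alert in alerts:
        print(alert)
```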

Passive equipment security

Security should be applied to the passive components of the network as well as the active ones.

How many times have you walked along the pavement and observed the door of a utilities company street cabinet hanging off, or even the access flap open on a lamppost?

The reason is that, in most cases, the system owner or operator has no idea that the door of their cabinet is open and their system is not secure! If any part of the network is housed within an enclosure, some form of sensor must be on the door to tell you if it is open or closed. If the door is open and you are not aware of it, you provide an easy target for any attacker and, at the same time, allow the elements to damage your enclosed equipment.

And remember, it doesn't just need to be active equipment. If the enclosure simply houses cable management, that could be an opportunity to break in to the network. This requirement is an absolute must in unsecured locations!

Conclusion

To guard against attacks, managed Ethernet switches should always be used as the active building blocks of the network as they offer the maximum level of security when configured correctly.

Managed units will also provide users with the ability to remotely control and monitor network devices, and will generate automatic warning signals if an issue arises. Any managed Ethernet switch must be configured based on the security levels and operational requirements of the site to ensure correct operation. Those who ignore the basics of network security and opt instead for cheaper, unmanaged devices are exposing their networks to the risk of hackers, who can very quickly turn a sophisticated security network to their own advantage.

And with the safety and protection of critical infrastructure, data and communications at stake, are you prepared to take that risk? It seems an irresponsible risk to take.

IFSEC International takes place between 19-21 June 2018, ExCeL London. If you want to visit ComNet and discuss more about cybersecurity and securing edge devices, register here and visit them at stand E420.

Digital-based companies – here’s your cybersecurity and GDPR checklist  

Are you taking the right steps for your businesses online safety and compliance?

GDPR, or General Data Protection Regulation, is a term that you will likely have heard in recent times. But not without reason. The GDPR comes into effect on the 25th of May, which isn't too far away now.

And that should raise the question: 'Are you and your business GDPR safe?' I'll back up a little bit. The GDPR is in place to make sure that all EU internet users' data and personal information is safe and not misused.

That's it in a nutshell. And, it might sound simple enough, but there's really a lot more to it than that.

Is the data secure? Is it safe from external attacks? Is it safe from internal breaches?

How did you get this data? Does the person know you have it? What do you plan on doing with it?

The list goes on. However, there are a few more fundamental factors that, if adhered to, will ensure that you are on the straight and narrow. By following the checklist below, you should safeguard yourself from any potential GDPR mishaps and any latent cybersecurity issues.

How did you get the data?

Let's start with the basics - how did you come to be in possession of this data or personal information?

If it came from a form on your site, or an email sign up, or an app download - great. This is above board as it was the users' choice to give you the data. However, if you got it through other means where the user didn't fill out a form etc. then you probably shouldn't have it, and you should really report where you got it from.

Does the user know you have their data?

Okay, they filled in a form, or downloaded an app etc. and filled in their personal information, but did they know that you were planning on keeping it?

Was it clearly labelled on the site or the form or the app that you would be keeping this information? If it was, again, great. If not, then, you will have to let these people know that you kept their data, and confirm with them that it's okay to continue to do so.

What do you plan on doing with it?

And do they know?

This data and information that you've legitimately gathered - what's your goal for it? Are you going to be using it to populate an email list? Use it for retargeting purposes on social media?

Are you going to be cold calling them during tea-time? While I really, really hope it's not the last one, whatever your intentions are for the data, the user, again, needs to have agreed that it's okay for you to do so. If not, you're not GDPR friendly.

How is it being stored and processed?

All this data and information - where is it being stored?

Is it just sitting in an Excel spreadsheet on your company server? Or is it in sectioned and separated, encrypted files that only privileged users can access? I think it's obvious which one it should be.

If you're making physical copies, for internal use, obviously, what's happening to these afterwards? Are they just getting thrown in the trash? Or are they being shredded or removed by a registered secure data company?

How long are you planning on storing it?

One thing that many companies have been bringing up since the announcement of the GDPR changes, is that they don't really tell users how long their data is going to be stored for.

On the face of it, it doesn't seem like a big deal. But - you guessed it - it is! If you're keeping data for a limited campaign, you must let the person know while they are submitting their information.

If you're just planning on keeping it indefinitely, they must also agree to this, too.

Does site policy messaging clearly inform of your intent?

Now, all the above just relates to the information you already have from users you already know. But, with the changes coming up, you need to make sure that everything is above board from the get-go. So, if any of your messaging on policy, or your forms, or downloads already didn't inform the user of all of the above, you need to make sure it does before the 25th of May.

Do you have external safeguards in place?

While safety and GDPR compliance starts with you and your business, you cannot forget to have proper, external security measures in place.

Ransomware, malware, phishing scams, trojans, spyware, worms - even fake news! These are just some of the ways in which your site, and, in turn, your data can be attacked and breached. There are many ways in which cybersecurity can help prevent these.

Do your research and make sure you are protected.

Do you have internal safeguards in place?

As much as external threats can cause issues, internal threats are also a problem. Unlike external attacks, they are most likely not malicious; often it is just human error. But they still crop up.

Make sure your user access control is up to date, so that only people who are allowed to access and process certain data can access and process it. Make sure everyone's email efficiency is also up to speed to decrease the chances of the wrong information being sent to the wrong person. Little things, but they can have big consequences.

Have you/your staff undertaken cybersecurity training?

As part of your internal safeguarding, conducting cybersecurity training with your organisation to make sure you're taking the right steps certainly won't do any harm.

While you can read up on GDPR until your eyes hurt, and check off as many checklists as you can get your hands on, it won't guarantee that you're 100% safe. Every business is different, and, these regulations will affect each one differently. Play it safe, if possible, and make sure that your workforce, and yourself, are as up to speed as possible.

Even if this does involve large-scale training.

Have all third parties been vetted?

If you work with third parties, whether they be a supplier or a contractor, you need to make sure that they are adhering to all of the above, just like you. It's no use to anyone if you and yours are 100% GDPR-compliant and have great cybersecurity knowledge, only for your freelance copywriter to mess things up. If they are not educated, make it your personal goal to do so.

Make sure they know what they are liable for, and what the consequences would be if they were not to stick to your stipulations.

Join IFSEC 2018 for the cyber security "must know information"

As physical security systems and building management tools become increasingly connected and IoT enabled, the risk of cyber-attacks only increases, and traditional security professionals need to turn to cyber solutions in order to effectively secure their physical assets.

Hear from cyber experts, as well as the traditional security professionals who have innovated with IT protection.

19-21 June 2018, ExCeL, London. Register for free.
