A brave new world

Published in Features
“We are in a brave new world of security threats”
By Dan McDuffie, CEO Wyless
 
As you may have already seen on the news, a security vulnerability known as Heartbleed was recently identified in the popular OpenSSL cryptography library. This weakness allows the theft of secure information, including sensitive data and even private keys, that would normally be protected by the SSL/TLS encryption used to secure Internet traffic. It made big news primarily around web sites that could have the security hole built in. However, it has also had serious implications for corporate security around access devices in the Corporate IT and Machine to Machine market, and it highlights the need for stringent security controls not just on corporate-owned systems but on any vendor that might have installed a solution into your or your clients’ premises that required any level of external access. With regard to Heartbleed, any device (wired or wireless) that is connected to the corporate network and used OpenSSL in any way potentially had this vulnerability, and there are undoubtedly other similar issues lurking out there as well.
 
 
What’s the impact of this?  Essentially we are in a brave new world of security threats.  Think in terms of several scenarios:  
 
  • Many ATMs worldwide are connected, by wire or wirelessly, using modems that could be hacked, and every day hundreds of millions of people bank over these networks.
  • Many corporate IT departments have secondary networks using wireless access gateways for Internet continuity or public Wi-Fi networks (for instance retail chains, restaurants, doctors’ offices, health clubs, etc.).
  • Both residential and corporate security systems have cellular gateways for backup or, in a growing number of cases, for primary access to central monitoring stations.
  • Building control systems such as energy management devices, HVAC Systems, etc. are connected to wired or wireless gateways for out of band management or remote monitoring.
  • And in many cases of the above and other similar scenarios, disparate systems increasingly are interconnected without the knowledge of the end user, opening up the potential of a backdoor into other areas of the network.
 
How serious is this?   Let’s consider the security breach where literally tens of millions of consumer credit card numbers were compromised in last year’s hack of Target department store’s network.  Malware was installed at their Point of Sales devices, the thieves having hacked through the HVAC System’s remote management gateways.  The hacking of a simple industrial control connection somehow led to one of the largest security breaches of consumer data in history.
 
With respect to Heartbleed, what is truly disturbing is that this recently discovered flaw in OpenSSL appears to have gone undetected for over 2 years.  Heartbleed creates an opening in SSL/TLS, an encryption technology marked by the small, closed padlock and "https:" on Web browsers to signify that traffic is secure.  The flaw makes it possible to snoop on Internet traffic even if the padlock had been closed.  Interlopers could also grab the keys for deciphering encrypted data without the website owners knowing the theft had occurred, according to security researchers.  What’s worse is that it is estimated that over two-thirds of the world’s Web servers rely on OpenSSL.
 
 
So what can one do to mitigate such disasters lurking in the shadows?  First, secure the network from the obvious.   Devices on public IP addresses are the most vulnerable, as these devices are directly accessible from the Internet.   Use a private network instead.  For instance, standard “private-IP” cellular connections from Wyless use a network configuration called “many-to-one” Network Address Translation (NAT) in accessing publicly accessible Internet destinations. That configuration prevents unknown entities on the Internet from initiating contact with the private-addressed device. When a device has a public IP, either natively or assigned via “one-to-one” NAT, the firewall by default does not filter, block, or prevent any Internet source from contacting the device. This leaves the wireless device itself as the only layer of security. While most devices have some firewall capabilities of their own, these capabilities are frequently left disabled by default, left with the default username/password in place (and the default is easily obtainable via Internet searches), misconfigured in a way that unexpectedly permits easy access, or even installed correctly but exposed by a later patch or firmware upgrade.
 
It is our strong recommendation that customers with any device on public IP addressing ensure the device is “locked down” and that the factory default username/password is changed to something unusual and not easily guessed.   We also recommend customers evaluate the vulnerability of their devices and reach out to their hardware vendors for any updates needed to secure them.
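The checks described above can be run over a gateway inventory. The following Python sketch is an added example, not code from the article or from Wyless; the record fields (`nat`, `firewall_enabled`, `default_credentials`, `firmware_changed_since_review`) and the sample devices are hypothetical and constructed for illustration.

```python
import ipaddress

# Ranges not routable from the Internet: RFC 1918 plus RFC 6598 (carrier-grade NAT).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def internet_can_initiate(device):
    """True when an unknown Internet host can open a connection to the device."""
    if device["nat"] == "one-to-one":
        return True  # inbound traffic to the mapped public address is forwarded
    addr = ipaddress.ip_address(device["ip"])
    return not any(addr in net for net in PRIVATE_NETS)

def audit(device):
    """Return (severity, findings) for one gateway record."""
    findings = []
    exposed = internet_can_initiate(device)
    if exposed:
        findings.append("publicly reachable: the device is its own only layer of security")
    if not device["firewall_enabled"]:
        findings.append("device firewall disabled")
    if device["default_credentials"]:
        findings.append("factory default username/password still in place")
    if device["firmware_changed_since_review"]:
        findings.append("firmware changed since the firewall rules were last reviewed")
    if exposed and len(findings) > 1:
        severity = "critical"  # reachable from outside and the last layer is weak
    elif findings:
        severity = "warning"
    else:
        severity = "ok"
    return severity, findings

# Constructed inventory. 203.0.113.0/24 is a documentation range standing in
# for a carrier-assigned public address.
INVENTORY = [
    {"name": "atm-gw-01", "ip": "10.20.0.5", "nat": "many-to-one",
     "firewall_enabled": True, "default_credentials": False, "firmware_changed_since_review": False},
    {"name": "hvac-gw-02", "ip": "203.0.113.10", "nat": "none",
     "firewall_enabled": False, "default_credentials": True, "firmware_changed_since_review": False},
    {"name": "alarm-gw-03", "ip": "10.20.0.9", "nat": "one-to-one",
     "firewall_enabled": True, "default_credentials": False, "firmware_changed_since_review": True},
    {"name": "wifi-gw-04", "ip": "100.64.3.7", "nat": "many-to-one",
     "firewall_enabled": False, "default_credentials": False, "firmware_changed_since_review": False},
]

if __name__ == "__main__":
    for dev in INVENTORY:
        severity, findings = audit(dev)
        print(f"{dev['name']:12} {severity:9} {'; '.join(findings) or '-'}")
```

A privately addressed device behind one-to-one NAT is reported as exposed, which is the case an address-only check would miss.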
 
And choose a managed services provider that offers Security as a Service.  Any MSP or Carrier that is touting a public IP network should be reconsidered.   When it comes to external access to a corporate IT network, best practice security is a must.  But that’s just common sense, right?  Ask Target’s HVAC vendor!
 
