Jump to content
Security Installer Community
  • entries
    14
  • comments
    27
  • views
    23,288

Electronic Attacks Vs Electronic Security


Joe Harris

3,299 views

blog-0849929001375875158.png

Summary

Many specific industries in the UK are currently being targeted for online attacks in order to access the information which they hold. This information is rapidly becoming a new commodity in these changing times.

The financial sector saw a 3000% increase in the volume of attacks directed specifically at them in the first quarter of 2012. [1] [2]

The electronic security industry is a definite target due to the ‘low risk, high yield’ target nature of ARCs & Installers for potential attackers coupled with the lack of up to date awareness in many parts of the industry.

The risk from DDoS type attacks in particular is a well founded one but also comes on the back of other concerns in respect of “information security”.

Our industry is at particular risk from this threat for a number of reasons:

In the first case we hold (as an industry) vast amounts of sensitive data on our clients. We are ourselves a means by which access can be granted to further information from our clients. As an example consider an attacker armed with a security firms authorisation credentials or a site password then contacting a client of the ARC whilst performing a social engineering attack. Mobile telephone numbers can lead to location data or voicemail access of end users.

The other aspect to consider is that as an industry we face an increased exposure from this type of attack that can be very detrimental to business. “Electronic security” is not the same thing as information security but to end users and clients this distinction is not so clear. We operate in an environment of trust and robust security protocols. Clients would potentially steer clear of the victim of a data breach as they would be seen as ‘untrustworthy’; this can have a massive impact within the industry. [3]

A small investment in time and resources now could save businesses a great deal of cost and time at a later date.

Following some basic principles [4] of system management will help. In the long term a complete managed structure is the only effective solution to mitigate the increasing risk and exposure.

To manage system updates, audit all of the many server and client machines, keep up to date with trends and exploits and to effectively harden the many networks, software platforms and systems is a lengthy and laborious task which businesses small and large may struggle to keep up with. [5] [6]

Threats & Exposure

To understand the risks and better manage them we ought to first understand who would be aiming to access data.

I believe we can categorise the majority of potential attacks as coming from one of five primary sources presenting the highest risk factors for our industry:

  • Hacktivists

Whilst traditionally few ARCs or Installers are seen to have any specific political or corporate ties (which reduces exposure to this threat) the servers and bandwidth available to ARCs can be seen as a potentially lucrative target to use for attack redirection or to include within a zombie network for attacking other targets
  • Staff / Industry competitors

Whilst a lower risk it needs to be considered and accounted for. Attacks such as competitors taking up similar domain names in the hope of emails being mistakenly delivered to them needs to be monitored for and addressed. Sensitive commercial information is in itself of value to a potential attacker from this sector.
  • Criminals

Well, at least with this source it is one we are all very familiar with. It is interesting that information security and electronic security are both very similar when criminals form the source of the attack. Target hardening is effective and will cause criminals to instead opt for an easier alternative target. The reason and target of attack is financially motivated. The best defence here can be to make it labour intensive, time consuming and expensive for anyone to perform a successful attack and it will reduce the impact from this source. It must be remembered though that the criminal enterprises can have *significant* resources available to them and they are becoming wise to utilising cheap mass labour to perform the legwork which can complicate matters.
  • Script Kiddies

This is becoming a dwindling form of attack source, however, it cannot be discounted entirely. While this particular source of attack generally uses widespread and basic tools which can be protected against, there is also the opportunity for talented and determined individuals to find previously unknown 0sec (zero seconds / newly discovered) exploits, which would not be so easily detected.
  • State sponsored

This is the largest threat to our industry. The sheer numbers involved and the impunity in which attackers operate highlight the fact that the internet is now very much like the old west with very few laws and regulations and several different highly active groups (the UK is no exception).

Please take a moment to consider the type of information that could be useful to a potential attacking state. Vast amounts of data is stored which can all be funnelled into pool of information for later analysis. Nation states have many Petabytes / Exabytes of data storage for just this purpose and in many cases employ very effective attack teams.

They have staff dedicated to harvesting and categorising target clients (IPV4 means fairly limited numbers which they can go though quite literally one by one). In the case where a target client is not immediately exposed to any current risk their equipment and services can still be categorised. When a new ‘0sec’ exploit is then released / discovered or purchased then these categorised targets can all be revisited quickly and with ease.

This is also a form of attack that will not entirely disappear in the future without significant changes, indeed there are claims that this is now the modern battlefield between nations, we need to be careful to ensure that as an industry we do not become the injured innocent bystanders.

Attack Vectors

For the modern ARC or Installer there are several attack vectors and points of exposure:

  • External webservers / client interfaces
  • Company websites
  • Mail servers
  • Corporate intranets
  • USB / Removable media
  • Precompiled VMs
  • IP Signalling device connectivity
  • Receiver software / firmware

You must ask questions of yourselves in relation to each of the above vectors remaining honest with yourself whilst doing so.

  • Are each of your systems adequately protected?
  • Is the authentication procedure appropriate to the risk exposure?
  • How do you know if you have already been infiltrated?
  • What measures can you take to prevent exposure to each of the above?
  • Are your staff members trained to respond to and recognise these risks?
  • Are you opening up more data than is required to perform the task at hand? If so why?
  • Are your contingency arrangements formed with these risks in mind?
  • Does your backup procedure give you scope for recovering to a point prior to an attack occurring which may be discovered at a later date?

The reality in our industry is that the technical expertise employed within and by third parties on behalf of ARCs and Electronic Security Installers is often quite specialised.

Whilst there are very many incredibly talented individuals working in the industry, it does not follow that they are necessarily aware of all aspects which are required in order to effectively protect company assets.

The Solution?

There is no "one size fits all" solution that would work for all types of businesses. There are however, some good practises and recommendations that can be made.

Where possible implement managed network provision from a suitable supplier. Ensure that you have the support of any ISP utilised in order to help counter DDoS types of attacks.

There has been a gradual evolution of some signalling products and back office systems to utilise remote access and various forms of IP technology. Ensure that the systems you are utilising have approached the implementation of this technology with a sound understanding of the risks involved. Other products have been designed from the very start around the core principles of data security and robustness, this should be a primary consideration.

With all the points raised above, the key thing is awareness. Understand the capabilities and weaknesses of each product and perform your own risk assessments.

You may conclude that it is no longer appropriate to utilise some equipment or demand more robust solutions from the supplier. In either case at least you are prepared and aware.

Ensure that you are able to accurately track the flow of data in and out of your business and be able to see the status of all critical equipment and networks instantly at any time (keep your fingers on the pulse).

We are all in the habit of assuming the worst case scenario in order to minimise risk. This puts our industry in a good position to be able to overcome such issues as and when they arise as long as we continue to be prepared.

Consider your existing networks and infrastructure carefully. What is your exposure to risk? Can action be taken to reduce or ideally, entirely negate the risk?

It will become crucial in future for Installers and ARCs to communicate effectively to highlight and manage risks.

We have already begun to see the efectiveness of this approach when nationwide issues occur and in future we should all take advantage of these networks to help mitigate and protect from risk.

6 Comments


Recommended Comments

J, Very interesting, and covers a lot more than your direct interest.

Im assuming you think the final mile (ie the arc) is an easier attack point if its known than the individual site/system.

To minimise the exposed footprint from send point to recieve point what would you suggest? Private circuits or VPN's.

From the transmission point of view its easier to attack the fixed line (pstn) side than anything else but also the gsm side can be vulnerable. Id of thought that any high grade system based on regular polling would be immune to the reporting (not the attack) but if using an ATS 5 device if the device was attacked this would be shown in less than 3 minutes.

However if the end that handles that reporting is attacked what would happen then? I assume a DOS style attack on an ARC would be more effective if it swamped it with false signals. The more i think about it the more it seems the arc is the most effective attack point?

James

  • Upvote 1
Link to comment

James,

You are spot on and as mentioned existing 'old style' PSTN comms can be affected just as much as 'new style' IP / GPRS connectivity.

There are a number of methods that would be effective against ARCs though I see some ARCs beginning to implement counteractive measures as a form of target hardening.

Forward thinking ARCs are ensuring as much redundancy as is feasible and structuring their systems to ensure that such a threat is minimised.

The only sad part is that for each ARC that does approach things this way, twice as many will bury their heads.

As for false signals vs outright bandwidth flooding - The former may be more effective initially as it will form shaped traffic more likely to pass through any initial early stage filtration. The issue will be (as it is for unrelated websites usually) how to distinguish genuine traffic from spoofed traffic and to ensure that this is carried out with zero latency and zero errors.

A tough ask.

Joe

Link to comment

Joe

We do what we do and hope the advice we are given is best. We are a small alarm co and punch well above our weight. Of course we think we have taken best advice on security but we may never know

  • Upvote 1
Link to comment
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.