Protection and Integration of Legacy Access Control Systems

—————————————————————————————————————————————–

When you install the infrastructure to support an enterprise grade access control system, the expectation is that it will last and be operable for a long time. Over time, physical access control has merged increasingly with networking services, which leads these systems to be vulnerable to threats associated with always-on network connections that they did not have to contend with in the past. This leaves us entering the 2020’s with many legacy systems having multiple exposed attack surfaces and new potential risks as IoT integration moves forwards and clients expect full availability and connectivity on their smart devices.
—————————————————————————————————————————————-
One method which we have placed great emphasis on is Avigilon’s “Blue” Platform, a nearly “Plug-and-Play” device that allows takeover and integration of IP devices into older systems while still maintaining the integrity and operation of the existing infrastructure. The specifics of “Blue” have been discussed in depth in previous articles.
It is critical that integrators installing upgrades to existing access control systems ensure that all software and drivers are up to date so that exploits are covered. The more IP devices, the more potential points of attack exist to disable physical infrastructure for access control systems, and this is why it is so important that the client make sure to keep up with manufacturer patches and updates as soon as they are released, as attackers will be aware of exploits, in many cases, before patches come out as a solution.
—————————————————————————————————————————————–
Another solution STST offers is Frontsteps access control technology. A key aspect of Frontsteps solution is “Mobile Patrol”. The fully mobile application allows security admins instant access “to patrol status updates and critical information, like incident reports and messaging.” (Frontsteps.com) Guards can give live updates in just seconds and share information for different checkpoints along a given patrol route. GPS GeoTagging assists in this process. This vastly improves the productivity and accountability of security staff as they must check in to their patrol checkpoints.
Security Technology of South Texas is happy to offer custom access control and surveillance solutions to the business security market, designed either turn-key and from the ground up, or integrated into an already existing series of cameras and access control structures.
—————————————————————————————————————————————–
Please contact us through email at admin@gostst.com
or by phone at 210-446-4863 24/7 to schedule a consultation.

Security Moves Further into the Cloud

It is certainly no secret that cybersecurity is ever increasingly a focal point for security professionals. It is now no longer on the periphery and is of serious concern in the video surveillance market. Because of this blurring of the lines between hardware and the digital realm (cloud), a competent security integrator needs to have a team that understands the interplay between the two and can make the best design decisions possible.

Hackers have known for quite some time that video surveillance cameras are some of the easiest to breach pieces of internet connected tech out there. Indeed, there are entire websites devoted to indexing the IPs of unsecured cameras and access control systems around the world. People are going online, without any technical skill, and doing things like turning the lights on and off in stadiums and spying on people though the camera they have placed in their living room.

But many security integrators and dealers lag behind in this area. Although manufactures can be relied on to a point, having at least one member of the team with the know-how to encrypt drives and understand authentication applications is a must. For example, two-factor authentication, now coming standard on some servers, uses “two PIN codes added to [a] Windows Server login — one as a primary password, the other a randomized PIN generated by [a] paired smartphone app, giving integrators an added layer of security”. ( www.sdmmag.com )

Being able to link a system to a two-step authentication through a specific cell number is a pretty strong defense against hackers, who traditionally access these systems through manufacturer back doors, “zero-day” exploits, or simply by using “packet sniffing” programs to watch your traffic and pull the IP and MAC address on your devices.

Over the last decade, cloud computing and storage has rapidly changed the way businesses of all kinds operate. Modern enterprises that wish to stay competitive turn increasingly to a hybrid IT environment which allows them to leverage advantages of cloud based solutions alongside having whatever physical hardware that they maintain on-site. Cloud infrastructure is highly scalable, but on-site systems may be more directly controllable or may feature proprietary/in-house software. The promise of reducing operating costs and gaining a competitive advantage is attractive to any company, but in order to pull it off, specific security challenges must be overcome or accounted for.

Hybridizing an already complicated IT environment can have the effect of rapidly increasingly the complexity of systems. Depending upon which services are owned and managed by that business and which are provided via “Cloud Service Providers” or CSP, the enterprise must regulate and integrate multiple applications and systems, a process which may require multiple different skill sets. This all creates a lot of moving pieces which can make it difficult to maintain visibility for all the existing data.

Data breaches at the highest levels make headlines on the daily and have done so for the last several years. Major compromises include Sony with a possible hack coming from North Korea, Verizon, where as many as 14 million customers records were exposed due to server mismanagement, as well as Equifax and many others losing critical information such as customer’s bank information and social security numbers.

Securing all this data is a complicated task, but probably the most common mistake requires no special skills to address. Overlooking the basic integrated security controls is surprisingly common and a simple misconfiguration at this level can compromise an entire operation and leave its data completely exposed and liable to experience theft and/or unwanted modification or hacking. As we all know, something as small as this can expose customers, employees, and the critically important private data of companies to calamitous outcomes. Following are some key considerations in avoiding cloud misconfigurations and steps to keep safe a typical hybridized IT environment.

Studies (Redlock) have shown over half, in this case 53% of companies using cloud storage will admit to accidentally exposing customer data due to mismanagement or deliberately circumventing certain built in security features. Hackers know this, and as more and more organizations make the move to the cloud, attackers will increasingly pursue this “low hanging fruit” of security risks. Security misconfigurations are among the most common ways attackers gain control and leverage withing a network. Because those creating services such as Amazon S3 cloud storage seek to make their interfaces as flexible as possible, this sometimes has the inadvertent effect of exposing cloud environments and contained data (aka “buckets”). These buckets can be accessed simply through a URL so long as the user has the appropriate permissions.

Misconfigurations can occur at any level of your applications stack- “the platform, web server, database, framework” (Security Today Magazine) or in the custom code itself. Also common is for attackers to target and take advantage of any poorly configured devices that may be connected to the network. Use of default passwords and/or otherwise not configuring devices accessing the Wi-Fi can lead to an attacker exploiting a system which will allow them to immediately begin making changes and exfiltrating data.

The reality is that most of these problems come down to human error and ignorance. A common misconception is that the providers of these cloud solutions provide security themselves. This is simply not true. It is always up to you to check what security they do provide and to account for that when you implement your own security. Very rarely or never will the defaults of the cloud service be sufficient. And so regardless of however network environments evolve, the “foundational tenets” will remain. “Maintain visibility of your attack surface and continue to monitor it” at all levels. (Security Today Magazine) Apply security protocols to the cloud environment in the same manner you would do for your traditional environment. And of course, make sure to secure all the loose ends and back-doors, ensuring proper configuration throughout your network.

The prevailing opinion online seems to be that those dealers/integrators who do not keep up with this virtual counterpart to the physical systems they install will risk putting in systems that could be compromised and even lost to hackers. As the IoT expands and proliferates there will be many more individual possible weak points to conduct a security breach against in a network. STST makes use of a wide array of IoT-like devices already, as do many other companies and industries. Mobile connections can be used as backups for hard-wired connections in security solutions but are more critical when a system needs to include 24/7 personal video and control access to a user or users wherever they are. The security industry in general is likely to become increasingly centered around the usefulness and convenience of mobile communication tech, as many of us certainly seem to be already with our personal and social lives.

Security Technology of South Texas is happy to offer custom access control and surveillance solutions with video analytics to the greater South Texas area, designed either turn-key and from the ground up, or integrated into an already existing series of cameras.

Please contact us through email at admin@gostst.com on our website or via phone at

210-446-4863 24/7 to schedule a consultation.