According to the US Federal Bureau of Investigation (FBI) web site, it's only a matter of time before organised crime identifies how easy it could be to open a bank account without ever being near. Just recently, in fact, the FBI issued a warning statement on the self-same subject.
What about the simple issues? The ones that could be easily and swiftly corrected?
All access control software has security access protected by a password. Using the correct password activates user privileges assigned to the system. Often, those system passwords are stored unencrypted in simple databases such as Microsoft Access. These are frequently held on a server, but more usually on a local PC.
Such passwords are readily available to most hackers using a variety of standard hacking techniques. As passwords will also be required on the servers that control access to a site's doors, immediate steps must be taken by the security manager (particularly if closer examination reveals any password storage and retrieval issues).
Panels and remote support
In the past, security managers used proprietary hardware – and very often proprietary communications – both to collect data from card readers and to verify and acknowledge card holders. The falling cost of PCs, together with their increased functionality, has allowed most vendors to use a single board PC with a variety of interfaces to drive the readers.
These PCs are still referred to as controllers, and boxed in a similar way to the original controllers. They communicate over enterprise LANs and WANs using TCP/IP protocols identical to those adopted on the Internet. Internet users can therefore deploy tried-and-tested hacking techniques that may be adapted to gain control over access control systems with only a minimal learning curve.
Most companies, of course, will install firewalls and a variety of other solutions by way of protecting their enterprise network. Many associated vendors, however, like to update their software remotely and will use modems to do just that. Left connected, these modems provide the perfect 'back door' for targeted 'war dialling', using existing hacking programs to gain access to the network.
Aside from the obvious dangers of an open, unencrypted link to a network from the outside, these modems give hackers an ideal opportunity to install Trojans for subsequent access at a later date.
Data uploads can also give rise to security issues. Most security systems will provide an export/import routine or ODBC connection to populate a server database. The primary data for this will probably come from a human resources-style application that could well carry passwords or, at the very least, clues as to their make-up.
To the average hacker, the full names of all employees – harvested from the Human Resources Department database – will provide enough clues to operate standard password cracker tools.
“Access control systems have to be made easy to operate so that they can be used with minimal training. High staff turnover in the security sector is the norm, so training must be straightforward”
Most access control systems provide the end user with the ability to process ID cards, with pictures of members of staff stored in GIF or JPEG formats. Such files are large and are rarely used. Consequently, they serve as the ideal place to store virtually undetectable programs or Trojans.
Access control system providers
Due to the obvious security implications of their core business, those companies supplying access control systems can also find themselves becoming the target of hackers. As outsourced suppliers, these companies have access to client sites, client data and lots more valuable information besides.
System providers must therefore learn to adopt stringent security measures to protect themselves and their end users – all the way from shredding through to firewalls, virus scanners and intrusion detection solutions.
Installing an access control system often has an effect on the insurance premiums paid by a company. Consequently, if a given system ends up providing a gateway into a corporate network, the resulting losses can run into millions of pounds. Therefore, insurance companies quite rightly insist on appraising the quality of the access control provider, and receiving some indication of the extra security that the vendor has put into place.
Operation made easy
Access control systems have to be made easy to operate so that they can be used with minimal training. Remember that there's very often a high staff turnover in security departments.
That said, it's paramount corporate systems be well protected against future threats. A system that's easy to install and operate may not be the most secure in the long run. On the other hand, a complex system needs to be looked at in its entirety – not just in terms of the network itself, but also in relation to the hardware and software connected to (and running on) it.
Often, the security manager will have to call on the services of an expert third party – because the in-house network support personnel possess neither the time nor the skills set to dig deeply into the security of the network.
In an ideal world, the whole of a company's network should be mapped and reviewed, including a concerted effort into searching for vulnerabilities. Any vulnerability testing ought to include network penetration testing, and must be initiated at the specific request of the company.
Following on from the vulnerability testing process, there are several tasks that will need to be co-ordinated. In strict order, these are: closing down unnecessary ports and IP services, updating and ensuring that the required services and software are properly patched up and setting up authentication and encryption.
Source
SMT
Postscript
Mike Pedersen is a director of Proseq AS
