Secure Access Control with TLS via OSDP

The level of risk mitigation gained from Access Control System (ACS) implementations depends upon the features and monitoring tools used e.g., multi-factor authentication, anti-passback, turnstiles, man-traps, etc.  Staff challenging tailgaters plays a part too.

Let’s say you’ve added your supporting technologies (visitor mgmt, intercom, video, etc.), and you’ve properly specified, implemented, and monitored your ACS.  What assurance do you have that you’ve done all you can do to mitigate the risk of perimeter breach by an unauthorized person?

Access control system hacks have been demonstrated to change user data, open all the doors, or to emulate a valid card read; so there are other vulnerabilities to consider.

Unauthorized administrative rights to many access control systems may be gained via well publicized, well documented man-in-the-middle attacks against weakly secured network communication ports. Because these vulnerabilities are present, never expose your ACS management console directly to the internet. Use a VPN with strong encryption for remote access if you must have it. You should protect against these vulnerabilities inside your network too. Close all unnecessary ports. Verify certificates and encryption on all network connected physical security equipment.

Test your ACS administration console with this free tool from Qualys SSL Labs. Don’t forget to test the NIC (Network Interface Controller) web interface on the hardware control panels too. Save the Qualys report and share with/ask your integrator and their manufacturers for updated firmware or bug fix timelines.

Another ACS problem is that the weigand protocol communicating between reader and panel simply cannot be secured.  Card read data can be captured from the reader or the wiring, recorded, and played back to allow a faked “authorized” entry through a door.osdp

Good News: This past week  The Security Industry Association (SIA) demonstrated Open Supervised Device Protocol OSDP communicating with Transport Layer Security (TLS) version 1.2 between the reader and ACS control panel.  TLS 1.2 is the most secure data communications protocol currently available.  Manufacturers are preparing ACS control panels and readers using OSDP end-to-end encrypted communications for commercial availability soon. At risk companies will want this, and if you’re in a regulated industry you’re likely going to require this level of protection.

The bottom line is that if your business requires sound network security as a component of their risk mitigation strategy, you’re going to want to upgrade your ACS controllers, readers, and possibly some cabling to support OSDP. Road map this effort to assess your organizational impact.

If you’re at Tier Zero (lost or just beginning) with your cyber security journey, join our PSA Cyber Security Committee presentation this May 12th at PSA Tec and get started down the road to better cyber hygiene. You can get there, we can help.

Aloha,

Andrew

Tradeshow Goals: ISC West is Talking Cybersecurity.

I’m fortunate to be acquainted with some really smart business friends, some really savvy IT industry friends, a few super successful technology friends, and some well known white hat hacker friends. They’ve all been asking me the same question these past few years: What’s wrong with your industry.., why don’t they get security?

My answer was always the same: I can’t get our manufacturers to buy into the problem. They’re too busy developing their IP-based applications (software) to actually consider the security implications of adding Transmission Control Protocol/Internet Protocol (TCP/IP) connectivity to their equipment. In fairness, we’ve all been too successful selling those features and benefits to care. TCP/IP gave the physical security industry enterprise capabilities we’d long dreamed about. It also gave us insecurities we naively ignored.

TCPIP

Full Disclosure: I’ve been involved with a group from the PSA Security Network that started exploring these issues with our owner-partners in 2014.  We found a definite lack of understanding about existing information security standards among our 125+ integrator partner network. Fortunately, there was a willingness to learn, and that willingness thrust most of us right up against our manufacturing partners who were quietly, though admittedly, a component of our industry’s cyber security problem.

This week we’re preparing for ISC West.  We’ve scanned e.g., NMAPSNMP, and TLS a random selection of commercial grade, new-to-market network switches, video recorders, access control panels, cameras, intercoms, phones, and intrusion panels.  We found a wide variety of exploitable vulnerabilities across the spectrum of equipment scanned.  Some require new firmware, some require new certificates, and others need their cryptography updated. There are those that still need their default settings changed. Many need all of the above, and many just can’t be secured as-is.

From my vantage point, we’ve moved the needle very little these past few years, so I’m glad the discussion weighs heavily in the Connected Security agenda.  During my show floor tour I will be seeking informed answers to my questions regarding equipment cyber-hardening guides, vulnerability transparency e.g., bug reporting/tracking/fixing, and third party audit transparency.

I’m bringing along a few quick scanning tools that will improve awareness for those manufacturers who will let us scan their wares. I’ve no interest in exposing current vulnerabilities, just hoping the conversation will help us all save lives, protect assets, and guard against risk. We are in the security business, right?

I truly believe that transparent dialogue is the beginning of real security in our industry. My goal for ISC West 2016 is to accelerate that motivation wherever possible.

Aloha,

Andrew

Press Release: July 23, 2015

WAIPAHU, HI (July 16, 2015) Integrated Security Technologies, Inc. (IST), a Hawaii-based physical security systems integrator is proud to announce it has been certified as a Participant in the U.S. Small Business Administration’s (SBA) 8(a) Business Development Program.

download

The SBA 8(a) program was designed to provide business development assistance to companies owned and managed by socially and economically disadvantaged individuals. In order to be certified by the SBA, an applicant firm must: be a small business; be unconditionally owned and controlled by one or more socially and economically disadvantaged individuals who are of good character, be citizens of the United States; and must demonstrate potential for success. The certification gives IST the opportunity to bid on contracts that are specifically set aside for SBA 8(a) program participants.

“Getting 8(a) certified is an amazing milestone that we’ve worked very hard to achieve,” said Christine Lanning, President of the firm. “But more importantly this will help us grow our business, expand our reach into the federal government, and ultimately add more jobs to our community.”

Established in 1998, IST, is a SBA 8(a) certified, women-owned, small business that specializes in the integration of advanced electronic security systems that include surveillance, access control, intrusion detection, intercom, credentialing, and nurse call. IST operates in Hawaii and the Pacific servicing commercial, DOD and Federal, State and City governments.

For more information please visit http://www.istechs.net

Contact:
Christine Lanning
President
christine@istechs.net

Hibachi Talk – The CIO Council of Hawaii

The Tekzar and I recently had a great discussion with Alan Ito, the current Chairman of the Board of the CIO Council of Hawaii.  The council currently has over 130 members, representing most of Hawaii’s business and government sectors, who share a vision for improving technology adoption throughout those sectors in the State of Hawaii.

Hibachi Talk copyright logo

Specifically the council has spent the past few years working to understand the challenges educators face in Hawaii while trying to develop technology curriculum that will help Hawaii address its current and future employment needs.  Education opportunities exist at all levels, according to Alan.  He noted that Mid-Pacific Institute was a leader among education organizations that was succeeding with K-12 technology education programs.

The council also counts David Lassner, President of The University of Hawaii and Garrett Yoshimi, the university’s CIO among its membership. The council members work with the the university systems in Hawaii to provide mentoring as well as internship opportunities to students who are trying to asses they variety of ways they can enter the Hawaii workforce.

Hibachi Talk is a technology talk show dedicated to sharing the vibrant, growing culture of technology that drives business across the Hawaiian islands.

Get Online Safely

Using weak passwords? Not worried about getting hacked? Still think it won’t happen to you?

hacked wifi

Here’s what you need to do today to make yourself safer before you connect to to the Internet.

First, check that your system software (E.g. Windows 8), device firmware (E.g. iPad Mini), and antivirus software (E.g. Norton Security) are all updated to the most recent versions.

Scan your systems daily for adware, botnets, and rootkits. These exploits can facilitate other cybersecurity vulnerabilities. Schedule these scans for midnight or whenever you are typically sleeping so that they won’t be manually interrupted because you need to work. Change the schedule when you travel so the scan is performed without interruption.

Never use open or unsecured wireless network (Wifi) connections. Hackers regularly set up rogue wireless access points in airports, coffee shops, etc. These Wifi sites may they look legitimate to you, and/or you may not even realize your system has connected to them them if you’re not paying attention.

Keep your device (phone, laptop, etc) Wifi turned off unless you are actively using it and you verify the encrypted Wifi source that you are connecting to.

Even legitimate Wifi access points can be risky. Logging into a website that is unencrypted while using the “free” wifi access point, passes your website login information (username and password) via clear text, and it can be intercepted by programs like Wireshark, also known as packet sniffers.

.. and if you’re lazy, and you use that same login information in for other websites, those could be compromised quickly. Safe internet practices are no longer optional. Be careful out there.

Who’s got your back?

Aloha,

Andrew

Security System Integration will see greater adoption in 2015

Too many silos, too many moving parts, too many pumps to fix?  Stand alone security systems systems are a waste of time, money, and effort. And they always have been.

system integration

Time is precious for every manager.  Why would anyone run multiple systems that require multiple queries to do an investigation?

Integrating your Access Control, Intrusion Detection, Surveillance, and Intercom systems makes sense from an investigative standpoint because all of the associated event data is linked together in a single database.  It’s easier to query, easier to retrieve, and faster to get a report out.

Money is precious in every budget. Why would anyone support multiple systems, multiple licenses of operating software, multiple licenses of database software, multiple hardware platforms, multiple back-up utilities, etc.? You get the picture.

Security managers should use funding to provide redundancy for a primary integrated system.

No one wants to work inefficiently. So why would you operate disparate security systems when a variety of integrated platforms are available, proven, and currently implemented by leading corporate security managers around the world?

Get with the program in 2015. You don’t have to figure this out, the engineering has already been done for you.

At almost any scale, you can become more efficient, save money, and devote less effort to managing your security from an integrated platform this year.

Who’s got your back?

Aloha,

Andrew

The Rise of 4K Security Video in 2015

Ultra HD video is an umbrella term that has been adopted to cover both 4k and 8k video formats. The 4k standard is 3840 pixels by 2160 pixels, yielding 8.291 million pixels, called megapixels.  This is over 4 times as many as you get with standard 1920×1080 (2.07 megapixel) HD resolution.

UltraHD

The 8k systems are 7680×4320 pixels yielding a whopping 33.18 megapixels, 16 times the 1080p HD standard.

The 4k standard has gained penetration in gaming, movies, and as of last year, broadcast television has begun to adopt it outside of the US.

In the security industry, greater resolution is always the goal.  But we don’t just watch 1 video stream on a monitor like you watch a program on a television.

Security surveillance systems have to transmit many, sometimes hundred or thousands, of video streams to recorders, client workstations, and monitors. This is a heavy data infrastructure load.

The security industry also has to record 4 (or 16) times more data to utilize this new technology.  Regardless of cost, there are use cases that make sense, and camera manufacturers began rolling out 4k security cameras last year.

4k monitors have already fallen below the $1000.00 price point. Still, the graphics cards, computer processors, and even the associated cabling will all need to be upgraded to fully leverage the benefits of 4k resolution in the security industry.

Look for price points to continue to fall in 2015 and limited implementations to lead the way along the learning curve. Casinos, airports and other specialized niches will be early adopters. In those applications, greater and greater resolution will always be a necessity.

Who’s got your back?

Aloha,

Andrew