This series will try to describe the typical security flaws found at businesses which are not IT-oriented, and really don’t need to be, coming from the manufacturing industry.
We will look at the security requirements and risks encountered at each of these levels:
- Physical access
- Network security
- Software used
- Remote users and contractors
- People factor
As a rule of thumb, at every level the AAA model has to work: not just be implemented, but actually work! If you are unfamiliar with AAA, here is a two-minute read on the topic by a trusted provider in the security market: https://www.fortinet.com/resources/cyberglossary/aaa-security
While some might not even consider physical security part of IT security, it is important to walk through it and, hopefully, by the end give it more weight when solidifying an IT infrastructure. Let’s imagine this scenario: a company has large premises with one office for computer workers and several production areas. The company has a large comms room in the main office, but also small cabinets for network elements and backup in the production areas. Door access is controlled by RFID fobs, and an entry-level camera system is present at most locations on this site. Now let’s break it down element by element, with the biggest threat to each.
RFID fobs:
While they were innovative 30 years ago, today even a 13-year-old with an RFID reader can clone a lost or misplaced one. The company had an incident where one of the maintenance workers left a fob in the smoking area, where it was found overnight by a bad actor who at first was only looking for scrap metal but soon found himself with access to the storage for all the expensive tools. Companies should consider replacing fobs with more AAA-friendly solutions, like fingerprint or face recognition systems which send out alerts for access outside business hours. To add to the troubles, the fob could not be disabled until Monday, when the only person who knew how to do it was at the office. If you are serious about your security, consider a managed solution from a company specialised in this area. Not only do you offload responsibility to professionals, but now you have someone to call at 1AM.
Authorization of personnel:
If you inherited tens of years of bad access management, the best solution is to start with a greenfield environment. Yes, many say there are different approaches, but these almost never resolve all the issues. In this case access to all doors was granted to everyone, including the IT comms rooms and other sensitive areas, and a good majority of fobs had no owner: “Cleaner 1”, “Cleaner 2”, “Tech 12”, etc. Start off fresh and ensure each “entry point” has an owner who needs to approve access. For example, for the IT room it should be only the IT manager or CIO who can grant access, and not the yard manager. In fact, not even the security company should grant it without the prior approval of those responsible for this area.
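One way to audit an existing fob register against these rules, as an added example that is not part of the original post. The door names, fob IDs, holder names and approval records are constructed sample data, and the record layout is an assumption rather than any access-control vendor's export format.

```python
import re

# Constructed sample data: door -> the owner who must approve access to it.
DOOR_OWNERS = {"comms-room": "it.manager", "tool-store": "maintenance.lead",
               "main-office": "office.manager", "yard-gate": "yard.manager"}

# Constructed fob register: holder label plus per-door grants and their approver.
FOBS = [
    {"id": "F001", "holder": "Cleaner 1",
     "grants": {door: None for door in DOOR_OWNERS}},
    {"id": "F002", "holder": "anna.kovacs",
     "grants": {"main-office": "office.manager", "comms-room": "yard.manager"}},
    {"id": "F003", "holder": "it.manager",
     "grants": {"main-office": "office.manager", "comms-room": "it.manager"}},
]

# Role-style labels such as "Cleaner 1" or "Tech 12" name no accountable person.
GENERIC_LABEL = re.compile(r"^(cleaner|tech|temp|visitor|spare)\s*\d*$", re.I)

def audit_fob(fob, door_owners):
    """Return a sorted list of findings for one fob record."""
    findings = []
    holder = (fob.get("holder") or "").strip()
    if not holder or GENERIC_LABEL.match(holder):
        findings.append("no named owner")
    grants = fob.get("grants", {})
    if door_owners and set(door_owners) <= set(grants):
        findings.append("access to every door")
    for door, approver in grants.items():
        owner = door_owners.get(door)
        if owner is None:
            findings.append(f"{door}: door has no owner")
        elif approver != owner:
            findings.append(f"{door}: not approved by {owner}")
    return sorted(findings)

def audit(fobs, door_owners):
    """Map fob id -> findings, leaving out fobs that pass every check."""
    report = {fob["id"]: audit_fob(fob, door_owners) for fob in fobs}
    return {fob_id: found for fob_id, found in report.items() if found}

if __name__ == "__main__":
    for fob_id, found in audit(FOBS, DOOR_OWNERS).items():
        print(fob_id, "->", "; ".join(found))
```

Fobs that produce findings are the ones to leave behind when rebuilding the register from scratch.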
CCTV:
Rule of thumb: never go cheap! You will soon come to regret it when law enforcement advises you there is nothing further they can do due to the lack or poor quality of footage. I have heard this one too many times. More importantly, do not store the video footage on-site. Some might say it’s OK to store it in a highly secure area, but most companies will not have fire suppression, extensive water protection, etc. Today a cloud-based CCTV storage solution is under 100 euros per month. Just go for it! No more hard disks, DVRs, lost remote controls, cables, software upgrades, etc.
Now how does all this affect IT security? IT security starts with physical security. With easily accessible network ports, Wi-Fi, IT rooms and hardware that can be stolen, no matter how many millions one pumps into fancy cyber-security features, it means nothing in today’s world, where social engineering and corporate espionage are a multi-billion business.
More examples to follow as we go along…