5 Apr 2019

Editor Introduction

Ethical hackers are familiar to the world of cybersecurity. As cybersecurity awareness increases in physical security, they are also playing a larger role to ensure the safety of networked and information technologies used in our market. We asked this week’s Expert Panel Roundtable: What is the role of ‘ethical hackers’ to ensure cybersecurity of networked products in the physical security market?

Ross Wilks Vanderbilt Industries

‘Ethical hacking’ is becoming more standard practice within the physical security market, and even the Pentagon recently brought in hackers to help identify more than 100 security vulnerabilities in their systems. Reportedly, hackers that could locate security issues were awarded up to $15,000 each, with approximately 1,400 hackers taking part in the project. While this approach might seem dramatic, when you consider how much people depend on online channels in today’s interconnected world, any security breach could lead to a devastating loss in customer confidence and therefore revenue. Ethical hacking, therefore, can be viewed as a critical element in vulnerability testing for networked products being developed in an effort to identify and address gaps in security. The more extensive an organisation’s security testing approaches are, the better are its chances of succeeding in an increasingly volatile technology landscape.

The role of an ethical hacker in the current market is a double edge sword, because often our research can be quickly weaponised by malicious actors. When it comes to researching and securing network and applications from denial-of-service attacks, part of our role includes investigating those devices that could or have been leveraged to launch the attack. Today these threats stem from a number of physical security devices such as video cameras, IoT sensors and DVRs as well as cloud-based data storage. These physical security devices can be easily leveraged to send malicious traffic to a targeted server, and infecting the device itself has never been easier since the publication of the Mirai source code. A majority of these vulnerable devices are found in the transportation, commercial and financial worlds as well as smart homes. We have to think like hackers.

Ethical hackers, or ‘white hack hackers,’ play an increasingly important role in the physical security industry. They use the exact same processes and methods as ‘black hat hackers’ but only use their knowledge for lawful purposes with the view to identifying security issues and recommend solutions as a defense strategy. At Genetec, we take the security of security very seriously and we believe that it is critical to have a comprehensive security strategy to protect your system against both physical and cyber threats. A poorly secured camera, unencrypted communications between a server and client application, or out-of-date firmware can all be exploited by cybercriminals. Because no single approach is enough when it comes to cyber security, using the services of an ethical hacker can provide a very valuable weapon in the arsenal of tools and processes necessary to identify network and IP devices vulnerabilities and stop cyberattacks before they happen.

Ethical hacking is not new in our sector and is regularly deployed as part of the technology evaluation phase, particularly in sectors where compliance is rigorous, and the privacy and integrity of surveillance footage are critical. A vulnerable IoT device on a corporate network presents a wealth of opportunities for cybercriminals, making the ethical hackers’ role crucial in highlighting flaws before they can be exploited. The publishing of known vulnerabilities also avoids customers choosing products that may claim to enhance physical security yet can increase the risk of a cyber-attack. And these online public resources are forcing manufacturers to raise standards including the overall security of connected devices, installer training and firmware updates. Weak cybersecurity and flawed products do not the cast the physical security industry in glory and are likely to defer purchasing decisions; therefore, the increased use of ethical hacking should be welcomed and encouraged.

Kevin Berry The Ava Group

The increasing risks and requirements associated with cybersecurity and privacy compliance are forcing organisations to dramatically change the way they select, implement and validate new technology. Manufacturers and integrators of physical security technology must not only demonstrate an understanding of cybersecurity but provide verifiable evidence of proper embedded controls within their devices. For organisations, the use of (Certified) ethical hackers is a vital one in helping demonstrate their capabilities in cybersecurity by evidencing a solution’s vulnerabilities, limitations and weaknesses through an impartial, third-party. While ethical hacking exercises produce extremely useful information, to be valuable they must be followed with solid remediation efforts to fix vulnerabilities which have been identified. Cybersecurity is not a one-time event – it is a lifecycle. Successful organisations recognise this and implement ethical hacking as part of a holistic cyber-defense strategy throughout product development, testing and validation processes.

Editor Summary

Cybersecurity is a daunting challenge, and ethical hacking is one tool among many that can help to address the issue. Ensuring cybersecurity is a perpetual battle between the good guys and the bad guys. If one cybersecurity issue is addressed, we can be assured there will be another one right behind it, and possibly more challenging. It shouldn’t be just the bad guys confronting the strength of our cybersecurity because when they are successful, the result is disastrous. At least if the guys in the ‘white hats’ are also hacking our systems, there is the opportunity to fix the problem with fewer or no consequences.