Have you ever dined in a restaurant with a police officer? When choosing a table, or seating location, law enforcement professionals will often choose the seat that positions them with their back to the wall. This plays out quite humorously when a group of law enforcement professionals dine together, all racing toward that coveted “protected” chair. It’s obvious why this occurs. Law enforcement professionals are trained observers, and any time that their clear view of a room is obstructed, they become uncomfortable. The same is true with other trained professionals. A firefighter will often enter a room, noting the exits and occupancy.
Cybersecurity professionals are similarly observant, aware of systems such as door mechanisms, security cameras, and other vulnerable artifacts of our modern world. Even a simple elevator ride can be a fascinating experience for a security practitioner. The average person may wonder what makes these objects a source of fascination for security professionals? The thought that all of these security controls are connected, and in many cases, automated, piques their curiosity. Unfortunately, cybercriminals are also interested in these controls.
Automation is everywhere
Think of the last action movie you saw that involved a physical break-in to a secured area. The technology in place to protect those areas usually involved some type of monitoring system. Whether it was an automated door-locking mechanism, or a camera, the first step the criminals always took was to alter the automated system to appear as if it was in a normal state, even if it wasn’t. One of the most common examples is to force a surveillance camera to display an image of an empty room while the thief is inside that room. Another example is to force a door locking mechanism to remain unlocked longer than usual, creating an unassisted “tailgating” opportunity. From a security standpoint, each of these attacks required an unauthorized configuration change to a system.
Automation of a building’s security system can appear in the most unlikely places. Some fire protection systems are set to automatically open and close valves, releasing fire suppressants based on a triggering threshold. This is vastly different from the earlier heat or pressure activated systems. Heating and cooling systems for most large buildings are also automated. Automation is also present out on a city streets, with parking meters that can report usage or expiration notices back to a central system, smart meters to measure electricity usage, or smart snow ploughs to help plan city routes.
When viewed on a small scale, vulnerabilities in all of these systems seem somewhat insignificant. So what if someone extends the time on a parking meter? It is criminal, but not critical. However, on a larger scale, these vulnerabilities can have grave consequences if they are exploited. Buildings that require controlled environments, such as chemical storage plants, hospitals, and other sectors of critical infrastructure rely on multiple automated systems to keep everything functioning normally and keep everyone safe.
Adding visibility to the Invisible
Unlike the police officer who rushes to be seated facing the crowd, or the firefighter who notes the exit paths, there is no way to physically observe what is occurring with many automated systems. Recent incidents that targeted water treatment plants demonstrate the need for better security, as well as better monitoring. This is where Tripwire can help in a couple of different ways.
First, knowing how these systems are configured is key to ensuring everything is functioning normally. When a configuration item changes, Tripwire can help you evaluate whether that change takes the device into an insecure state or not. Tripwire can also help determine if that change was authorized or not by verifying if there was a ticket in your change management system that went through the appropriate change control process.
Second, Tripwire can assist in understanding the vulnerability risk posture of your critical assets. This allows you to make informed decisions of what systems need to be mitigated, patched, or firewalled to prevent unauthorized access. All of this while being able to report on the progress of remediation and risk reduction either with reporting out of the Tripwire toolset or by integrating with your ticketing system.
The key to protecting the invisible is staying invisible. Understanding what risks are in your environment will help you prioritize your time and reduce the impact to your user base, all while ensuring the automated systems continue to function properly, and remain available.