How security companies clueless about logical security will jeopardize your physical security

Kaspersky Lab, an international software security group and creator of various antivirus and Internet security products, recently posted a new press release: "Video Surveillance Systems Under Attack: How Hackers Could Modify Video Feeds in Misconfigured City CCTV Systems."

Lucky for the city in question, this vulnerability had apparently not been exploited by any malicious actors prior to its discovery and correction. Still, for that entire time, the video surveillance system that they had paid for with the hopes of increasing the security and safety of their city was vulnerable to hackers, all due to the lack of IT expertise at their security contractor.

And it's not only cities that are at risk.

Physical and logical security are more converged now than ever before, and that convergence continues every day. To choose a physical security company that lacks the necessary IT knowledge and expertise is to choose to make yourself vulnerable. Vulnerable to CCTV video being modified or deleted, vulnerable to card access credentials being wirelessly skimmed right from your pocket, or card readers being modified (in under a minute!) to allow entrance to attackers. Vulnerable to security systems that, against an informed opponent, don't offer any real security at all.

So how do you protect yourself from such risks? You have two options. The first option is to disconnect all physical security equipment from all IP networks, including the Internet, losing all remote access and management capabilities in the process. (This, of course, isn't an option if you use IP cameras.) The second option is to work with a security company that understands physical and logical security risks, and how to mitigate them.

The choice is up to you.

On standards, vendor lock-in, and how technology advances

The Internet has become such a ubiquitous part of our daily lives that it's hard to imagine what life would be like without it. From a technology perspective it's a truly incredible achievement: hardware and software from thousands of companies working together to form a single, global communication network. Open standards and protocols have created a thriving ecosystem of PCs, phones, tablets, routers, and all the underlying network devices that all work together seamlessly. It's a shining example of the power of interoperability.

Physical security is not.

Too often, people are sold physical security systems without realizing that they're now effectively married to that specific manufacturer and that specific integrator/installer. Many companies intentionally make it difficult and expensive to use their hardware or software with others' hardware and software. Other times you just have the same problem being solved in different, incompatible ways by different companies. Regardless of the cause, the result is incompatibility. If the integrator or manufacturer goes out of business or is purchased, or even if that particular product line is discontinued, you can be left in a situation of having no means of repairing or upgrading the system. If you want to add more devices or capabilities, you're limited to a small portion of what's available. If a device fails, you have to tear the whole system out and start over. Proprietary alarm keypads, serial devices, wireless protocols, card reader protocols, proximity card formats, and more still plague the industry to this day, hindering innovation and emptying users' wallets.

While proprietary systems are great for the companies that manufacture and install them, they are harmful to end-users, and to the industry as a whole. So, before you make a purchasing decision on a physical security system, ask these questions:

  1. Is this system built on established, open protocols and standards? Or, in instances where such standards just haven't been developed yet, is there a published, freely-available API for integration with this system?
  2. Can I buy software or hardware from another manufacturer and have it work with this system?
  3. Can I go to another integrator and have them maintain, repair, and upgrade this system?

Or feel free to give us a call and tap into our expertise, because if the answer to any of those questions is "no", you should immediately reconsider, and we'd be happy to point you towards manufacturers, and even integrators, who prioritize you over their bottom line.