Kroll has seen cases that are not dissimilar. In one example, we were engaged to conduct a vendor-neutral review of a company's data security, and in the course of our penetration testing, we determined that there was an external Internet-based connection to a company that had been engaged to install and maintain a network of security sensors and cameras. This network of cameras, controllers and digital recorders, which ran over the company's corporate IT network, primarily allowed on-site security personnel to observe the camera images, steer the cameras, respond to alarms, and control the recording of camera images.
The vendor had the ability to log into the network to maintain the camera software and diagnose problems with the security systems. We determined that there were some significant issues.
- First, when the access account had been provisioned for the security vendor, it wasn't assigned to an individual, but to the vendor so that anyone could use it.
- It was provisioned with an initial and trivial default password, and there was no requirement that the password be changed. In fact, we learned that it was known to a number of employees (and former employees) of the vendor.
- There was no test in place to see if the vendor's log-in came from a known IP address associated with the vendor.
- There was no audit to see if the access using the vendor's account was reasonable – something the company's facilities manager could easily have done.
- The vendor was not required to maintain security controls equivalent to those of the company.
- Finally, once in the network, an intruder with those security company credentials could pivot and reach parts of the network unrelated to the security system.
Over the past few years, there has been recognition of the advantages of running multiple systems over a single IP network. As network speeds have increased, it has made sense not to run parallel networks for infrastructural elements like security, environmental management and similar support systems. But we have found that in many cases, the security issues relating to these systems are not well understood, since it seems like they just use the network for data transport. Of course, as real-world cases demonstrate, it isn't that simple.
These infrastructure support systems must often be accessed by vendors as well as company personnel. Even for company personnel, there may be a need for remote access to respond to off-hour emergencies. As a result, many of these systems must be reachable online from outside the company. That leads to the issue of authentication. Who has the access? How is it authenticated? Are access credentials tied to an individual, or are they just supplied to a vendor for anyone to use? Are strong passwords required, and have they been changed recently? Is account usage subject to audits?
The other issue is connectivity. Are the users of these accounts (particularly vendor accounts where they don't need access to other company online resources) limited to the specific level of access they require? Are they limited to accessing the specific devices and applications they need, or is it just assumed that's what they will do?
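The audit the text says the facilities manager could easily have done (checking that vendor logins come from the vendor's known addresses, happen at reasonable times, are not being shared, and that the default password was ever changed) can be a few lines of script over the remote-access gateway's login export. The following is an added example, not Kroll's tooling or the customer's; the account name, vendor IP range, maintenance window, password-age limit and log lines are all constructed for illustration.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed policy values: the vendor's egress range, the hours in which
# maintenance is expected, and how old a password may be before it is flagged.
VENDOR_ALLOWLIST = [ip_network("203.0.113.0/24")]
MAINTENANCE_HOURS = range(8, 18)          # 08:00-17:59 local time
MAX_PASSWORD_AGE = timedelta(days=90)

# Constructed sample export: (timestamp, account, source IP) per successful login.
SAMPLE_LOGINS = [
    ("2023-03-01 09:12:00", "cctv-vendor", "203.0.113.17"),
    ("2023-03-01 09:30:00", "cctv-vendor", "203.0.113.42"),  # second IP, same account
    ("2023-03-03 02:47:00", "cctv-vendor", "198.51.100.9"),  # off-hours, unknown IP
]
# Constructed: date the account's password was last set (the provisioning default).
PASSWORD_LAST_SET = {"cctv-vendor": "2021-01-15"}

def audit_vendor_logins(logins, pw_last_set, now, allowlist=VENDOR_ALLOWLIST):
    """Return one (when, account, reason) tuple per condition worth reviewing."""
    findings = []
    last_seen = {}  # account -> (timestamp, ip) of the previous login
    for ts_str, account, ip_str in logins:
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        ip = ip_address(ip_str)
        if not any(ip in net for net in allowlist):
            findings.append((ts_str, account, "login from IP outside vendor allowlist"))
        if ts.hour not in MAINTENANCE_HOURS:
            findings.append((ts_str, account, "login outside maintenance window"))
        prev = last_seen.get(account)
        # Two different source IPs on one account within an hour suggests sharing.
        if prev and prev[1] != ip and ts - prev[0] < timedelta(hours=1):
            findings.append((ts_str, account, "same account active from two IPs within an hour"))
        last_seen[account] = (ts, ip)
    for account, set_on in pw_last_set.items():
        age = now - datetime.strptime(set_on, "%Y-%m-%d")
        if age > MAX_PASSWORD_AGE:
            findings.append((set_on, account, f"password unchanged for {age.days} days"))
    return findings

def run_sample_audit():
    """Run the audit over the constructed sample as of a fixed review date."""
    return audit_vendor_logins(SAMPLE_LOGINS, PASSWORD_LAST_SET, datetime(2023, 3, 5))

if __name__ == "__main__":
    for when, account, reason in run_sample_audit():
        print(f"{when}  {account}  {reason}")
```

Each finding maps to one of the issues listed above; the same checks work unchanged on any export that carries a timestamp, account and source address.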