Security Technology Executive

SEP-OCT 2017

Issue link: https://securitytechnologyexecutive.epubxp.com/i/870734


SECURITY TECHNOLOGY EXECUTIVE • September/October 2017 • www.SecurityInfoWatch.com

Continued from page 8 / Continued from page 10

Cyber Security Profiles for Physical Security Systems

2) Document System Management Practices.

• Device and System Updates. Document when and how systems and devices are patched and updated, and establish a sound policy for updates if you don't already have one.

• Systems and Device Access Management. Document the access management for human users as well as system users, such as video management systems.

  — User Roles and Responsibilities. List the authorized users, along with their roles, responsibilities, and the details of access provided. Verify that access has been provided according to the principle of least privilege (see Wikipedia). Delete or revise user accounts for personnel whose system responsibilities have been eliminated or changed. Be sure to include cameras and other devices having service contractor user accounts. Service contractor password management is often neglected.

  — User Password Management Practice. Document the existing password management practice. Check to see if it complies with the requirements for corporate IT systems. If there is no policy in place governing the management of user accounts and passwords, create one and apply it.

  — Authentication and authorization for system integrations and device management. For example, video management systems and video analytics applications utilize camera user accounts. Your security integrator or IT department can assist you in identifying how digital certificates are used, how encryption keys are managed, and how API security is applied to systems integrations.

3) Perform a Scan of the Network, and Optionally the Security Applications. Obtain status and performance information for the security systems infrastructure.

• Scan. Perform (or have IT perform) an Nmap (Network Mapper) or similar scan of your security system network. Alternatively, you could use a cloud-based scanning service.

• Manage. You could also obtain even more information by utilizing a cloud-based service including application level assurance, such as Viakoo, which automatically verifies the performance and integrity of physical security systems and devices, provides automated proof of system compliance (such as video retention), and collects diagnostic information for proactive and predictive infrastructure management.

• Take Action. Follow up based upon the information obtained. Disable outdated versions of TLS, SNMP and other vulnerable protocols. Use secure versions of network protocols wherever possible.

4) Have Internal IT or an IT Service Provider Determine the Physical Security Systems Cyber Security Profile.

• This should include internal and external (via the Internet) system penetration testing, as well as a review to see if protections are in place given known vulnerabilities of specific products or product types.

• Create an action plan to follow up on the recommendations provided.

A big benefit of these four steps is achieving a high level of visibility of the state of the physical security systems infrastructure, which benefits system troubleshooting and maintenance work as well as planning for system enhancements.

My Crash Course in Hacking

• QR Code Generator Attack: Generates QR codes that, when scanned, redirect the victim to the attacker's site.

• PowerShell Attacks: PowerShell provides easy access to all major functions of an operating system. It is a framework based on .NET that offers a command line shell and a scripting language for automating and managing tasks. Installed by default on all new Windows machines, its management features can also work with virtual or Linux environments. It is attractive to hackers for many reasons, including stealth, obscurity, forensic resistance, and hacker community tools and support. It has been the go-to choice to attack banks, governments, and corporations.

About Metasploit and the Social Engineering Toolkit (SET)

The Metasploit Framework is an open source penetration tool used for developing and executing exploit code against a remote target machine. First released in 2003, Metasploit has the world's largest database of public, tested exploits and has become the de facto standard for penetration testers. Owned by Rapid7, its development is largely driven by the security community. As new vulnerabilities are discovered, its architecture helps developers develop working exploits around them. While public repositories of exploit code may be available, code delivered through Metasploit has been pretty well vetted.

It is available for Mac and Windows, but it's probably safest to run it on a dedicated Linux machine. If you get serious about delving further, Kali Linux is a free download from www.kali.org that contains a host of pre-installed security tools. For less than $100 for VMware or VirtualBox, you can set your machine up to run virtual machines, including Kali Linux. Metasploit and SET can be run from this platform.
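
For step 3 of the Cyber Security Profiles checklist above (scan the security system network, then disable outdated versions of TLS, SNMP and other vulnerable protocols), one way to turn scan output into an action list. This is an added example, not from the article: it assumes Nmap XML output from a run with service detection and the ssl-enum-ciphers script, the sample XML is constructed, and treating telnet and FTP as "other vulnerable protocols" is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `nmap -sU -sV --script ssl-enum-ciphers -oX` output;
# addresses are documentation-range placeholders, not real scan results.
SAMPLE_XML = """<nmaprun>
<host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
 <port protocol="tcp" portid="443"><state state="open"/><service name="https"/>
  <script id="ssl-enum-ciphers"><table key="TLSv1.0"/><table key="TLSv1.2"/></script></port>
 <port protocol="udp" portid="161"><state state="open"/>
  <service name="snmp" product="SNMPv1 server" extrainfo="public"/></port>
 <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
</ports></host>
<host><address addr="192.0.2.20" addrtype="ipv4"/><ports>
 <port protocol="tcp" portid="443"><state state="open"/><service name="https"/>
  <script id="ssl-enum-ciphers"><table key="TLSv1.2"/><table key="TLSv1.3"/></script></port>
 <port protocol="udp" portid="161"><state state="open"/>
  <service name="snmp" product="SNMPv3 server"/></port>
</ports></host>
</nmaprun>"""

LEGACY_TLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}   # protocol versions to disable
CLEARTEXT = {"telnet", "ftp"}                  # assumed "other vulnerable protocols"

def find_legacy_services(xml_text):
    """Return sorted (address, port/proto, finding) tuples for open ports only."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed or filtered ports are not an exposure
            where = f'{port.get("portid")}/{port.get("protocol")}'
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            product = svc.get("product", "") if svc is not None else ""
            if name == "snmp" and "SNMPv3" not in product:
                findings.append((addr, where, f"legacy SNMP ({product or 'version unknown'})"))
            if name in CLEARTEXT:
                findings.append((addr, where, f"cleartext {name}"))
            for table in port.findall("script[@id='ssl-enum-ciphers']/table"):
                if table.get("key") in LEGACY_TLS:
                    findings.append((addr, where, f"legacy {table.get('key')} enabled"))
    return sorted(findings)

if __name__ == "__main__":
    for addr, where, finding in find_legacy_services(SAMPLE_XML):
        print(f"{addr:15} {where:8} {finding}")
```

Each finding maps to one follow-up item for the action plan in step 4: the device address, the port, and the protocol version to disable or replace.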
