Much like the daily government outrage or presidential tweet, ubiquitous cyber-system breaches have become mind-numbing in their frequency, rendering them almost invisible in their urgency. While the prime-time breaches like those at Equifax, Target and Sony Pictures tend to grab the headlines and reveal the seemingly endless vulnerabilities of traditional IT network systems, there are also a growing number of insidious attacks that are now creating huge implications with regards to the vulnerabilities of network-centric physical security systems.
Just last month, the vpnMentor’s research group’s team of hacktivists discovered the network of The Pyramid Hotel group, which included Marriott and several other top hotel brands across the country, had been penetrated. The Pyramid Hotel Group utilizes Wazuh – an open source intrusion detection system that was on an unsecured server. The hack revealed a cybersecurity leak that included information regarding their operating systems, security policies, internal networks, and application logs and, at the same time, left the door wide open on vulnerabilities in the giant hotel brand’s network that could enable cyber criminals to launch massive future attacks.
The data leaks included all sensitive information that we’ve come to expect from such an attack:
- Server API key and password
- Device names
- IP addresses of incoming connections to the system and geolocation
- Firewall and open ports information
- Malware alerts
- Restricted applications
- Login attempts
- Brute force attack detection
- Local computer name and addresses, including alerts of which of them has no antivirus installed
- Virus and Malware detected on various machines
- Application errors
- Server names and OS details
- Information identifying cybersecurity policies
- Employees’ full names and usernames
- Other telling security data
Expanding Threats, New Risks
However, what makes this attack most concerning to those in charge of physical access control systems – especially those charged with securing hotel and resort facilities – the information reaped from the hotels’ databases allows any would-be attacker the ability to monitor the hotel networks and, according to the vpnMentor team: “gather valuable information about administrators and other users, and build an attack vector targeting the weakest links in the security chain. It also enables the attacker to see what the security team sees, learn from their attempts based on the alerts raised by the systems, and adjust their attacks accordingly.”
The White Hat hackers added that, “It’s as if the nefarious individuals have their own camera looking in on the company’s security office.” They said that in a worst case scenario the leak not only put the hotel networks at risk, but also endangered the physical security of hotel guests and other patrons since bad actors could now potentially compromise multiple devices that control hotel locking mechanisms, electronic in-room safes along with other physical security devices tied to the networks.
After the news of this chilling hotel data breach broke in Forbes magazine, John Carter, co-founder and CTO of ReconaSense, a provider of physical security intelligence and next-gen risk-adaptive access control that offers the industry an advanced security and risk intelligence platform that incorporates artificial intelligence (AI) on an artificial neural network (ANN), admits that despite physical security risks that threaten lives and sensitive data, too many organizations still keep physical security data isolated from infosecurity data. In many cases, a physical wall literally separates a Network Operation Center (NOC) and physical security teams from sharing intelligence.
“Attackers who gain physical access to a computer can further invade and wreak havoc across multiple connected IT systems - and vice versa. In this latest hotel systems breach, cybersecurity flaws expose critical IT data as well as physical security systems such as key cards, video cameras, motion detectors, and other devices that ensure guest and employee safety. AI-powered solutions can detect anomalies and identify threats across an entire security infrastructure (IT and physical) before a breach occurs, enabling teams to go beyond managing siloed data and alerts to achieving true situational awareness and rapid response capabilities,” says Carter.
Finding the Right Solution for the Threat
Carter, who is a former NASA engineer, SIA Board Member and Homeland Security Advisory Group chair, has been involved in the security and access control space for more than 25 years. His background provided insights into the world of cyber and network vulnerabilities as physical access control and video surveillance began to migrate into the IP space. He says that as he and those he has worked with along the way saw where this convergence of physical and logical technologies was taking the industry, it mandated that the way physical security vendors approach solutions require they tread in both worlds. He advises that they create technologies that would move beyond traditional reactive methods to robust proactive and analytical solutions.
“At ReconaSense we decided to go out and build a system, first and foremost, that is an open platform. From my days being on the Security Industry Association board of directors and driving open standards for so long, it only made sense to start from the very beginning with an ability to deal with the open systems and physical security that we are all familiar with, but do it with an eye towards complete interaction with cybersecurity technology. We need to be able to communicate and alert, not just the obvious breach where my system will tell you a couple of things and your system tells me a couple of things, but a real handshake, a real discussion, so to speak, between systems,” Carter stresses. “We have built the system using artificial neural networking and artificial intelligence as a layer above all of the standard systems that we are all used to: physical security, access control, video systems, intruding detection, data systems, and even weather plug-ins at this point. We've done it with an eye towards looking at things that are not traditional policy breaches.”
Carter points out that the ability to incorporate artificial neural networking, where an access control system is learning and training itself to “think” and identify unusual activity that has not broken the defined policy, but provides a scoring matrix that can evaluate risk is a step towards making physical security systems behave analytically.
“When you look at it (physical security systems) in conjunction with a cyber system, they do very much the same thing, looking at the trends, and the habits, and the use of traffic on them, and when they would expect traffic, what files would expect to be hit, and how they would expect those to be looked at and used and manipulated throughout the day. We do the same thing with the physical side and with our cyber-side protection,” Carter says.
Owning the Data and Analyzing It
The hard truth is that many physical security departments rely on an IT department to protect hard data or information – basically leaving cyber network protection to the cyber-side of the house.
“When we look at what happened with the Pyramid Group, we see that really didn't take place. Our system is like a cyber-based system; constantly monitoring the activity of the data systems that we manage and control. That's critical. It is just as critical as being able to lock down a door in an active shooter situation. It is just as critical as being able to dispatch life safety in a physical security event because the data that we're protecting, just like the cyber side of the equation, is life safety, is human assets,” Carter adds.
Carter is adamant about bringing the sophistication and analytic levels of access control systems on par with advanced video surveillance where data-gathering and analytics are scored, and risk dashboards enhanced as a result. He alludes to the fact that many organizations face insider threats that escapes conventional security and risk analytics until it is too late.
“If you look at the hospitality groups, like the one that we just read about, they're open to public areas. There's a lot of activity that is going on, where no rules are obviously being broken, or nothing is being scored, evaluated, or monitored by an AI security-controlled system,” says. Carter. “If you assess video analytics, you're looking for specifics. You might count the number of people that cross a line. You might look for a crowd gathering. You might look for particular license plates. But unless it is breaking a rule, you don't do anything with it. It is crucial now that we do a lot of associations on the physical security side. Say for instance, that a staffer has started coming in later in the evening or coming in on holidays when nobody else is around. That staffer can do that because your role-based access control system allows him to do that, because it can't adapt to risk.”
With advanced AI and learning-based access control systems evolving in the market, Carter is confident the access control environment can now provide the missing link between data and pro-active analytics. He adds: “doing that has made the IT people interested because they see it now more as security information, not just physical control.”
Security versus Convenience
The vpnMentor team calculates after reviewing data going back as far as April of this year when The Pyramid Hotel Group’s servers were either being set up, reconfigured or subject to standard maintenance, indications are that the server was compromised and left open for attack. While records show that Pyramid Hotel Group was quick to rectify the vulnerability, the fact remains that the hospitality sector is not subjected to the same stringent regulatory cyber-risk pressures as others like finance and banking, and therefore may not be as proactive in their security approach.
Security consultant, Distinguished Fellow at the Ponemon Institute and former CSO of Boston Scientific, Lynn Mattice, is vehement that breaches like this are not acceptable and can no longer be ignored.
“With so many cyber breaches having occurred over the last decade and the extensive news coverage they have received, corporate leadership no longer can claim ignorance about their responsibilities relative to maintaining the security over their IT software, hardware and networks.” Mattice claims. “Failure to maintain effective security controls over the intellectual capital of their enterprises in today’s hyper-connected cyber world rises to the level of gross negligence and is a breach of the fiduciary responsibility of corporate executives and their boards of directors.”
For Carter, the breach of the Pyramid Hotel Group and its impact on the access control system was the perfect storm.
“There is always an exciting push out there to say, ‘I am using open-source systems, open source data’ - databases like the one that was used. It was improper configuration and procedural approaches to utilization of technology that was certainly at fault. But even with the technologies that are there, even if you create something that works, so to speak, as an open source that can be implemented and utilized, people that are creating that should, by default, put them in lockdown situations not open to the public,” admonishes Carter. “When you have a wide-open system, you lock down your perimeter and you work back from there. Then you determine who has procedural access to it, or physical access to it, or data access to it. I think so many locations start with wide open because they consider it to be convenient. When you do that and you walk away and you leave it that way, and you're using a third party company to install it that might not be up to speed on the latest approaches to protect information, then this is the kind of the thing that can happen. The technology that they used is convenient. It is open. It is all those things, but it is not necessarily designed for the environment that they utilized it for.”
About the Author:
Steve Lasky is the Editorial Director of Endeavor’s SecurityInfoWatch Security Media, which includes print publications Security Technology Executive, Security Business, Locksmith Ledger Int’l, and the world’s most trafficked security web portal SecurityInfoWatch.com. He is a 32-year veteran of the security industry and a 27-year member of ASIS. He can be reached at [email protected].