
IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
January 16, 2023



What is credential theft and why should physical security professionals care?

Steve Green, Business Development Manager at Genetec, examines why physical security professionals are so concerned about credential theft, and how they can mitigate the risk through a layered approach that encompasses people, processes and technology.

Steve Green, Business Development Manager, Genetec

Genetec has just shared the results of its 2022 State of Physical Security report, a survey of over 3,700 industry professionals.

One of the interesting findings from the EMEA region was the large proportion of respondents who considered “Credential theft” as a significant concern. Just over 50% of EMEA respondents identified it as the greatest threat to their organisation versus an average of 39.6% globally.

What is Credential Theft?

Credential theft is a form of cybercrime that involves stealing a user’s log-in details or proof of identity to illegally access services or applications. It is often one of the first steps in a targeted cyber-attack and has featured in some of the largest and most damaging data breaches.

Without the right safeguards in place, attacks leveraging a single user’s stolen credentials can begin by gaining access to a single system or device and quickly escalate to the point where customer data, financial information or other sources of personally identifiable information are breached from across a company’s networks. It potentially allows malicious individuals to reset passwords, lock victims out of their accounts, steal private data and even gain access to other devices on the network.

Typically, attackers target specific individuals who hold the high-level privileges they are looking for, or they compromise a low-level, less sophisticated server or platform and steadily elevate their access privileges over time. The targeted individual might be somebody working directly for the company, or for a third party that has been granted access, such as a vendor, installer or consultant.

For example, back in 2013 Target was hit by a data breach using network credentials stolen from the provider of its refrigeration and HVAC systems. The attackers had no interest in the heating and cooling systems themselves, but by using them as an entry point they were able to reach Target’s payment system network and steal the data of approximately 40 million debit and credit cards.

Why are EMEA physical security professionals so concerned?

Globally, physical security professionals should be prioritising safeguards against credential theft as they are the ones within their organisations being asked to fight it on two fronts. They’re also commonly viewed as an attractive target by cybercriminals.

They are directly responsible for physical security systems such as access control and must ensure that credential theft doesn’t lead to unauthorised access to sensitive facilities, rooms and equipment. Equally, they have a responsibility to ensure that the many IP devices they deploy are managed so that they don’t compromise the cyber security of the network.

Physical security professionals occupy a privileged position as gatekeepers and protectors of valuable information about how their organisations operate. Rightly or wrongly, they’re also sometimes viewed as a weak link from a cyber security perspective. Not all physical security professionals have been given the appropriate training in cyber security practices, despite running large IP-based systems. It has to change as it’s no longer possible to treat physical and cyber as separate disciplines. The two rely entirely on each other and are closely intertwined.

Within EMEA there are also additional external factors that are likely to have placed this front of mind. In Europe, the introduction of the General Data Protection Regulation (GDPR) has helped to make data protection a boardroom issue, with the financial and reputational damage associated with data breaches helping to focus minds. The possible penalties make a very compelling argument for why physical security professionals should be securing additional budget and acting to better secure user credentials.


Across the Middle East I’d argue the amount of new infrastructure being built has helped to drive up cyber security standards for physical security systems. Thankfully, cyber security is now a much bigger factor in physical security tenders than it was in previous generations. The comparative lack of legacy infrastructure in these regions is helping to drive up standards in this regard.

How should the industry respond?

Mitigating the risk of credential theft requires a layered approach to security that encompasses people, processes and technology. Physical security professionals should therefore collaborate and work closely with their colleagues in IT to build a unified plan that covers both physical and cyber security considerations.

It’s by no means definitive, but a good place to start is by looking at the authentication and authorisation practices surrounding already deployed physical security systems.

Authentication is the process of validating the identity of a user, server or client app before granting access. The adoption of two-factor authentication, which requires a further form of authentication on top of a username and password, instantly makes stolen credentials less useful on their own.

Authorisation is the process of specifying the exact access rights and privileges for each user. By restricting permissions and access only to that which each user requires to do their job, it is possible to significantly reduce the potential damage that could result from stolen credentials.
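To make the authentication and authorisation principles above concrete, here is an added example (not the article’s or Genetec’s code) modelling a door access-control decision: the role-to-zone table, the zone names and the second-factor rule are assumptions, and the vendor-credential scenario mirrors the Target case described earlier.

```python
"""Constructed example: least-privilege authorisation for a physical access
control system, with a second-factor requirement for sensitive zones."""
from dataclasses import dataclass

# Assumed role-to-zone permissions: each role may open only the zones it
# needs for its job, so a stolen vendor credential cannot reach other areas.
ROLE_ZONES = {
    "hvac_vendor": {"plant_room"},
    "installer": {"plant_room", "comms_room"},
    "security_manager": {"plant_room", "comms_room", "server_room", "front_desk"},
}
# Assumed: zones that require a second factor even with a valid credential.
SECOND_FACTOR_ZONES = {"comms_room", "server_room"}


@dataclass
class AccessRequest:
    user: str
    role: str
    zone: str
    second_factor_ok: bool = False


def authorise(req: AccessRequest) -> tuple[bool, str]:
    """Return (granted, reason). Unknown roles and zones are denied by default."""
    allowed = ROLE_ZONES.get(req.role, set())
    if req.zone not in allowed:
        return False, "zone not in role's permitted set"
    if req.zone in SECOND_FACTOR_ZONES and not req.second_factor_ok:
        return False, "second factor required"
    return True, "granted"


def flag_out_of_scope(requests: list[AccessRequest], threshold: int = 2) -> dict[str, int]:
    """Count denied out-of-scope attempts per user. Repeated attempts outside a
    role's scope are a simple indicator that a credential may be misused."""
    counts: dict[str, int] = {}
    for r in requests:
        granted, reason = authorise(r)
        if not granted and reason.startswith("zone"):
            counts[r.user] = counts.get(r.user, 0) + 1
    return {u: c for u, c in counts.items() if c >= threshold}


if __name__ == "__main__":
    # Constructed log: a vendor credential used for its job, then out of scope.
    log = [
        AccessRequest("vendor1", "hvac_vendor", "plant_room"),
        AccessRequest("vendor1", "hvac_vendor", "server_room"),
        AccessRequest("vendor1", "hvac_vendor", "comms_room"),
    ]
    print(flag_out_of_scope(log))
```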

Further reading: Why the insider threat will motivate cyber and physical teams to collaborate more than ever

Finally, it’s important to look beyond the organisation and evaluate the wider physical security supply chain. Anybody with access to physical security systems can be the weak link so it’s important to build a network of trusted providers. That includes the various vendors that provide components of an organisation’s physical security system, as well as those entrusted with installing or servicing the equipment.

Organisations should begin by asking third parties about their own cyber security policies and practices. A company that is serious about security will be only too happy to discuss how it will work collaboratively to reduce the risk of credential theft and other cyber-attacks. It’s useful to seek tangible evidence of cyber security best practice: for example, vendors should be willing to provide proof of submitting their software to external penetration testing, and installers should be willing to agree to cyber security awareness training for their employees.

In our increasingly connected world, consistently evaluating who has access to what information and for what purpose is important. It’s an encouraging sign that over 50% of EMEA-based physical security professionals view credential theft as the greatest threat to their organisation.

But there is still much more to be done to get the cyber security of physical security to the levels we all want.
