Beyond the Surface.
Overcoming the Vulnerabilities of IP-Based Security.

Dominic Norton, Sales Director

20 May 2024

It’s not so long ago that the business of keeping a physical site secure was straightforward, grounded in standalone, isolated systems.

With little more than a series of CCTV cameras connected by coaxial cable, and alarm systems triggered by the opening of windows or doors, security installations were untroubled by software vulnerabilities or network breaches.

These systems enjoyed some attractive benefits over present day security architectures. The data, such as video recordings, was stored on tapes that needed physical retrieval for viewing, making theft physically demanding. Because these systems were not connected to the internet, they were insulated from remote hacking. There were no passwords to be stolen, no firmware updates needed, and no worries about software patches.

The contrast with today is stark. Modern systems are integrated and interconnected, capable of being managed remotely and frequently reliant on the internet. While this provides flexibility and scalability, it introduces points of vulnerability that simply did not exist before.


How today’s security estates function.

The architecture of security systems has of course evolved dramatically. The shift to IP-based systems transformed how we monitor, control and secure both physical and digital spaces, and has been fuelled by the advent of the IoT, which allows a vast array of devices to be interconnected, offering unprecedented control and monitoring.

Modern systems are considerable feats of integration, combining video surveillance, access control, environmental monitoring and more into a cohesive network, leveraging the internet to provide real-time surveillance and remote management.

As an example, a state-of-the-art security setup at a remote construction site might include mobile units equipped with facial recognition technology to control access, while CCTV systems monitor for safety and security breaches. Smart locks manage entry to restricted areas, and advanced motion sensors detect unauthorised movement, instantly alerting security personnel via smartphones or other devices. These systems are complemented by ANPR (Automatic Number Plate Recognition) technology to track vehicle movements, enhancing logistical efficiency and security.

The advantages are easy to see. By reducing the need for constant human monitoring, modern systems lower staffing costs. Real-time and wider surveillance capabilities allow for comprehensive monitoring of large and multiple areas, including mobile and remote locations. Today’s systems can intelligently analyse data to detect anomalies, from unauthorised entry to environmental hazards like smoke or toxic gas leaks, enabling rapid response. The centralisation of monitoring and control functions onto Cloud-hosted platforms facilitates efficient management of security operations across multiple locations.

The shift from isolated, analogue systems to interconnected, digital platforms has not only enhanced the scope and efficiency of security operations but also introduced new dynamics in security management. Businesses and solution providers can now integrate disparate components into a unified surveillance and security network, providing more complete oversight and significantly improving the capability to manage security remotely.


The vulnerabilities and challenges of modern IP-based systems.

Thankful as we should be for the capabilities of modern IP-based security systems, we must also confront their weaknesses. Putting these devices on a network opens up vulnerabilities that can compromise both the security of data and that of the physical premises. Understanding them is crucial for mitigating risk.

  • Default usernames and passwords: Many devices ship with factory-set default credentials, often published in vendor manuals or easily guessable. Leaving them unchanged leaves the device wide open, and attackers routinely scan for exactly this.
  • Lack of segmentation: If cameras, door controllers and the corporate LAN share one flat network, a single compromised device becomes a foothold for reaching everything else. Segmentation (separate VLANs with firewall rules between them) limits how far a breach can spread.
  • Open ports: Management and video interfaces (web UIs, SSH, Telnet, RTSP) are needed for remote access but are also the attacker’s entry points, especially when reachable from the internet. They require an accurate inventory, continuous monitoring and strict access control.
  • Wireless connections: While offering flexibility and reduced installation costs, wireless links are susceptible to eavesdropping, jamming and rogue access points. Securing them requires current encryption (WPA2 or WPA3 rather than WEP or open networks) and ongoing vigilance.
  • Outdated firmware and cryptography: Devices and protocols that are not updated to address known vulnerabilities, or that still rely on deprecated ciphers, are easy targets for attackers.

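As an added illustration of how these five weaknesses are checked in practice (example code written for this page, not from the article or any vendor), the script below audits a constructed inventory export of a small site. The device names, models, credential pairs, port lists and the vendor firmware baseline are all assumptions; a real review would feed it the estate’s actual asset register and the vendor’s published firmware versions.

```python
"""Attack-surface review of an IP security estate from an inventory export.

Added example (not from the article or any vendor): the inventory, the
default-credential list and the vendor firmware baseline are all constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed list of factory credential pairs to test configured logins against.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "12345"), ("root", "root"), ("admin", "")}

# Constructed baseline: latest firmware per model, as (major, minor, patch).
CURRENT_FIRMWARE = {"cam-x1": (5, 7, 2), "nvr-8": (3, 1, 0), "lock-s2": (2, 4, 9)}

# Ports that expose a management or video interface: SSH, Telnet, HTTP(S), RTSP, vendor web UIs.
MANAGEMENT_PORTS = {22, 23, 80, 443, 554, 8000, 8080}

# Wireless link protections considered inadequate today (anything below WPA2 with AES).
WEAK_WIFI = {"open", "WEP", "WPA", "WPA-TKIP"}


@dataclass
class Device:
    name: str
    model: str
    firmware: Tuple[int, int, int]
    credentials: Tuple[str, str]          # (username, password) as configured
    segment: str                          # VLAN or subnet label the device sits in
    internet_reachable_ports: Set[int] = field(default_factory=set)
    wifi_security: str = "wired"          # "wired" or the Wi-Fi protection in use


def fmt_version(v: Tuple[int, int, int]) -> str:
    return ".".join(str(x) for x in v)


def audit_device(dev: Device, corporate_segments: Set[str]) -> List[str]:
    """Return one finding per weakness from the list above that this device exhibits."""
    findings = []
    if dev.credentials in DEFAULT_CREDENTIALS:
        findings.append("default credentials in use")
    current = CURRENT_FIRMWARE.get(dev.model)
    if current is None:
        findings.append("model not in firmware baseline, patch level cannot be assessed")
    elif dev.firmware < current:                       # tuple comparison is lexicographic
        findings.append(f"firmware {fmt_version(dev.firmware)} behind vendor current {fmt_version(current)}")
    exposed = dev.internet_reachable_ports & MANAGEMENT_PORTS
    if exposed:
        findings.append(f"management ports reachable from the internet: {sorted(exposed)}")
    if dev.segment in corporate_segments:
        findings.append(f"shares segment '{dev.segment}' with corporate systems; no segmentation")
    if dev.wifi_security in WEAK_WIFI:
        findings.append(f"wireless link uses {dev.wifi_security}; eavesdropping and injection risk")
    return findings


def audit_estate(devices: List[Device], corporate_segments: Set[str]) -> Dict[str, List[str]]:
    return {d.name: audit_device(d, corporate_segments) for d in devices}


# Constructed inventory for a small site; segments and port lists are illustrative.
CORPORATE_SEGMENTS = {"corp-lan", "office-wifi"}
INVENTORY = [
    Device("cam-gate-01", "cam-x1", (5, 4, 0), ("admin", "12345"), "corp-lan", {80, 554}),
    Device("nvr-site", "nvr-8", (3, 1, 0), ("secops", "x9!Lq2#vT7"), "cctv-vlan"),
    Device("lock-yard", "lock-s2", (2, 4, 9), ("installer", "Yard!2024"), "access-vlan", wifi_security="WEP"),
    Device("sensor-pir", "pir-9", (1, 0, 0), ("admin", "admin"), "access-vlan", {8080}, "WPA2"),
]
REPORT = audit_estate(INVENTORY, CORPORATE_SEGMENTS)

if __name__ == "__main__":
    for name, findings in REPORT.items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

The unknown-model case is reported rather than silently passed: a device the baseline does not know about is exactly the one nobody is patching.
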
The consequences of these vulnerabilities can be severe. A breach can lead to unauthorised access to live and archived video feeds, compromising the privacy and security of individuals and assets. In industrial settings, attackers can take control of operational technology, leading to physical damage or disruption of critical processes.

Why a better solution is required.

With IP-based security systems today ubiquitous, a robust defensive strategy is now more critical than ever.

Hackers may not be interested in the security installation itself, but simply looking for a vulnerability as a way into a company’s network to reach customer information, financial records and intellectual property. Alternatively, their intention may be to launch disruptive attacks designed to cause chaos, damage reputation or halt operations, such as DDoS (Distributed Denial of Service) attacks, malware infections or tampering with critical systems to render them unusable.

Attacks of this kind are becoming more prevalent and sophisticated, with attackers using AI and machine learning to find weaknesses in the internet-facing attack surface of security systems more quickly.

AI-powered tools expedite the scanning and reconnaissance of networks, swiftly identifying vulnerabilities and potential entry points. These tools are complemented by machine learning algorithms that enable attackers to adapt their strategies dynamically, tailoring their methods in response to the defensive mechanisms they encounter.

AI is also adept at recognising patterns and anomalies within network behaviour, signals that often pinpoint security weaknesses. Its natural language capabilities are frequently employed in crafting convincing phishing emails and social engineering schemes, customised to increase the likelihood of deception. Once a vulnerability is found, AI can help automate exploitation, generating and running attacks with minimal human oversight, and can assist in discovering previously unknown (zero-day) flaws before a vendor patch exists.

Additionally, AI aids in the development of malware designed to evade traditional security controls, such as antivirus programs and signature-based detection systems, by altering its behaviour or structure to remain undetected.

The necessity is thus to address vulnerabilities proactively: review and manage the attack surface, understand how endpoints and devices are connected, and so guard against malicious attacks and unauthorised access while maintaining data privacy.

One approach is to place devices behind Carrier Grade NAT (CGNAT), so that each device holds only a private address and the carrier translates its outbound traffic to a shared public one. Because the translator has no mapping for an unsolicited inbound connection, this hides the device from internet-wide scanning, but only where the device initiates every transmission. If remote access is required for management and updates, the device needs a public IP address, which leaves its management interfaces reachable by anyone on the internet. NAT is also an addressing mechanism rather than a security control: it does nothing about weak credentials or unpatched firmware once a session exists.

As a result, secure networks are often implemented using encryption and IPsec VPN tunnels. As the number of connected devices and sites grows, however, the number of tunnels to configure, key and maintain grows with it (a full mesh between n sites needs n(n-1)/2 tunnels), and deployment becomes increasingly complicated and time-consuming.

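To make the addressing trade-off concrete, the following added example (not from the article or from Spitfire; device names, addresses and the assumed management ports are constructed) models which devices in a small fleet are reachable from the internet under Carrier Grade NAT versus a public address, and how many IPsec tunnels would be needed if management were carried over VPN instead.

```python
"""Exposure of IP security devices under Carrier Grade NAT versus public addressing,
and the tunnel count if management is carried over IPsec instead.

Added example (not from the article or any carrier): device names, addresses and
the management-port set are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Tuple

CGNAT_SPACE = ip_network("100.64.0.0/10")  # RFC 6598 shared address space used by carriers
RFC1918_SPACE = (ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16"))
MANAGEMENT_PORTS = (22, 443)  # assumed: SSH and an HTTPS admin UI listening on every device


@dataclass(frozen=True)
class Device:
    name: str
    address: str               # address the device holds on the carrier or site network
    inbound_management: bool   # does anyone need to connect *to* it for config or updates?


def address_class(address: str) -> str:
    ip = ip_address(address)
    if ip in CGNAT_SPACE:
        return "cgnat"
    if any(ip in net for net in RFC1918_SPACE):
        return "private"
    return "public"  # everything else is treated as routable from the internet


def internet_exposed_ports(device: Device) -> Tuple[int, ...]:
    """Ports an unsolicited internet client can reach.

    Behind CGNAT or site NAT the translator holds no mapping for an inbound SYN, so
    nothing is reachable, although the device can still push video and alerts out.
    On a public address every listening port is reachable by anyone.
    """
    if address_class(device.address) in ("cgnat", "private"):
        return ()
    return MANAGEMENT_PORTS


def assess(devices) -> Dict[str, str]:
    """Classify each device: does its addressing match its management need, and at what exposure?"""
    verdicts = {}
    for d in devices:
        exposed = internet_exposed_ports(d)
        if d.inbound_management and not exposed:
            verdicts[d.name] = "needs_public_address_or_vpn"     # CGNAT blocks the access that is required
        elif d.inbound_management:
            verdicts[d.name] = "manageable_but_internet_exposed"  # works, but ports are open to the whole internet
        elif exposed:
            verdicts[d.name] = "needlessly_exposed"               # outbound-only device on a public address
        else:
            verdicts[d.name] = "hidden_outbound_only"             # CGNAT is adequate here
    return verdicts


def ipsec_tunnels(endpoints: int, full_mesh: bool) -> int:
    """Tunnels to configure and key: n-1 for hub-and-spoke, n(n-1)/2 for a full mesh."""
    return endpoints * (endpoints - 1) // 2 if full_mesh else endpoints - 1


# Constructed fleet. 203.0.113.0/24 is a documentation range standing in for real public addresses.
FLEET = [
    Device("cam-mast-1", "100.72.19.4", inbound_management=False),
    Device("nvr-cabin", "100.72.19.9", inbound_management=True),
    Device("anpr-gate", "203.0.113.17", inbound_management=True),
    Device("sensor-hub", "203.0.113.18", inbound_management=False),
]
VERDICTS = assess(FLEET)

if __name__ == "__main__":
    for name, verdict in VERDICTS.items():
        print(f"{name:12} {verdict}")
    print("20 endpoints hub-and-spoke:", ipsec_tunnels(20, False), "tunnels; full mesh:", ipsec_tunnels(20, True))
```

A device that only pushes video out is adequately hidden behind CGNAT; the moment an engineer needs to connect in, the choice becomes a public address with exposed ports or a tunnel, and it is the tunnel count that grows awkwardly as sites are added.
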
The challenge of achieving an all-round better solution.

The growing complexity and interconnectedness of modern security systems necessitates a proactive approach to manage and secure the network infrastructure effectively. As the number and variety of connected devices increase, the attack surface of a network expands, with each device potentially offering a gateway for unauthorised access. Managing this requires a comprehensive review of how devices are interconnected and the potential vulnerabilities each connection introduces.

In tandem, modern networks employ encryption, IPsec VPNs and other tunnelling protocols to secure data in transit. As the scale of the network grows, so does the complexity involved in updating, managing and supporting it. Each addition or change introduces potential points of failure and vulnerabilities that must be managed to avoid compromising integrity.

To effectively safeguard against these threats, regular reviewing and updating of the network configuration and security settings is required to ensure all components are operating with the most current security protocols. Robust encryption methods are needed to protect data at rest and in transit, making it more difficult for unauthorised parties to access or intercept sensitive information. The network can also be divided into smaller, manageable segments so that potential breaches can be isolated and stopped from spreading.

Implementation of these measures is resource-intensive and time-consuming. It requires continuous monitoring and rapid response capabilities, which can strain an organisation’s operational capacities. What’s more, setting up and maintaining such a system often leads to human errors, which can undermine the entire infrastructure.


A better solution altogether?

This catalogue of challenges points to the conclusion that the time has come for a robust and effective solution that can secure security installations and eliminate their inherent vulnerabilities.

As exposure to the public internet lies at the heart of the majority of such vulnerabilities, the most desirable solution is for a network able to connect unlimited devices, systems, locations, and applications without exposure to the public internet. In effect, a fully secure, private network with fast, easy connection, control and communication between all devices.

Such a network (Spitfire’s ‘One Network’ is currently the sole example that represents a realistic model for SME organisations) offers a paradigm shift in how security systems are deployed and managed.

A private, closed network of this kind avoids the public internet entirely. This not only enhances security but also simplifies the management of security systems. By removing internet exposure it shrinks the attack surface: devices that are not reachable from the internet cannot be found by internet-wide scanning, and because all data stays within the private network the risk of interception or unauthorised access is much reduced. The devices themselves still need the basic hygiene described earlier (changed default credentials, current firmware, segmentation between camera, access-control and office traffic), since a private network limits who can reach them rather than what an attacker could do once inside.

Operational benefits are substantial. By using a single secure network for all communications, the need for multiple complex configurations and management of different internet-based security systems can be eliminated. Deployment becomes faster and less complicated, as the network architecture is simplified and standardised. Costs associated with securing internet-facing interfaces are also reduced, lowering operational expense.

The design of a single network architecture of this kind allows for flexibility in deployment, making it suitable for environments ranging from remote sites without fixed line internet access to urban settings where security and speed are paramount. For example, a construction site could use mobile data SIMs for device connectivity, high-quality CCTV through fixed line fibre circuits, and direct Cloud platform access, all within the same secure network.

This not only meets modern security demands but also offers a robust framework that can adapt to future challenges without the overhead or exposure of internet-facing IP-based systems.

Securing the best of both worlds.

The progression from isolated, standalone security systems to systems on interconnected, complex networks undoubtedly increased our security capabilities, but at the cost of introducing new risks and challenges.

With secure, private networks today a realistic option for SME businesses (through products like Spitfire’s One Network), why not leverage a solution that delivers all of the security features and functionality of the best modern installations, without exposing them to the public internet?

As published in Security Matters, May 2024