CYBER INTRUSION: Cyber (In)security

As a security professional, clients look to you to protect their family and property.

As a security professional, clients look to you to protect their family and property. Traditional security systems offer both a proactive deterrent and a reactive response to physical threats from all sorts of “bad guys.”

But what about more covert attacks? What about threats to your client’s personal information? Recent national news has centered on the vulnerabilities of “home automation” systems to hacking. Are you protecting your clients from all types of intrusion?

Let’s take a quick look at some of the common hacker attacks.

Wardriving exploits unsecured or poorly secured wireless networks. Hackers drive around a neighborhood with a laptop or other mobile device scanning SSIDs for networks that either use old encryption methodologies which are relatively easy to crack (such as WEP) or are completely unsecured (require no password to associate with the access point).

Wireless networks can be protected against this attack by using WPA or WPA2 encryption, a strong password and disabling the SSID broadcast if possible. Knowing how to effectively employ VLAN segmentation within the network can make the wireless connection easily accessible for guests without endangering the data or the network.

Social engineering attacks are as much about human psychology as they are about technology; however, it doesn’t make them any less of a threat. A hacker perpetrating a social engineering attack gains sensitive information directly from the victim, using it to transfer funds, make purchases, or gain further access into the victim’s private network via the Internet. The most common type of social engineering attack is phishing. Hackers are becoming more sophisticated in their attacks, however, developing new, convincing stories, even making phone contact to help establish plausibility. It is critical to educate the client on the subject of network security. Most people wouldn’t visit the “bad part” of town at night; in the same way, they should be educated not to frequent websites that could pose security threats. Train your client to develop strong, yet easily memorized passwords such as acronyms, keyboard shifting, and leetspeak.

It is commonly said that the biggest threat to a client’s network is the client themselves, so it’s important to develop a company security policy that clearly outlines the recommendations you’ve made and the homeowner’s own responsibilities in securing the network that they can review and sign.

Port scanning is perhaps the most frightening of the attacks. A port scanner is exactly what it sounds like — a program that searches for open ports on devices that are connected to the Internet. Network ports are like channels that different network devices and services operate through. Many of today’s remote access methodologies open network ports to allow for offsite access (IP surveillance cameras are an especially good example of this). While this technique is usually quick to configure and requires relatively little expertise, it is very insecure because it commonly allows any device on the Internet to request services through the port. Most devices configured for remote access by using open ports require a username and password before allowing access to the device, however, all too often they are easily cracked, guessed, or left at factory default.

Using the example of an IP camera, the hacker now has direct access to a live feed of the client’s home. Some argue that using port address translation can prevent these types of attacks, and while it’s true that this method may delay the hacker, there are only 65,535 possible ports, so with enough processing power, or free time, he will find what he’s looking for eventually. Therefore, I strongly encourage you to learn how to properly configure and implement VPN protocols with effective encryption thereby circumventing the need to use port forwarding.

If you are responsible for recommending, installing, or configuring any device that communicates via a network connection, you need to master the network itself. Otherwise, both you and the client may be left wondering what phantoms are lurking out there in cyberspace.

Contributed by the Custom Electronic Design & Installation Association. To learn more about CEDIA membership visit www.cedia.org/join.

Steven Rissi is technical training manager at CEDIA.

PSA Security Network is one of the nation’s leading sources for education, training, and industry networking events. With multiple settings and events throughout the year to meet and exchange industry knowledge, there is something for everyone.

The Electronic Security Expo, owned by ESA, is designed to help electronic security pros to network with other like-minded professionals and to educate about improving your company’s efficiency and productivity