Page 38 - Security Today, September/October 2022
Dispelling the Myths
Bad practices still in use that put people and assets at risk
By Will Knehr
We hear the term “best practices” a lot, but the truth is, there are still plenty of bad practices in use that put people and assets at risk every day. Many of those bad practices are grounded in one or more of the following myths that commonly lure people and organizations into a false sense of security. Don’t let these myths be responsible for a breach or an attack via edge devices. Here are five common myths that deserve to be busted once and for all.
1. Micro-segmentation alleviates risk. This myth is based on the opinion that “if I create a security system network that is segmented from the operational network, then the devices in this segment are not at risk. No one can access these devices on my network.”
While segmenting the security network from the operational network is a good practice, it is far from a bulletproof cyber security strategy. Back in the early days of the analog-to-IP transition, a systems integrator (SI) would use segmentation as a way to appease IT departments. DVRs commonly had two network interface cards, one for the device network and one for the operational network, so IT departments felt confident in only having to monitor two connections.
Unsurprisingly, this became a best practice for decades. In truth, it is easy to improperly create a segmented network that exposes backdoors. As more operational technology and industrial IoT gets connected, it’s clear that the internet is far from the only attack vector. There are plenty of insider threats to consider along with innocent mistakes when users, just trying to get something to work, assume that if it has Wi-Fi or an Ethernet jack they can just plug it in.
Take any of the above, sprinkle it with a “set it and forget it” mentality, and it becomes paramount to go beyond simply segmenting a network to be truly secure.
2. Life cycle management. If it’s not broken, then don’t fix it. This can be a tough one to crack for many organizations. Unfortunately, “if it’s not broken, then don’t fix it” typically leads to a “we don’t need to update the firmware” mindset. This myth also encompasses a “products don’t need to be cycled out if they are still working” sentiment.
Without robust life cycle management of security devices, exploits and backdoors that hackers expose only increase the vulnerability of these devices over time. A critical part of any cyber secure implementation is ensuring devices are updated with the latest firmware so that any known weak points are patched. It is the manufacturers’ responsibility to keep their devices secure, but it’s also the integrators’ responsibility to keep systems they support up to date.
Finally, no life cycle management would be complete without a strategy for changing out end-of-life or end-of-support devices. In either case, just because it is still running is not a reason to leave it on the network.
3. Identity management. One admin account is fine for all. This myth is more commonly believed than you might think. The thought is that one admin account can be used across an SI or end user’s entire installed base. The thinking seems to be that such an account is secure because it’s not with the end user or at least not with day-to-day users.
Like everything else, usernames and passwords must be properly managed. A best practice is to create multiple usernames and passwords so that the VMS connects with one username/password combination, the IT department has another, and the contracted maintenance techs have their own too. This helps a device log dis-