Showing posts with label Access Controls. Show all posts
Showing posts with label Access Controls. Show all posts

March 9, 2014

SCADA in Pictures




So SCADA are Supervisory Control and Data Acquisition systems.

They are a form of Industrial Control Systems (ICS) that monitor and control major industrial processes from power generation, transmission, and distribution, to water treatment, chemical production, air traffic control, traffic lights, building controls, and more. 

These are part of our nation's critical infrastructure. 

In the lab, we are able to use tools to capture and analyze communication packets and edit and re-use them to: 

- Turn on and off lights

- Open/close perimeter gates

- Control water and gas pipelines

- And even open and close a bridge

This was very scary!

No one, unauthorized, should be able to do this in real life, in the physical world. 

This is a major security vulnerability for our nation:

- SCADA systems should not be openly available online, and instead they should be able to be controlled only either locally or remotely through an encrypted virtual private network (VPN).

- SCADA systems should not be available without proper access controls--there must be credentials for user id and passwords, and even two-step authentication required. 

No one but vetted, cleared, authorized, and trained personnel should be able to monitor and control our critical infrastructure--otherwise, we are giving them the keys to disrupt it, destroy it, and use it for terror. 

We owe our nation and families better, much better. 

(Source Photos from lab: Andy Blumenthal)

Share/Save/Bookmark

February 27, 2014

Newspaper, Identity Thief

So, true story.

I know identify theft is a serious matter, but really...

I'm heading out of the driveway and I see the newpaper delivery guy just pulling up.

He's running a little late, but I figure I can still get the paper in time for morning reading on the Metro. 

I walk over to him and ask if I can get the Journal that he's deliverying to me.

He says, "No, I only deliver the Wall Street Journal and the Post."

I say, "Yeah, the Wall Street Journal, can I get it, since you're running a little late this morning."

He says. "I'm never late!"--actually, he is and sometimes doesn't deliver at all (the other week, I got 3 papers in one day). 

I say, "OK, but I can take it from here."

He says, "No, I only deliver to the door."

I say, "But I'm right here."

He says, "How do I know you are who you say you are?"

I say, "I am, and thank G-d, I really don't need to steal a $2 newspaper from you, Sir."

He says, "Okay, but I'll need to see an id!"

I say, "Are you serious?"

He says, "Yeah," pulling back to safety the pile of newspapers he is holding is his arms. 

Reluctantly, I flip open my wallet and flash my license to him.

Not good enough...he insists I take it out so he can read it. 

I finally got the paper, but we wasted what seemed like 5 minutes between the negotiation and proof of identity exercise. 

Don't get me wrong, I appreciate his diligence, but I think this type of scrutiny over access and identity would be better placed squarely on our cyber assets--somewhere where we really need them! ;-)

(Source Photo: Andy Blumenthal)
Share/Save/Bookmark

August 25, 2012

Choke Points to Checkpoints


This is some promising biometric technology from AOptix

Enrolling in the system is the first step and means just seconds of standing in the capture field of the slender tower, and the device scans both iris and face of the person. 

The scanning captures images within seconds and the software converts the images into binary code. 

It then subsequently scans and matches the person's biometrics against the database for positive identification. 

The beauty of this system is that it is simple and fast and can be used for passenger screening, immigration, or any other access control for entry/egress for a building, location, or even to a computer computer system and it's information.

According to Bloomberg Businessweek, the Insight Duo Towers sells for $40,000 each.

Eighty of these are currently in use at all air, land, and sea borders in Qatar.  Further, Dubai International Airport has been piloting this at a terminal that handles 40 million people per year, and it has cut immigration waiting times from 49 minutes to 22 seconds. 

This technology has obvious important applications for military, law enforcement, and homeland security, as well as even more generalized security use in the private sector.

And while very impressive, here are some concerns about it that should be addressed:

1) Enrollment of Biometrics and Personal Identification--registering for the system may only take a few seconds for the actual scan, but then verifying who you are (i.e. who those biometrics really belong to) is another step in the process not shown.  How do we know that those iris and face prints belong to Joe Schmo the average citizen who should be allowed through the eGate and not to a known terrorist on the watch list?  The biometrics need to be associated with a name, address, social security, date of birth and other personal information.

2) Rights versus Recognitions--rights to access and recognition are two different things. Just because there is iris and facial recognition, doesn't mean that this is someone who should be given access rights to a place, system or organization.  So the devil is in the details of implementation in specifying who should have access and who should not. 

3) Faking Out The System--no system is perfect and when something is advertised as accurate, the question to me is how accurate and where are the system vulnerabilities. For example, can the system be hacked and false biometrics or personal identification information changed?  Can a terrorist cell, criminal syndicate, or nations state create really good fake iris and facial masks for impersonating an enrollee and fooling the system into thinking that a bad good is really a good guy. 

4) Privacy of Personally Identifiable Information (PII)--not specific to AOptix, but to this biometric solutions overall--how do we ensure privacy of the data, so it is not stolen or misused such as for identity theft.  I understand that AOptix has PKI encryption, but how strong is the encryption,who long does it take to break, and what are the policies and procedures within organizations to safeguard this privacy data.

5) Big Brother Society--biometrics recognition may provide for opportunities for safe and secure access and transit, but what are the larger implications for this to become a "big brother" society where people are identified and tracked wherever they go and whatever they do. Where are the safeguards for democracy and human rights.

Even with these said, I believe that this is the wave of the future for access control--as AOptix's says, for changing choke points to checkpoints--we need a simple, fast, secure, and cost-effective way to identify friends and foe and this is it, for the masses, in the near-term.

Share/Save/Bookmark

September 9, 2011

Visualizing IT Security


I thought this infographic on the "8 Levels of IT Security" was worth sharing.

While I don't see each of these as completely distinct, I believe they are all important aspects of enterprise security, as follows:

1) Risk Management - With limited resources, we've got to identify and manage the high probability, high impact risks first and foremost.

2) Security Policy - The security policy sets forth the guidelines for what IT security is and what is considered acceptable and unacceptable user behavior.

3) Logging, Monitoring, and Reporting - This is the eyes, ears, and mouth of the organization in terms of watching over it's security posture.

4) Virtual Perimeter - This provides for the remote authentication of users into the organization's IT domain.

5) Environment and Physical - This addresses the physical protection of IT assets.

6) Platform Security - This provides for the hardening of specific IT systems around aspects of its hardware, software, and connectivity.

7) Information Assurance - This ensures adequate countermeasures are in place to protect the confidentiality, integrity, availability, and privacy of the information.

8) Identification and Access Management - This prevents unauthorized users from getting to information they are not supposed to.

Overall, this IT security infographic is interesting to me, because it's an attempt to capture the various dimensions of the important topic of cyber security in a straightforward, visual presentation.

However, I think an even better presentation of IT security would be using the "defense-in-depth" visualization with concentric circles or something similar showing how IT security products, tools, policies, and procedures are used to secure the enterprise at every level of its vulnerability.

IT security is not just a checklist of do's and don't, but rather it is based on a truly well-designed and comprehensive security architecture and its meticulous implementation for protecting our information assets.

Does anyone else have any other really good visualizations on cyber security?

(Source Photo: here)

Share/Save/Bookmark