Delegates attending this week’s Specifying Security Technology Course have been hearing about the many advantages of putting physical security technology, such as access control systems, CCTV and building intrusion detections systems onto an IT backbone.
But IT expert Derick Burton has warned about the potential exposures that this brings with it.
Citing a parallel and often precarious situation with SCADA systems (the IT systems that control critical operational processes) he advised that IT networks carrying security systems should be separated from those which provide general IT services, especially Internet connectivity.
One risk, highlighted by David Cresswell is that of security guards who might be tempted to use the Internet to access webmail or other Internet services, and inadvertently introduce malware into the IT programs managing the physical security systems. Social engineering scams designed to trick users abound, such as the latest email scam (pictured above), which claims to come from MSN and attempts to dupe users into running a video, at which point their computer and its programs become infected with the Trojan Trojan.Agent.AGGZ.
Another risk is that of the "drive-by download" – by simply landing on certain web pages the computer becomes infected automatically. It is estimated that as many as 1 in 100 web pages may be infected. A third risk is that of opening email MS Word attachments such as those asking users to fill in a form for a job search. Some of these activate malware which allows other Internet users to hack directly into the host’s hard drive and steal data. Thus, theoretically system compromise by social engineering of an IT system managing a CCTV network could allow your confidential CCTV images to be viewed from anywhere on the planet without your knowledge.
The solution to this is NEVER to allow Internet access or email on those systems which manage physical security technology unless you have a very IT-savvy and completely trustworthy security operator, who is kept fully up-to-date with the dangers of IT-based malware and social engineering.
For more details on the Specifying Security Technology Course click here. To register your interest for the next course, or to obtain a detailed product sheet, contact Janet.