
Public sector security systems very cybersecure? Think again!

This article was first published in 2022 and is now updated with cybersecurity recommendations for schools.

Conventional wisdom holds that security systems at public sector organizations are safe from cyberattacks. But are they? This article discusses public sector security system vulnerabilities and ways to address them.
Security systems for public sector entities, for example government offices and public schools, are believed to be safe from cyberattacks. After all, these systems are intended to protect lives, assets and sensitive data held by public offices. A cyberattack can lead to dire consequences.
But nothing could be further from the truth. Consider the following reports. Days before former US President Donald Trump’s inauguration in 2016, hackers infected Washington DC police video surveillance cameras with ransomware, rendering 123 of them unusable. In 2018, a Virginia high school student gained access to a school security camera, took screenshots of his friend and posted the images on the school’s website.

What makes public sector security systems vulnerable

So why do things like this happen to public sector security systems? Mathieu Chevalier, Lead Security Architect at Genetec, offers some reasons.
“Many public sector facilities continue to use older models of security cameras and door controllers, replacing them only when necessary or when their capital cost has been fully amortized. Older devices, especially cameras, often present a significant cyber risk because of their limited security capabilities and ability to be kept up to date,” Chevalier said, adding that inadequate maintenance, a knowledge gap in these organizations and the pandemic have also contributed to the problem.
“As millions of people began working from home, organizations faced new challenges around protecting their spaces. According to Morgan Wright, a Center for Digital Government (CDG) Senior Fellow, ‘When fewer people are working in buildings, organizations need more technology to maintain physical protection,’” Chevalier said.
As for what types of attacks public sector security systems are susceptible to, Chevalier cited as an example Mirai, which is still active and has continued to evolve.
“In 2021, security researchers discovered that a Mirai-based botnet, called Moobot, uses another technique to infect video surveillance devices made by the Chinese manufacturer Hikvision, which are embedded in many OEM solutions. This technique injects malicious code into the device, then checks the network to find additional devices to infect. Although a software patch is available to close this risk, IT teams may not know which installed cameras should receive it,” Chevalier said. “Mirai continues to evolve its capacity by incorporating recent high-profile vulnerabilities. It recently incorporated the Spring4Shell vulnerability, for example.”
Chevalier further dispelled the notion that only limited threats can be made through a physical security device. “Recognized threats often include the ability to remotely stop the video feed from a camera, open or lock a door, or disrupt critical building systems. Yet most cyberattacks are not intended to compromise the physical safety of people or property. Instead, these attacks target applications, files and data managed by IT. An attack that originates in a camera can find its way through the network to block access to critical applications; lock and hold files for ransom; and steal personal data of government employees, students and suppliers,” he said.

What steps can be taken

Given that cyber threats against public sector security systems are real and impactful, operators and users should take measures to prevent attacks from happening. According to Chevalier, an integrated security team can produce an effective review of needed cybersecurity improvements across physical security devices and systems, and this review should cover several key areas of focus:
Improve security monitoring: Ensure all network-connected physical security devices are monitored and managed by the IT tools for network and security management.
Strengthen protection measures: Look for ways to improve existing configurations and management practices for physical security devices, including:
  • Using secure protocols for connecting the device to the agency network
  • Disabling access methods that support a low level of security protection
  • Verifying configurations of security features and alerts
  • Replacing defaults with new passwords that are changed on a regular and verified schedule
Implement encryption: End-to-end encryption offers the most security to protect video streams and data as they travel from the physical security device to a management system for viewing.
Enhance access defenses: Strengthen the security of user and device access with a multilayer strategy that includes multifactor access authentication and defined user authorizations.
Improve update management: When the teams are joined, define who has responsibility for maintaining awareness of when updates are available. Then, define who has responsibility for vetting, deploying and documenting updates on all eligible devices and systems.
Planning a replacement program: After an assessment of current physical security elements, it may be clear that some devices — and perhaps the VMS or ACS — present a high cyber risk and should be replaced. Replacement priorities can also be determined by location, use case, device type or age.
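One way to turn the protection and update-management items above into a repeatable check, as an added example that is not from the article or from Genetec: a Python audit over a constructed device inventory. The CSV columns, the list of weak services and the 365-day rotation limit are assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed inventory export; column names and values are assumptions.
INVENTORY_CSV = """device,type,services,default_password,password_changed,firmware,min_patched_firmware
lobby-cam-01,camera,https;rtsps,no,2024-03-01,5.7.2,5.7.0
dock-cam-07,camera,http;telnet;rtsp,yes,2019-06-11,5.4.0,5.7.0
door-ctl-02,door_controller,https;ssh,no,2022-01-15,2.1.0,2.1.0
"""

WEAK_SERVICES = {"telnet", "ftp", "http", "rtsp"}  # cleartext access methods
MAX_PASSWORD_AGE_DAYS = 365                        # assumed rotation policy


def version_tuple(version):
    """Turn '5.7.2' into (5, 7, 2) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def audit_device(row, today):
    """Return the list of checklist findings for one inventory row."""
    findings = []
    weak = sorted(WEAK_SERVICES & set(row["services"].split(";")))
    if weak:
        findings.append("cleartext services enabled: " + ", ".join(weak))
    if row["default_password"] == "yes":
        findings.append("default password still in use")
    age = (today - date.fromisoformat(row["password_changed"])).days
    if age > MAX_PASSWORD_AGE_DAYS:
        findings.append(f"password last changed {age} days ago")
    if version_tuple(row["firmware"]) < version_tuple(row["min_patched_firmware"]):
        findings.append(
            f"firmware {row['firmware']} older than patched {row['min_patched_firmware']}"
        )
    return findings


def audit_inventory(csv_text, today):
    """Map each device with at least one finding to its findings."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = audit_device(row, today)
        if findings:
            report[row["device"]] = findings
    return report


if __name__ == "__main__":
    for device, findings in audit_inventory(INVENTORY_CSV, date(2024, 6, 1)).items():
        print(device, "->", "; ".join(findings))
```

The firmware comparison is what answers the "which installed cameras should receive the patch" problem Chevalier raises: it only works if the inventory records the running version for every device.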
In the end, it is imperative for public sector users to attach equal importance to their premises’ physical security and cybersecurity. “Organizations in the public sector need to think about how they deploy physical protection technologies so that they can better control access to sensitive and restricted areas and, at the same time, increase the cybersecurity of their networks. They need to look at deploying new technologies, establishing new staff roles, and implementing new practices that will strengthen both physical and cybersecurity,” Chevalier said.

School cybersecurity recommendations

Public schools are an important part of the public sector. More and more, K-12 schools are faced with cyberattacks and threats against their network, of which IP security systems are a part. Protecting against these attacks, then, becomes critical.
According to the Cybersecurity Assessment of the 2022–2023 School Year report by the Center for Internet Security (CIS) and the Multi-State Information Sharing and Analysis Center, school officials cited the following as their chief cybersecurity concerns: lack of sufficient funding, increasing sophistication of threats, lack of documented processes, lack of a cybersecurity strategy, and inadequate availability of cybersecurity professionals.
Ransomware and malware continue to be among the top concerns for K-12 organizations. The report listed the top 10 malware affecting K-12 schools as, from No. 1 to 10: Qakbot, CoinMiner, Tinba, Agent Tesla, Gh0st, Laplas, ArechClient, ZeuS, Ratenjay and Adadey.
“QakBot is a versatile banking Trojan with a wide range of capabilities, including enumeration, lateral movement through SMB, keylogging to steal user credentials, network traffic monitoring, and the ability to deploy additional malware,” CIS said. “After its operators are done with an infected host or network, QakBot uses Cobalt Strike modules to sell or grant access to other cyber threat actor (CTA) groups. It spreads primarily through malspam, often involving thread hijacking.”
To prevent and counter these malware attacks, CIS recommends K-12 schools have in place an incident response (IR) plan, which should include the following four steps:
Plan: Develop documentation for all procedures necessary to handle an incident;
Detect: Monitor enterprise assets and analyze intelligence to understand if an incident has occurred;
Respond: Activate the incident response plan to deal with an incident;
Update: Understand which portions of the incident response plan have been effective and update the plan accordingly.
“The primary goal of IR is to identify threats on the enterprise, respond to them before they can spread, and remediate them before they can cause harm. One crucial aspect of incident response planning is making sure your plans can be efficiently executed when an incident occurs,” CIS said.
