Cyber 101 for Physical Security Practitioners
When it comes to cybersecurity, there are many terms and concepts that are beneficial for physical security professionals and IT professionals alike to understand. Oftentimes, these terms are incorrectly used or interchanged—which can create confusion.
Vulnerabilities versus Exploits versus Backdoors
Three of the most confused terms are vulnerability, exploit, and backdoor. Each of these terms has its own distinctly different definition and purpose.
A vulnerability is a flaw in a system, or in some software within a system, that could provide an attacker with a way to bypass the security infrastructure of the host operating system or of the software itself. It isn’t an open door but rather a weakness that, if attacked, could provide a way in. All software has flaws or vulnerabilities, which are usually discovered over time. A software company’s internal testing will generally try to eliminate all of them before release, but it’s impossible to test software in every different network and system integration.
A vulnerability scan doesn't mean that the vulnerability has been exploited.
Once an attacker finds a vulnerability in a software’s code or in a system, an exploit is achieved by painstakingly figuring out how to take advantage that vulnerability for the purpose of a malicious act. Exploiting is the act of trying to turn a vulnerability (a weakness) into an actual way to breach a system. A vulnerability can be “exploited” to turn it into viable way to attack a system.
Turning a software vulnerability into an exploit can be hard. Google, for example, rewards security researchers for finding vulnerabilities in its Chrome Web browser. The payouts Google makes are in the range of $500 to $3,000. However, it also runs competitions for security specialists to present exploited vulnerabilities. These specialists are awarded much larger sums—as much as $60,000—for their work. The difference in payouts reflects the magnitude of the task when trying to exploit a vulnerability.
Backdoors are entrances often to the management functions of a device, intentionally placed there by the code developer. This is commonplace in the development of code since it can be difficult to predict what may happen when new code or features are being added. If something goes wrong during the development process, the backdoor allows the developer to get back into the code or device. The backdoor is then typically removed from the code before it is released for use by customers.
Vulnerability Scan versus Penetration Test
Like the aforementioned terms, assessments or tests related to cybersecurity are often confused. Two of the most common are the vulnerability scan and the penetration test (also known as a pen test or pentest).
A vulnerability scan is an automated, high-level test that looks for and reports potential or known vulnerabilities. In contrast, a penetration test is a detailed, hands-on examination conducted by a real person who tries to detect and exploit weaknesses in your system.
Vulnerability scans are a snapshot in time that compare known vulnerabilities to a product’s current software/firmware version and configuration. A vulnerability scan doesn’t mean that the vulnerability has been exploited. Furthermore, vulnerability scans are unable to predict future vulnerabilities. Since they simply scan devices seeking documentation, they are not proof of any overall system security and should be followed up on.
Governance, Risk Management, Compliance, and Regulation
Governance, risk management, and compliance (GRC), along with regulation, are all closely related concepts that aim to assure an organization reliably achieves objectives, addresses uncertainty, and acts with integrity.
Governance is the combination of processes established and executed by the directors (or the board of directors) that is reflected in the organization’s structure and how it is managed and led toward achieving goals.
At the end of the day, a business must comply with regulations—the minimum requirements.
Governance comprises not only the external regulations a business must comply with, but also the internal guidance a business applies to itself to manage risk and threats. This further protects the business beyond just what regulations mandate. As an example, PCI-DSS (Payment Card Industry Data Security Standard) imposes regulations on a bank regarding using encryption to protect payment and credit card data. The internal governance from the bank can take things a step further by writing a policy that requires the encryption of all data on the company network. Now the bank is not only protecting the payment data, but all its data—thereby further reducing the risk of other critical business information from being intercepted.
Risk management involves predicting and managing risks that could hinder the organization from reliably achieving its objectives under uncertainty.
When it comes to risk management, a good starting point is for businesses to evaluate their potential cybersecurity risks in terms of their probability and their potential impact. In doing so, it’s important for a business to identify the data, devices, systems, and facilities that help it achieve its goals, as well as identify who’s responsible for them. This includes inventorying devices, systems, software, firmware, etc.; identifying mission-critical objectives; identifying procedures and security policies; and then performing a risk assessment and determining a risk management plan. There are solid risk management frameworks that exist to support companies in their evaluation process. A good example is the NIST Cybersecurity Framework.
Compliance is the adherence to mandated boundaries (laws and regulations) and voluntary boundaries (corporate policies, procedures, etc.).
Essentially, compliance is the process of ensuring that the business is adhering to the control objectives outlined by governance and regulations. It can consist of testing (penetration testing or internal testing) to ensure that (like in the bank example) all data is encrypted. It also provides documentation or proof that a business is backing up its stated policies with actions.
This is important because in some regulations—like ISO 27001, SOC2, or U.S. Department of Defense’s Cybersecurity Maturity Model Certification—external auditors will verify that the business is doing what the policies say they are doing.
This process is important because if someone misconfigures a device and it’s not encrypted, a breach could occur. In this instance, the bank must prove to a court that it was not negligent. The bank will need to demonstrate through policies, testing, and auditing that the business did take steps to prevent the breach. Compliance helps prove that the business wasn’t reckless. Obviously the fine or penalties the business would pay would be many times more if it is found negligent.
Regulation is management by a governmental administrative agency that has been granted the authority to oversee and enforce proper conduct—via regulations or rules—within a given area of responsibility.
Regulations (and legislation, or proposed regulations) are what a business is mandated to do. Regulations come in three basic forms: contractual, statutory, and regulatory. Depending on the type of business a company is running, it will have more or fewer regulatory obligations compared to other companies. For example, a chain of coffee shops will have far fewer regulatory obligations than a hospital, bank, or a government contractor.
At the end of the day, a business must comply with regulations—the minimum requirements. The intent should be to take these minimum requirements and create policies and extract control objectives out of them. Regulations are often the starting point for policies.
Risk versus Threat
Risks and threats are two other terms that are often used interchangeably, and thus incorrectly. To better understand these terms, consider that you have an asset that you’re trying to protect and, like all assets, it has a vulnerability. With a vulnerability, there exists the threat that someone could exploit that vulnerability. The magnitude of the threat depends on the likelihood of someone exploiting the vulnerability. The risk is the potential impact to or loss of the asset to the business if the threat does occur or the vulnerability is exploited.
Wayne Dorris, CISSP, is the business development manager cybersecurity at Axis Communications and serves on the Security Industry Association’s Cybersecurity Advisory Board.