Many counties, cities and municipalities make their facilities available to outside community groups for meetings, seminars and other activities. While this is a generous gesture, it has become increasingly apparent, and alarming, that a significant number of these facilities have open Local Area Network (LAN) ports that expose the organization’s network, with no controls or mechanisms to limit access to authorized individuals.
In the course of my job, I spend a decent amount of time at government facilities, such as administration buildings, remote government offices and police stations (which often serve double duty as back-up data centers). And on a semi-regular basis, when I ask my clients the question “If I plug my laptop into that port over there, will I have access to the network?” their response is a reluctant “Yes.” Not shocking, but still alarming. Government entities, large and small, whose responsibility it is to provide services to their constituents, traditionally have networks that are wide open.
These network security vulnerabilities are everywhere, spanning large campus-style environments to multi-story office buildings. No matter the configuration, the problem is the same. Open network ports provide easy access for anyone, even an innocent citizen who happens to be showing a YouTube video on how to do a crochet project to the Girl Scout troop after school one evening. Who’s to say the laptop the troop leader is using hasn’t been infected with some malware or bot that has gone unnoticed by their pre-installed antivirus provider? Or worse yet, maybe it doesn’t even have an A/V solution installed. Once they connect, in theory, their system has free rein over the network and all the organization’s unsecured endpoints.
This is a specific example, but the scenarios are vast and varied: it could be a contractor doing some heating, ventilation and air conditioning (HVAC) work, it could be a Toastmasters meeting, even a part-time employee. The point is, at any given time, the network, and all of the computers and resources on it, are potentially vulnerable to exploitation.
Now, imagine there are collections of Internet of Things (IoT) devices, like door badge readers or security cameras, all there for the taking. These “dummy” devices all perform a function. For example, they wait for an electronic signal from a badge, do a verification lookup against a back-end system (i.e., a computer), then unlock the door. The security camera is capturing frames and sending them to some back-end storage environment (yep, you guessed it, another computer). Maybe the video goes through an additional step of processing (and one more computer) before getting stored.
You see how quickly the network vulnerability issue becomes exacerbated, right? Each and every one of those connected devices is a potential target that needs to be watched and monitored. You need to validate that those devices are doing what they’re supposed to be doing and communicating with the systems they’re supposed to be communicating with. If you can’t, then you’re exposed and vulnerable to exploits of devices you have little to no visibility into.
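To make that validation concrete, here is an added example (not part of the original post) that checks a flow log against a per-device baseline of expected peers. The addresses, ports, baseline and log lines are all constructed for illustration; it flags both a device talking to something outside its baseline and a source that is not in the inventory at all, such as a laptop plugged into an open port.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport")

# Hypothetical baseline: each known device and the only peers it should contact.
BASELINE = {
    "10.20.0.11": {("10.20.1.5", 443)},   # badge reader -> access-control server
    "10.20.0.21": {("10.20.1.9", 554)},   # camera -> video storage
    "10.20.1.5": {("10.20.1.2", 5432)},   # access-control server -> its database
}

# Constructed sample flow log, one "src dst dport" record per line.
SAMPLE_LOG = """\
10.20.0.11 10.20.1.5 443
10.20.0.21 10.20.1.9 554
10.20.0.21 10.20.0.11 23
10.20.0.77 10.20.1.5 445
10.20.0.77 10.20.1.9 445
"""

def parse_flows(text):
    """Parse 'src dst dport' lines, skipping anything malformed."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        flows.append(Flow(parts[0], parts[1], int(parts[2])))
    return flows

def audit_flows(flows, baseline):
    """Return de-duplicated (kind, src, dst, dport) findings, in log order."""
    findings, seen = [], set()
    for f in flows:
        if f.src not in baseline:
            kind = "unknown_source"      # not in inventory, e.g. a visitor laptop
        elif (f.dst, f.dport) not in baseline[f.src]:
            kind = "unexpected_peer"     # known device, conversation off baseline
        else:
            continue
        if (kind, f) not in seen:
            seen.add((kind, f))
            findings.append((kind, f.src, f.dst, f.dport))
    return findings

if __name__ == "__main__":
    for finding in audit_flows(parse_flows(SAMPLE_LOG), BASELINE):
        print(*finding)
```
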
So, how should municipalities address securing their networks? What capabilities need to be included? What ramifications should they consider when pursuing a solution?
Stay tuned for my next blog for those answers.