SAFEGUARDING YOUR HOMEOWNERS ASSOCIATION AND COMMON AREAS March 2011 www.cybersecurityguy.com
Many Homeowner Associations secure their common areas with cardkey access systems and security cameras, and many of these systems are connected to the Internet and to wireless networks to make remote management easier. Unfortunately, most Internet and security system installers have little knowledge of Internet-based threats or of the proper defenses against them. Installers generally focus on enabling remote access in the simplest way possible, which usually means keeping the default passwords and leaving the optional security features turned off. Installers who do change the default password will often use the same password on every system they install, just so that the next technician won't have trouble getting back into the device later. That shared password is a single secret guarding every property the installer has ever served; once it leaks from one site, it opens all of them.

ENHANCING PUBLIC AWARENESS AND IMPROVING SECURITY

It is important to make sure that your environments are secure. It is entirely possible for someone on the Internet to access and control your security camera and badge reader systems. This is especially concerning where children are involved. Imagine a child predator watching your HOA's pool cameras, waiting for the supervising adult to use the restroom, and then using that moment to unlock the cardkey door and grab the child.

To raise awareness of this situation and advance security in this area, Cyber Security Guy is working with US-CERT and several security device manufacturers to enhance the controls in security products and to provide better documentation to installers. A first-of-its-kind Android application, named Caribou, was developed as a proof of concept; it shows how easy it is to gain access to widely used cardkey access control systems. Read more about this and see a demonstration of the Caribou app at www.cybersecurityguy.com.
ACTION ITEMS

1. Secure the supporting computer systems. Make sure the computers supporting your security systems are properly secured by following the action items listed in Safeguarding your Windows Computer.

2. Avoid unnecessary network access to your security devices. Avoid placing any security control system, such as a cardkey access system or camera, on the Internet or on any wireless network. A device that can only be reached from the wired network inside the building cannot be attacked directly from the Internet, and the remaining items below only apply to devices that genuinely must be reachable remotely.

3. Enable the security options on your security devices. Review the manual for each security device and configure any and all security options. Most importantly:

   A. Configure the device with a complex password.

   B. Enable any encryption capabilities. If you have a choice between encryption algorithms, use AES-256 (best) or AES-128.

   C. Disable any unnecessary services that may be on the device, such as TELNET, FTP and TFTP. TELNET and FTP send passwords across the network unencrypted, and TFTP has no password at all. You will need to test all of the functions of the device after you have done this to make sure everything still works properly.

   D. Rename or disable any default or built-in accounts. For example, rename "Administrator" to something unique, and disable the "Guest" account.

   E. Change the default "TCP" or "UDP" ports the device listens on. You can think of these numbers like telephone extensions. Hackers scan Internet addresses to see which extensions answer, and when one does, they generally know what type of system it is and what kind of attack to use against it. For example, if the device uses "TCP port 12345", change it to another number higher than 1023, such as "TCP port 52841" (use your own number). You will need to configure the client-side software with the same number. If you interact with the device through a web interface and you change the "TCP port" for that interface, you add the number to the URL: instead of "https://yoursystem" you would use "https://yoursystem:52841". Keep in mind that a changed port only hides the device from scans that check the default number; a scanner that walks every port will still find it and will usually identify it from the way it responds. Treat this as a supplement to items 2 and 4, not a replacement for them.

   F. Enable logging so that if your device is compromised you have a chance of spotting the unusual activity.

4. Restrict Internet access to your security devices. For those systems that must be Internet-accessible, configure your Internet router/firewall to allow inbound access to these devices only on the specific "TCP" and "UDP" ports that are needed. If your router/firewall supports it, also limit access to the specific Internet IP addresses or ranges you will be connecting from. If you need to reach the device from a home Internet connection rather than a business, this becomes slightly more complicated, as a home connection usually has a dynamic address that changes from time to time. However, you can still define a range by calling your ISP and asking for the address ranges that may be used in your area. If the router offers a VPN, requiring a VPN connection before the device can be reached at all is stronger than any list of permitted addresses.

5. Try to break into your own system. Test to verify that you cannot reach your security device in any way other than the one you have configured, for example from other networks or with different passwords. For more thorough testing, hire a security professional skilled in penetration testing, or perhaps find someone within your own community who would be willing to do this for free.

6. Maintain and monitor the security devices. On a regular basis, check the health of the devices to make sure they are working properly. This is a good time to quickly review any logs you have enabled and look for signs of unusual activity.

FREQUENTLY ASKED QUESTIONS

Q. You say that security companies don't do a good job of securing the devices they install against Internet-based threats. Why?

A. A higher level of skill is required to defend against Internet-based threats. Traditional security companies are generally focused on physical security and generally lack people with skills and experience in cyber security. Cyber security professionals generally make upwards of $80,000/year, whereas security installers make less than half that, so these companies simply can't afford people with this skill set.

Q. My installer said that I couldn't change the default password on my device because otherwise their company wouldn't be able to get in to manage it. What should I do?

A. I would recommend contacting the company's management to point out the security issue and request that they reconsider. Otherwise, do business with someone who takes security more seriously.
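As a worked version of action item 5 (and of the checks behind items 3C, 3E and 4), the Python below asks the question an attacker asks first: which ports on the device's address actually answer? It is an added example, not code from this newsletter or from any device vendor. The port list in DEFAULT_SERVICE_PORTS, the example address 203.0.113.10 and the local stand-in listeners are assumptions made for the example; run it against the real device from a network OTHER than the one the device sits on (a phone hotspot, a friend's connection), because the point is to see what the Internet sees.

```python
"""Outside-in exposure check for a security device (action items 3C, 3E, 4 and 5).

Added example, not code from the original newsletter or from any device vendor.
It assumes you know the one management port you meant to open (say TCP 52841
from item 3E) and reports every other port that still answers.
"""
import socket

# Services a camera or cardkey controller should no longer answer on once
# item 3C (disable TELNET/FTP/TFTP) and item 3E (move off the default port)
# are done.  Assumed list; add your device's documented defaults.  TFTP
# (UDP 69) is left out because a UDP probe gets no reply whether the port is
# open or filtered, so a connect test cannot tell you anything about it.
DEFAULT_SERVICE_PORTS = {
    21: "FTP",
    23: "TELNET",
    80: "HTTP (unencrypted web interface)",
    8080: "HTTP alternate",
    12345: "example default from item 3E",
}


def port_answers(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes, i.e. something is listening."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:  # refused, timed out (filtered) or unreachable
            return False


def check_exposure(host, expected_ports, candidate_ports, timeout=2.0):
    """Probe the expected ports plus every candidate, then sort the results.

    expected_ports  - ports you deliberately opened on the router (item 4).
    candidate_ports - ports you believe are closed or disabled.
    Returns a dict: 'open' (everything that answered), 'unexpected' (answered
    but not expected: fix these first) and 'missing' (expected but silent:
    your own access is broken, or you are testing from a blocked address).
    """
    probe = set(expected_ports) | set(candidate_ports)
    open_ports = {p for p in sorted(probe) if port_answers(host, p, timeout)}
    return {
        "open": open_ports,
        "unexpected": open_ports - set(expected_ports),
        "missing": set(expected_ports) - open_ports,
    }


def _local_listener():
    """Throwaway listener on 127.0.0.1 standing in for one device port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free one
    srv.listen(5)                # handshake completes from the backlog; no accept() needed
    return srv, srv.getsockname()[1]


def run_offline_demo():
    """Rehearse the check with no device: one listener plays the management
    port you meant to open, another plays a TELNET-style service you forgot
    to turn off, and a third port is known to be closed.  Returns the report
    and the three port numbers so the outcome can be checked."""
    expected_srv, expected_port = _local_listener()
    forgotten_srv, forgotten_port = _local_listener()
    closed = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    closed.bind(("127.0.0.1", 0))
    closed_port = closed.getsockname()[1]
    closed.close()               # released, so nothing answers there now
    try:
        report = check_exposure("127.0.0.1", {expected_port},
                                [forgotten_port, closed_port], timeout=1.0)
    finally:
        expected_srv.close()
        forgotten_srv.close()
    return report, expected_port, forgotten_port, closed_port


if __name__ == "__main__":
    report, *_ = run_offline_demo()
    print("offline rehearsal:", report)
    # Against the real device, from outside your own network (assumed address):
    # print(check_exposure("203.0.113.10", {52841}, DEFAULT_SERVICE_PORTS))
```

Anything in "unexpected" is a service the router is still letting through or a default the device is still running; anything in "missing" means your own remote access no longer works, which is exactly what item 4 is supposed to produce when you test from an address that is not on the allowed list.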
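For action item 6 (reviewing the logs enabled under item 3F against the source addresses allowed under item 4), the Python below is an added example, not code from this newsletter or from any device vendor. The log line format, the ALLOWED_SOURCES ranges, the RETIRED_ACCOUNTS names, the FAILURE_THRESHOLD and the SAMPLE_LOG lines are all constructed for the example; adapt LINE_RE to what your device actually writes.

```python
"""Log review for a security device (action items 3F, 4 and 6).

Added example, not code from the original newsletter or from any device vendor.
Assumed log format: one line per event, with login events written as
"<date> <time> LOGIN OK|FAILED user=<name> src=<ip>".
"""
import ipaddress
import re
from collections import Counter

# Where logins should come from (item 4): the property manager's office and
# the HOA's own LAN.  Assumed addresses.
ALLOWED_SOURCES = [ipaddress.ip_network("198.51.100.0/24"),
                   ipaddress.ip_network("192.168.1.0/24")]

# Built-in accounts that item 3D says to rename or disable.  Any use of them is
# either an installer who did not follow through or an intruder guessing defaults.
RETIRED_ACCOUNTS = {"admin", "administrator", "guest", "root"}

# Failures from one address before we call it password guessing (assumed).
FAILURE_THRESHOLD = 5

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) LOGIN (?P<result>OK|FAILED) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample: a guessing run at 2 a.m. that finally gets in with the
# default "admin" account from an outside address, followed by a normal day.
SAMPLE_LOG = """\
2011-03-14 02:17:05 LOGIN FAILED user=admin src=203.0.113.45
2011-03-14 02:17:09 LOGIN FAILED user=admin src=203.0.113.45
2011-03-14 02:17:13 LOGIN FAILED user=admin src=203.0.113.45
2011-03-14 02:17:18 LOGIN FAILED user=admin src=203.0.113.45
2011-03-14 02:17:22 LOGIN FAILED user=admin src=203.0.113.45
2011-03-14 02:17:30 LOGIN OK user=admin src=203.0.113.45
2011-03-14 08:02:11 LOGIN OK user=hoa-manager src=198.51.100.20
2011-03-14 09:15:42 LOGIN OK user=hoa-manager src=192.168.1.10
2011-03-14 09:20:00 CARD ACCEPTED card=00412 door=pool-gate
"""


def review(lines):
    """Scan login events and return (sorted findings, skipped line count).

    Each finding is a (kind, subject) pair, de-duplicated so one noisy
    intruder produces a few lines rather than hundreds."""
    findings = set()
    failures = Counter()
    skipped = 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1         # card swipes, door events, anything else
            continue
        user, result, src_text = m["user"], m["result"], m["src"]
        try:
            src = ipaddress.ip_address(src_text)
        except ValueError:
            skipped += 1         # malformed address: do not silently trust it
            continue
        if user.lower() in RETIRED_ACCOUNTS:
            findings.add(("retired_account", f"{user}@{src}"))
        if not any(src in net for net in ALLOWED_SOURCES):
            findings.add(("unexpected_source", str(src)))
        if result == "FAILED":
            failures[str(src)] += 1
        elif failures[str(src)]:
            # a success right after failures from the same address is the
            # signature of a guess that worked
            findings.add(("success_after_failures", str(src)))
    for src, n in failures.items():
        if n >= FAILURE_THRESHOLD:
            findings.add(("repeated_failures", src))
    return sorted(findings), skipped


if __name__ == "__main__":
    found, skipped = review(SAMPLE_LOG.splitlines())
    for kind, subject in found:
        print(f"{kind:24} {subject}")
    print(f"({skipped} non-login line(s) skipped)")
```

On the constructed sample this reports four findings for 203.0.113.45 (repeated failures, use of a retired account, a success right after the failures, and a source outside the allowed ranges) and skips the one card event; a log with only the manager's logins from the allowed ranges produces no findings at all, which is the quiet result a routine check under item 6 should give.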