1
00:00:00,250 --> 00:00:02,780
Premise System Vulnerabilities.

2
00:00:02,780 --> 00:00:06,470
In this lesson, we are going to talk about premise systems.

3
00:00:06,470 --> 00:00:08,830
Now, what is a premise system?

4
00:00:08,830 --> 00:00:11,000
Well, a premise system is a system used

5
00:00:11,000 --> 00:00:14,110
for building automation and physical access security.

6
00:00:14,110 --> 00:00:16,830
And these are a different type of network, as well.

7
00:00:16,830 --> 00:00:19,060
Oftentimes, you'll have this as a third network

8
00:00:19,060 --> 00:00:20,470
in your organization.

9
00:00:20,470 --> 00:00:22,330
When you're dealing with this and you go to your front door

10
00:00:22,330 --> 00:00:23,500
of your building and you try to get in

11
00:00:23,500 --> 00:00:25,020
and use your card and your PIN,

12
00:00:25,020 --> 00:00:27,800
that has to go through some kind of an access control system.

13
00:00:27,800 --> 00:00:29,490
That is a premise system, right?

14
00:00:29,490 --> 00:00:31,520
That is physical access security.

15
00:00:31,520 --> 00:00:33,130
If I look at the security cameras,

16
00:00:33,130 --> 00:00:35,390
those are part of your premise system, as well.

17
00:00:35,390 --> 00:00:37,720
Now, when we deal with a premise system,

18
00:00:37,720 --> 00:00:39,100
a lot of these system designs

19
00:00:39,100 --> 00:00:41,340
are going to allow for monitoring to be available

20
00:00:41,340 --> 00:00:43,040
across the corporate data network

21
00:00:43,040 --> 00:00:44,510
or even directly from the Internet.

22
00:00:44,510 --> 00:00:46,720
And this is really great from a monitoring perspective.

23
00:00:46,720 --> 00:00:48,080
It makes it really easy for us.

24
00:00:48,080 --> 00:00:50,310
But this is also dangerous, right?

25
00:00:50,310 --> 00:00:51,640
Because when we have a connection

26
00:00:51,640 --> 00:00:53,080
to the corporate data network,

27
00:00:53,080 --> 00:00:55,230
that means someone can hack into your premise network.
28
00:00:55,230 --> 00:00:57,490
They can cross over into your data network.

29
00:00:57,490 --> 00:00:59,160
And if you connect directly to the Internet,

30
00:00:59,160 --> 00:01:01,910
that might give them a way in to that premise network.

31
00:01:01,910 --> 00:01:03,230
So, these are things you have to think about

32
00:01:03,230 --> 00:01:04,780
when you're dealing with security.

33
00:01:04,780 --> 00:01:05,690
Now, in addition to this,

34
00:01:05,690 --> 00:01:08,400
we also have building automation systems.

35
00:01:08,400 --> 00:01:10,260
Now, building automation systems,

36
00:01:10,260 --> 00:01:11,800
they have components and protocols

37
00:01:11,800 --> 00:01:14,010
that facilitate the centralized configuration

38
00:01:14,010 --> 00:01:16,070
and monitoring of your different mechanical

39
00:01:16,070 --> 00:01:19,550
and electrical systems within offices or data centers.

40
00:01:19,550 --> 00:01:21,610
Now, oftentimes, you're not going to be controlling

41
00:01:21,610 --> 00:01:23,460
the actual power generation, right?

42
00:01:23,460 --> 00:01:25,220
That will be ICS and SCADA.

43
00:01:25,220 --> 00:01:28,870
But you are going to have other ways to look at the information

44
00:01:28,870 --> 00:01:31,700
inside your building through these automation systems.

45
00:01:31,700 --> 00:01:33,460
For instance, at our offices,

46
00:01:33,460 --> 00:01:35,410
we have a battery back-up system.

47
00:01:35,410 --> 00:01:38,030
This is a whole building system so that if we lose power,

48
00:01:38,030 --> 00:01:39,670
we have that battery that can kick in

49
00:01:39,670 --> 00:01:42,250
and support us for about 24 hours.

50
00:01:42,250 --> 00:01:44,890
Now, we have the ability to log in to that battery remotely

51
00:01:44,890 --> 00:01:45,723
over the Internet

52
00:01:45,723 --> 00:01:48,020
so we can see exactly how much battery is left,

53
00:01:48,020 --> 00:01:50,650
how quickly our burn rate is, and things of that nature.
54
00:01:50,650 --> 00:01:52,770
If you're in a bigger building, you might have elevators

55
00:01:52,770 --> 00:01:53,603
and you want to be able to figure out

56
00:01:53,603 --> 00:01:55,600
where the elevator is at any given time.

57
00:01:55,600 --> 00:01:57,050
If you've watched any spy movie,

58
00:01:57,050 --> 00:01:59,470
I'm sure you've seen the idea of building automation systems

59
00:01:59,470 --> 00:02:00,383
where they turn on and off the AC,

60
00:02:00,383 --> 00:02:02,360
usually they turn on and off the elevators

61
00:02:02,360 --> 00:02:04,690
or turn on and off the lights to a particular floor.

62
00:02:04,690 --> 00:02:07,040
That's what a building automation system really is.

63
00:02:07,040 --> 00:02:08,040
Now, when you start dealing

64
00:02:08,040 --> 00:02:09,560
with all these building automation systems,

65
00:02:09,560 --> 00:02:10,820
they have lots of different parts

66
00:02:10,820 --> 00:02:13,000
that could bring up vulnerabilities to your network.

67
00:02:13,000 --> 00:02:14,570
So, again, I like to keep these

68
00:02:14,570 --> 00:02:16,600
as their own segmented network

69
00:02:16,600 --> 00:02:18,220
but when we start covering these vulnerabilities,

70
00:02:18,220 --> 00:02:20,732
we have things like the process and memory vulnerabilities

71
00:02:20,732 --> 00:02:22,680
inside the PLCs

72
00:02:22,680 --> 00:02:25,540
because these building automations are going to use PLCs.

73
00:02:25,540 --> 00:02:27,720
If you're going to control elevators and lighting

74
00:02:27,720 --> 00:02:30,340
and water and fire mains and power,

75
00:02:30,340 --> 00:02:33,320
all of those things do have PLCs that you can control

76
00:02:33,320 --> 00:02:34,870
within your building.

77
00:02:34,870 --> 00:02:36,890
Then, we have to think about how we're going to keep

78
00:02:36,890 --> 00:02:39,750
our credentials safe because oftentimes,

79
00:02:39,750 --> 00:02:42,270
these things have poor security management.
80
00:02:42,270 --> 00:02:43,970
A lot of times, people write their code

81
00:02:43,970 --> 00:02:45,920
with plain text credentials or keys

82
00:02:45,920 --> 00:02:47,840
inside the application code.

83
00:02:47,840 --> 00:02:50,390
That way, they'll say my password is password

84
00:02:50,390 --> 00:02:51,830
and they'll put it right in the code

85
00:02:51,830 --> 00:02:53,790
and that could be exploited by an attacker.

86
00:02:53,790 --> 00:02:55,240
Another thing I often see occur

87
00:02:55,240 --> 00:02:58,260
is code injections against the web user interface.

88
00:02:58,260 --> 00:03:00,050
A lot of these building automation systems,

89
00:03:00,050 --> 00:03:01,260
the way that they are monitored,

90
00:03:01,260 --> 00:03:02,370
is through a web interface,

91
00:03:02,370 --> 00:03:04,250
whether locally or over the Internet.

92
00:03:04,250 --> 00:03:06,030
So, if there is a web interface presented,

93
00:03:06,030 --> 00:03:07,960
that means an attacker could access that

94
00:03:07,960 --> 00:03:09,230
and then do a code injection,

95
00:03:09,230 --> 00:03:12,270
doing something like an XML injection, an SQL injection,

96
00:03:12,270 --> 00:03:15,330
a cross site scripting injection, something like that.

97
00:03:15,330 --> 00:03:16,520
And so, you've got to keep that in mind.

98
00:03:16,520 --> 00:03:18,280
This is an area that could allow

99
00:03:18,280 --> 00:03:19,940
for somebody to get into that network

100
00:03:19,940 --> 00:03:21,460
and then control your building.

101
00:03:21,460 --> 00:03:23,250
Now, one of the things we really have to worry about

102
00:03:23,250 --> 00:03:26,070
with these premise systems and building automation systems

103
00:03:26,070 --> 00:03:27,370
is that they can be used to create

104
00:03:27,370 --> 00:03:29,910
a denial of service condition in the real world.

105
00:03:29,910 --> 00:03:31,290
Now, what do I mean by that?
106
00:03:31,290 --> 00:03:32,570
Well, let's say I got a hold

107
00:03:32,570 --> 00:03:34,170
of your building automation system

108
00:03:34,170 --> 00:03:35,570
and I was able to do a code injection

109
00:03:35,570 --> 00:03:37,050
to take access over it.

110
00:03:37,050 --> 00:03:39,020
I could create a denial of service condition for you

111
00:03:39,020 --> 00:03:40,650
that could affect your entire building

112
00:03:40,650 --> 00:03:43,550
by turning off your HVAC, which is your air conditioner.

113
00:03:43,550 --> 00:03:44,760
And if you have a server farm

114
00:03:44,760 --> 00:03:46,300
and I take away your air conditioner,

115
00:03:46,300 --> 00:03:49,030
that can overheat the systems and cause them to shut down.

116
00:03:49,030 --> 00:03:51,060
Now, I have caused an electronic attack

117
00:03:51,060 --> 00:03:53,710
against your servers by doing a physical attack

118
00:03:53,710 --> 00:03:55,350
by taking away your cooling.

119
00:03:55,350 --> 00:03:57,300
These are the things you have to think about.

120
00:03:57,300 --> 00:03:58,960
Another reason to worry about these systems

121
00:03:58,960 --> 00:04:01,120
is often, they're not well-secured.

122
00:04:01,120 --> 00:04:03,680
If you think back to 2015, there was a big case

123
00:04:03,680 --> 00:04:05,260
of this in the news with Target.

124
00:04:05,260 --> 00:04:07,900
Target is a big retail chain in the United States.

125
00:04:07,900 --> 00:04:10,210
And they actually had one of their contractors

126
00:04:10,210 --> 00:04:12,160
who ran their HVAC systems,

127
00:04:12,160 --> 00:04:13,700
and their systems had gotten hacked.

128
00:04:13,700 --> 00:04:15,810
And somebody went through their systems

129
00:04:15,810 --> 00:04:17,990
through the HVAC at the Target stores

130
00:04:17,990 --> 00:04:20,370
and then down into the point of sale systems,

131
00:04:20,370 --> 00:04:23,150
the cash registers, and started collecting credit card data.
132
00:04:23,150 --> 00:04:25,810
This was a huge breach and it was a huge black eye

133
00:04:25,810 --> 00:04:27,200
for the corporation.

134
00:04:27,200 --> 00:04:29,330
So, remember, these building automation systems

135
00:04:29,330 --> 00:04:31,360
could be used as an intrusion vector

136
00:04:31,360 --> 00:04:32,900
as somebody wants to pivot from that

137
00:04:32,900 --> 00:04:35,710
into a more dangerous attack against your corporate network.

138
00:04:35,710 --> 00:04:38,030
So, you have to make sure the right protection's in place.

139
00:04:38,030 --> 00:04:40,210
Now, the final thing I want to talk about in this lesson

140
00:04:40,210 --> 00:04:41,550
is the idea of PACS,

141
00:04:41,550 --> 00:04:44,450
which is the Physical Access Control System.

142
00:04:44,450 --> 00:04:46,570
Now, the Physical Access Control System

143
00:04:46,570 --> 00:04:48,430
is all of the components and protocols

144
00:04:48,430 --> 00:04:50,420
that facilitate the centralized configuration

145
00:04:50,420 --> 00:04:52,150
and monitoring of security mechanisms

146
00:04:52,150 --> 00:04:54,640
within offices and data centers.

147
00:04:54,640 --> 00:04:57,080
So, when we start talking about all the security cameras

148
00:04:57,080 --> 00:04:59,300
and the access control to badge in and badge out

149
00:04:59,300 --> 00:05:00,210
of your building,

150
00:05:00,210 --> 00:05:03,500
that is all part of your Physical Access Control Systems.

151
00:05:03,500 --> 00:05:05,410
Now, PACS can either be implemented

152
00:05:05,410 --> 00:05:07,580
as part of your building automation system

153
00:05:07,580 --> 00:05:09,740
or as part of a separate system.

154
00:05:09,740 --> 00:05:10,870
Either way will work.

155
00:05:10,870 --> 00:05:13,120
It just depends on how your contractor sets it up

156
00:05:13,120 --> 00:05:15,350
or how your organization sets it up.

157
00:05:15,350 --> 00:05:17,220
Now, one word of warning here.
158
00:05:17,220 --> 00:05:19,180
PACS are often installed and maintained

159
00:05:19,180 --> 00:05:21,560
by a third-party external supplier

160
00:05:21,560 --> 00:05:24,900
and because of that, a lot of times, people omit that

161
00:05:24,900 --> 00:05:28,230
from their risk analysis or their vulnerability assessments.

162
00:05:28,230 --> 00:05:30,150
So, as you're starting to think about your networks

163
00:05:30,150 --> 00:05:32,500
and you think okay, I've got this Windows network here,

164
00:05:32,500 --> 00:05:33,940
I've got the server farm here,

165
00:05:33,940 --> 00:05:35,960
I might have this OT over here,

166
00:05:35,960 --> 00:05:37,750
they don't think about the building network itself

167
00:05:37,750 --> 00:05:40,260
because it's some third-party contract.

168
00:05:40,260 --> 00:05:43,450
So, that's okay if you're going to exclude it from your scope

169
00:05:43,450 --> 00:05:45,460
if you have that in writing that that is part

170
00:05:45,460 --> 00:05:47,070
of their responsibilities.

171
00:05:47,070 --> 00:05:49,210
And they will probably have some kind of requirement

172
00:05:49,210 --> 00:05:52,490
to give you every quarter, every six months, every year,

173
00:05:52,490 --> 00:05:54,300
some kind of a vulnerability statement

174
00:05:54,300 --> 00:05:56,610
of what the network looks like because again,

175
00:05:56,610 --> 00:05:58,210
you can outsource the task

176
00:05:58,210 --> 00:06:00,410
but you can't outsource the responsibility.

177
00:06:00,410 --> 00:06:03,470
If their network is tied to your network in any way

178
00:06:03,470 --> 00:06:05,140
and there's a vulnerability in their network,

179
00:06:05,140 --> 00:06:07,770
that means the attacker could get from them to you,

180
00:06:07,770 --> 00:06:08,970
just like they did with Target.

181
00:06:08,970 --> 00:06:10,123
So, keep that in mind.