Visitor Management Systems
Walking through the lobby of an office building typically entails greeting the security guard, presenting your identification, and waiting for further instructions on how to access the premises. However, as technology continues to modernize, it also changes the way we work and communicate. Computers are quickly replacing the familiar faces of security desk staff, and our digital identities are increasingly defining our access.
Whereas we used to say “who can I talk to” when encountering an access issue, we now talk to machines. Among other functions, these systems can check in guests, control their access in and around the facility, and send security alerts/updates to security personnel as necessary.
The use of visitor management systems has gained a lot of popularity in recent years. Computer databases are more accessible through technologies like the cloud, and the cost of networking has declined. In fact, sales are predicted to surpass $1.3 billion by the year 2025. These kiosk-like computer screens were designed to strengthen security measures by authenticating visitors and issuing badges for them through an automated process. But unlike your regular “sign-in sheet” that permits you to see who’s checked in earlier, the visitor management system keeps corporate information a little more private.
Like most devices that are connected to the internet, visitor management systems have vulnerabilities that can be easily exploited. After studying the 5 most popular systems – Lobby Track Desktop, Threshold Security, EasyLobby Solo, Envoy Passport, and The Receptionist – IBM has highlighted some of their security issues. IBM found that hackers can easily gain access to contact information, visitor logs, and sensitive company data, all of which can be used against the victims.
One of the biggest vulnerabilities that IBM identified is caused by poor cyber hygiene. What do we mean by that? Well, several applications associated with the management system used default administrative credentials that were not changed. As a result, hackers can gain complete access to, and control of, visitor databases. Creating strong and challenging passwords is a fundamental step towards practicing good cyber hygiene and securing an organization’s cyber presence. Leaving default credentials in place hands an advantage to seasoned cybercriminals, who have mastered penetrating even the toughest security passcodes, and makes access simple.
The Attack Profile
Once hackers gain control of the visitor management system, the potential for damage is endless. They can choose to exfiltrate data, gain network access, or plan a physical attack. Gaining a foothold in the network will allow criminals access to credentialing systems to produce badges. This is a direct path to unlocking doors without triggering alarms in the systems that manage physical access across organizations. From there, stealing other valuable physical assets is a breeze.
A hacker can now blend in, as no one pays attention to someone who has a valid ID card. The lack of forced entry undermines a security practice that looks to identify forced intrusion. In addition, exfiltration of data is easier, as it can be picked up off desks and walked out the front doors of the facility. Once extracted, the information can be sold to other criminals or companies that will find value in the data. Worse, the credentialing access can also be sold, and the cycle could continue for a while before anyone knows the intrusion is occurring.
This is just one more example of how cyber-physical crossover is occurring in our world, and it highlights the need for better risk management across all entities. The risk manager and the chief information officer must be in sync as to how access will be cross-checked. Hackers are getting smarter about doing business. Security planning from a holistic perspective is paramount to corporate risk management. Suspending disbelief about the intelligence of hackers will allow better protection for all corporate stakeholders.
Tying Up Loose Ends
Following its findings, IBM has informed the 5 companies of the risks associated with their products. All were advised to implement full-disk encryption that is backed by a hardware security module, because any system accessible to the public inevitably faces the dangers of hacking. After all, resiliency starts with preparedness. Visitor management systems are used to simplify procedural business routines; however, that does not mean they should use simple credentials. Password integrity is the basis for any security system and should not be taken lightly. Default passwords must be changed immediately, and administrative privileges should be given to only a select few. Ultimately, limiting system access will decrease the likelihood of a cyber-attack.
Visitor management systems are valuable and even have the ability to improve business functionality. However, improved functionality must never come at the expense of security.