
Converged discussions




Converged threat is when the threat to our organisational security is physical and cyber, combined in a perfect storm. This is perhaps best characterised by physical systems, such as video surveillance and building management systems, that are Internet Protocol (IP) based. The threat is to the physical wellbeing and security of the system, its users and its data (think surveillance images), as well as to the network on which it sits and its connected assets, be they information or physical, and, inevitably, to the health and safety of all concerned. Yes, it is a big topic and we are only going to scratch the surface here.


Why is this important? Cyber attacks facilitated by poorly configured domestic devices are one thing (yes, I am looking at you people who bought internet-enabled kettles for reasons best known to yourselves), but when it is our own security infrastructure that is turned against the rest of us, that is really worrying. What happens when vast numbers of these devices are all harnessed by a malicious actor? There can be no better recent demonstration of this than the Mirai botnet, which devastated several online platforms such as Twitter, Spotify and PayPal by making them inaccessible for users. This was done by finding unsecured items, such as video surveillance systems still using factory default Admin and Password login credentials, and then harnessing them into a zombie army under the control of an attacker.


Interestingly, if you choose to buy a web-enabled system, you need to appreciate that the manufacturers appear to think that you are the one responsible for security, not them. Your failure to secure it, by not changing the username and password on the administrator web portal, might mean it is vulnerable and could be relatively easy to exploit in this way. On the face of it, you might be forgiven for thinking that this is a pretty simple thing to fix; after all, all security managers need to do is change the username and password and we are sitting pretty, right? Sadly not.


Read the full Professional Security Magazine article here:

About the author: Mike Gillespie is MD of Advent IM, an information security consultancy.
