Information security and asset protection go hand in hand for a business that deals with cash, credit and computers. In the business world the model is shifting to “just in time” logistics, and to be successful in that arena information technology is essential.
At the same time, physical security for the building and the employees is also essential. Unfortunately, an overzealous public affairs representative or writer for a product review can negate the best efforts of asset protection and put the company at risk.
Security Capabilities Disclosure Is an Information Technology Vulnerability
Information Technology (IT) professionals recognize that disclosing how passwords are configured for access to a computer system, what type of security is in place, or which Operating System (OS) is in use can provide critical information to those who want to compromise that system.
The business of penetrating a system, commonly attributed to hackers, involves much more than just computers. Gathering information about business and security systems is often the role of a social engineer, who finds ways to gain the trust of critical employees and extract enough information from them. Each tidbit seems harmless on its own, but when the pieces are put together a detailed picture emerges that gives a hacker enough information to gain access.
Commercials about identity theft and bank notices about phishing scams serve to alert consumers and business professionals alike of the dangers of providing too much information to possible criminals. At the same time, the public affairs professional, often with limited IT security training, attempts to promote the company and its accomplishments in many different venues.
Additionally, the manufacturer also attempts to promote its products, and naming specific customers can be seen as a way to win business from the customer’s competitors and from other businesses. It is these types of public disclosures that can damage a company in ways that were unintended and that are preventable.
The Panera Bread Security System Case Study Example
In December of 2018, Security Management published a case study on Panera Bread and how the company saved money by shifting to IP technology for its alarm system. While Panera Bread is not a high-risk target, the case study provides examples of what a company should avoid. To its credit, the article did disclose that every Panera Bread property is alarmed, which could help to reduce the incidence of break-ins and armed robbery. After that, however, the security violations escalate rapidly into unnecessary disclosure of security information.
The security violations include disclosure that all Panera Bread alarm systems are monitored at a remote site in Broomall, PA. While shifting to IP technology prevents a physical attack from cutting telephone lines at each store site, it does little to prevent a physical attack on the monitoring site itself as the opening move of a coordinated physical attack on numerous store sites. That is not likely for Panera Bread, but it is again an example of what not to allow in terms of disclosure.
Another violation is identifying that each store utilizes a Honeywell 784i IP Communicator in conjunction with a Honeywell Vista 20P alarm control panel. This type of disclosure allows a potential attacker to acquire the identical equipment and determine vulnerabilities at their leisure.
The errors in disclosure also include revealing that the system uses a polling signal to determine whether a line has been cut. The article gives no consideration to the fact that this information enables a would-be attacker to introduce a duplicate polling signal, or an intermediate device that imitates the Honeywell equipment, much like the device that was used to determine the weakness in the Honeywell components in the first place.
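As an added illustration (not from the Security Management article and not a description of Honeywell's actual protocol), the following constructed Python model shows one defensive design that makes a duplicated polling signal useless: the monitoring site challenges each store with a fresh random nonce, and the communicator must answer with an HMAC over the site identifier, that nonce and an increasing sequence number, so a captured reply cannot be replayed and a device without the per-site key cannot imitate the communicator. The site identifier, key and message layout are assumptions for this example.

```python
import hmac
import hashlib
import secrets

# Constructed per-site secret, provisioned out of band (assumption for this example).
SITE_KEY = b"constructed-per-site-secret"


def reply_tag(key: bytes, site_id: bytes, nonce: bytes, seq: int) -> bytes:
    # HMAC-SHA256 binds the reply to this site, this poll's nonce and this sequence number.
    return hmac.new(key, site_id + nonce + seq.to_bytes(4, "big"), hashlib.sha256).digest()


class MonitoringCentre:
    def __init__(self, site_id: bytes, key: bytes):
        self.site_id, self.key = site_id, key
        self.seq = 0          # highest sequence number accepted so far
        self.pending = None   # nonce of the poll currently awaiting a reply

    def poll(self) -> bytes:
        self.pending = secrets.token_bytes(16)  # fresh challenge for every poll
        return self.pending

    def verify(self, reply) -> bool:
        nonce, seq, tag = reply
        # Reject replays of old polls, rewound sequence numbers, and bad tags.
        if self.pending is None or nonce != self.pending or seq <= self.seq:
            return False
        if not hmac.compare_digest(reply_tag(self.key, self.site_id, nonce, seq), tag):
            return False
        self.seq, self.pending = seq, None
        return True


class Communicator:
    def __init__(self, site_id: bytes, key: bytes):
        self.site_id, self.key, self.seq = site_id, key, 0

    def answer(self, nonce: bytes):
        self.seq += 1
        return (nonce, self.seq, reply_tag(self.key, self.site_id, nonce, self.seq))


def run_demo():
    centre = MonitoringCentre(b"store-0001", SITE_KEY)   # constructed site id
    comm = Communicator(b"store-0001", SITE_KEY)
    first_ok = centre.verify(comm.answer(centre.poll()))   # genuine reply accepted
    captured = comm.answer(centre.poll())                  # a reply an eavesdropper recorded
    genuine_ok = centre.verify(captured)
    n3 = centre.poll()
    replay_ok = centre.verify(captured)                    # replayed to a later poll: rejected
    forge_ok = centre.verify((n3, 3, b"\x00" * 32))        # right nonce, no key: rejected
    live_ok = centre.verify(comm.answer(n3))               # real communicator still works
    return first_ok, genuine_ok, replay_ok, forge_ok, live_ok
```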
Excessive Self-Disclosure Makes Social Engineering Easy
As stated earlier, Panera Bread is unlikely to find itself the victim of a coordinated physical attack, but the case study provides examples of what not to disclose. Before releasing information that details any characteristics of a security system or of the computer operating system of a business organization, it should first be vetted by a security professional who has a good knowledge of hacking capability and social engineering techniques.
As any multidisciplinary security expert knows, information security begins with physical security and both are necessary. A company or any other organization or person should never disclose the security measures in place to anyone except those who have a need to know.