Whether you are a business owner renting commercial real estate or are directly involved in renting that real estate yourself, information security is paramount. It's easy to focus only on computers, networks and smartphones, but the threat landscape extends beyond that.
A mistake many business owners make is to assume that if their digital devices are secured, they have no information security concerns. Further examination requires a better definition of what exactly a "digital device" is. Last year's retail breaches in Target, Home Depot and other stores were largely centered around point-of-sale systems. While these systems are indeed computers, they do not fit the traditional mold of desktop or laptop workstations.
The fact is, everything with a microprocessor is potentially exploitable. I bring this up not to foster paranoia, but to encourage business owners to think creatively about exactly how they can be exploited. For commercial real estate, this often includes systems otherwise considered part of a business' physical security.
Consider the Onity lock exploit of 2012. A technique developed at BlackHat, a major information security conference, allowed a user to use a simple microcontroller to bypass a particular model of keycard lock often found on hotel room doors, demonstrating a compromise in millions of locks across the country. That exploit was later leveraged by burglars for many months after, even after the lock company had "fixed" the firmware within the locks.
Access gates are another example. Using some simple hardware and programming knowledge, a person could use a spectrum analyzer or software-defined radio to capture the unlock signal from a passing car and then re-create that with an easily built 433MHz transmitter. This could allow an attacker access to a warehouse, a gated community, an office complex - the possibilities are endless.
The solution to potential compromises like this is not to give in to fear and remove all digital access to physical locations. Instead, commercial real estate owners need to think like attackers.
Identify every single device with a chip in a commercial property - computers, smartphones, security camera systems, digital door locks, etc. - and start doing research on every model. While computers receive regular security updates, it is unlikely that a digital door lock is connected to the Internet and a regular update server, so it may still be running old, exploitable firmware. By simply searching Google for particular models of security hardware, one can find potentially exploitable hardware.
If a documented vulnerability is found online, it is critical to address the issue immediately. Realize that potential attackers are avid followers of this kind of news. The only difficulty in hacking is found in the initial discovery of a vulnerability. Once an exploit has been publicly documented, it is trivial for someone with average technical ability to simply follow a set of instructions and re-create it. Thus, the potential threat doesn't come from some rare and highly intelligent super hacker but from someone who decided to break into your building, noted the model of lock on your door and looked on Google for a way past it.
So what happens if your assessment identifies hardware that might be vulnerable?
The obvious answer is to simply replace it, and this is often a good choice. However, take care that the replacement doesn't have any documented vulnerabilities of its own. Again, do some simple research online.
Another easy and more cost-effective solution is to check the manufacturer's official documentation on the vulnerability and determine if a firmware patch is available. Often this simply requires downloading a small file from the company's website, placing it onto a USB drive and inserting that in the device itself. The exact process is always explained in detail on the company's website.
However, if no firmware update is available for a potentially exploited device - a common occurrence for security hardware made in bulk overseas - the only solution is replacement.
For many reasons, it is also essential to ensure that the various tenants in a commercial property all have separate networks. While it might seem like a nice gesture for a commercial property manager to offer WiFi or pre-existing hard-wired network connections to tenants, this comes with its own set of security risks. As a tenant, you have no real guarantee that the building network you're using isn't misconfigured to allow access to your shared data from other businesses under the same roof, or even from guests using the lobby WiFi. Furthermore, from the perspective of the property manager, it's nightmarish to have the security equipment on the same network as all of the tenants - this exponentially increases the number of potential attack points. Tenants should have no problem with having their own networks installed or even setting up their own wireless routers in their office spaces as opposed to using a central wiring closet, as this allows them full control over their own networks with a minimal number of attack points.
A property manger could set up some basic security rules and regulations for tenants, such as requiring WPA2 with WPS disabled on all WiFi networks in the building, and then run a simple wireless scan to ensure each network meets those criteria. This allows the property manager to enforce a minimum standard of security at the property, while allowing tenants to maintain maximum autonomy over their own networks.
Security assessments are not complicated - even informal ones performed on your own equipment. In all its forms, security can be broken down into two simple tasks: thinking critically and staying current. These principles apply whether you're a small business renting an office or whether you own and operate the office building yourself.
Written in collaboration with information security expert Dylan Evans, Reveal's vice president of operations.