Advisory Banner

ADVISORY

ADVISORY NEWSLETTERS

Five Reasons Your Building Isnít as Secure as You Think

Building technology and security are often seen as an afterthought to building operations. Frequently, assumptions are made that everything is secure from todayís cybersecurity threats, or the risk is low because buildings arenít e-commerce platforms or other obvious targets. But are you really secure?

Many buildings have internal systems that were built in a simpler time, often with security as an afterthought Ė think default passwords, unpatched control systems, and operating systems that are no longer maintained or patched. In a world where cybersecurity is a daily headline, complacency for IT operations in commercial buildings is truly a false economy. While e-commerce and data centers may get the bulk of the attention from hackers, targeting building systems can be easy prey for the bad guys out there.

We have spent considerable energy analyzing and documenting the inner workings of building systems, and Ė not surprisingly Ė found many weaknesses that could be exploited by hackers, compromising your systems or tenants, and creating unwanted reputational risk. The following Top Five list is comprised of actual findings encountered during our efforts to secure building systems from cyber attacks.

(1) The Unpatched Digital Video Recorder (DVR)
Building surveillance systems are incredibly common Ė the technology is inexpensive enough that even the smallest properties have installed cameras and other monitoring devices. The vendor that is responsible for installation is often not concerned with the security implications of the digital video recorder (DVR) or digital video cameras that are network accessible. We consistently see many DVRs sitting on the same network as other building systems. To make matters worse, recent DVRs now have Internet-enabled features. For the vendor to enable these features, they typically open one or more inbound firewall ports so the DVR is easily accessible from anywhere. This is commonly done so the building engineer can remotely monitor their cameras. While having remote access to the cameras is incredibly convenient, it is also a security threat. These DVRs are rarely patched, and outdated firmware versions can become easily exploited, especially when internet accessible.

(2) We Donít Need No Stinking Firewall
Do your properties have modern firewalls with up-to-date patches and monitoring? Consider yourself in the minority if you do. There are many properties that simply have an old consumer router that hasnít been patched in years, or possibly worse, just the box furnished by the internet provider. Those boxes do a fine job providing Internet connectivity, but provide zero control over traffic and lack basic or advanced monitoring capabilities. They donít include things like content filtering, advanced malware protection, and intrusion detection and prevention (IDS/IPS). To add insult to injury, these providers by default openly advertise wireless access points that the public can attach to. Do you really want the public on your WiFi sucking up bandwidth and unmonitored for abuse? And if the cable company isnít trying to give away your WiFi, you can bet that someone inside has tried, which leads us to:

(3) Free WiFi for Everyone!
Wireless is a great advance which has transformed how we work over the last 20 years. But this convenience has created a completely new security challenge. Remember that engineer that briefly worked at your building last year? Well, he installed a $20 access point on your network so he could get internet while in the cafeteria. And now there are 50 people on your building network and you donít even know it. You would think something like this isnít very common, but with vendors and engineers coming and going over the years, the possibility is very real. We find these wireless access points hidden everywhere like cockroaches.

(4) Misbehaving Snack Machine
In the old days, a snack machine sat in a break room eating quarters and giving your tenants a quick sugar fix. No one carries quarters any longer, and your snack machine is now on the internet. Unfortunately, we have seen your snack machine Ė and it has malware on it. Worse, itís on your building network next to your unpatched energy management system from 2005. Better contact that vendor (who doesnít specialize in security either), because the bad guys are swiping credit card numbers from your tenants, and youíre about to have a PR nightmare on your hands.

(5) The Public PC
You hope that you have hired vendors that are savvy about security. But the guy installing your access control or DVR system is not necessarily a networking guru/security expert. Recently we found a PC that the vendor decided needed to be completely on the Internet with its own public IP address (no firewall). We donít know if the malware on this PC came directly from the internet, from the engineer browsing the web, or simple email malware. There are so many ways (or threat vectors) this PC could have been compromised that it didnít stand a chance. And to save money, this one PC had energy management, access control, and general office work all happening on its infected self. If that malware had remote control capability, hackers could have easily caused building environment issues, locked out the scan cards, and stolen the access control list of everyone with a badge. If that had happened, cleaning up the mess could be far more expensive than having a secure architecture in the first place.

Itís Not Too Late
We hope your corporate environment doesnít have these issues. These problems are, unfortunately, all too typical in the commercial building sector. But you can get ahead of your cybersecurity threats with some planning and detective work. Your best bet is to schedule a comprehensive walkthrough of your building Ė identifying your vulnerabilities is the first step in building a plan of attack to close the holes in your building security. Once you have your plan, at least you will know if you are vulnerable to the next Wannacry or Petya attack.

Garrett Suhm, Chief Security Officer, 5Q Partners
Garrett Suhm is Chief Security Officer for 5Q Partners responsible for developing and executing Cybersecurity programs for their clients. He has successfully led technology teams large and small for over 28 years. Based in Atlanta and Dallas, 5Q Partners provides a full spectrum of IT Leadership, Operational and Professional Services to financial stakeholders in the commercial real estate industry.

This Week’s Sponsor

Leveraging decades of industry experience, 5Q Partners offers a full spectrum of commercial real estate technology solutions, including - cybersecurity consulting, CIO level leadership, applications integration, private cloud management, help desk support and onsite IT operations - managing as much, or as little, of your company's technology projects or operations as needed. Visit www.5qpartners.com.

Realcomm News



UPCOMING REALCOMM WEBINARS

Commercial Real Estate Information Management - Best Practice Showcase - 5/10/2018

Years ago, the choices were much simpler. Property Management, Accounting and Email were all you needed to run a Commercial Real Estate organization. Fast forward to today and the complexity of the industryís information management requirements have grown exponentially. Single stack, integrated best-of-breed, and open ecosystems are all options under consideration. Databases, warehouses and now lakes, as well as new technologies such as AI, Machine Learning and Blockchain all add to the growing complexity of real estate information management strategy. Additionally, there are thousands of new companies that want to be part of the solution. Join the debate as best practices are uncovered.

headshot for Jim Young
Jim Young Realcomm
Jim Young Co-Founder & CEO Founder of Realcomm Conference Group, an education organization that produces Realcomm, IBcon and CoRE Tech, the world's leading conferences on techno
headshot for Jim Young
Jim Young
Co-Founder & CEO
Realcomm
LinkedIn

Founder of Realcomm Conference Group, an education organization that produces Realcomm, IBcon and CoRE Tech, the world's leading conferences on technology, automated business solutions, intelligent buildings and energy efficiency for the commercial and corporate real estate industry. As CEO, Jim interacts with some of the largest companies globally pertaining to some of the most advanced and progressive next generation real estate projects under development.

headshot for Chuck Niswonger
Chuck Niswonger NiceNets Consulting
Chuck Niswonger President
headshot for Chuck Niswonger
Chuck Niswonger
President
NiceNets Consulting

headshot for Sam Wong
Sam Wong QuadReal Property Group
Sam Wong Head of Analytics and Data Science Sam Wong is Head of Analytics and Data Science at QuadReal. He has over 15 years of experience in Analytics and has worked within numerous industries
headshot for Sam Wong
Sam Wong
Head of Analytics and Data Science
QuadReal Property Group

Sam Wong is Head of Analytics and Data Science at QuadReal. He has over 15 years of experience in Analytics and has worked within numerous industries with a wide range in technologies. Sam is a featured speaker on Data Science and Analytics, most recently he spoke at the 2018 Gartner Data and Analytics Summit and at IBM THINK 2018.

headshot for Chong Huan
Chong Huan THE INLAND REAL ESTATE GROUP
Chong Huan EVP & Chief Information Officer Chong P. Huan is Executive Vice President and Chief Information Officer at Inland Real Estate Group. Chong has over 22 years experience and a Proven t
headshot for Chong Huan
Chong Huan
EVP & Chief Information Officer
THE INLAND REAL ESTATE GROUP

Chong P. Huan is Executive Vice President and Chief Information Officer at Inland Real Estate Group. Chong has over 22 years experience and a Proven track record in aligning business with vision and IT strategies to achieve efficient and cost-effective IT organizations. Diverse expertise in financial products and services, order and portfolio management, risk management, securities trading, processing, research and operations with IT acumen to achieve growth and enhance shareholder value.

headshot for Brian Zrimsek
Brian Zrimsek MRI Software
Brian Zrimsek Industry Principal Brian Zrimsek is Industry Principal at MRI Software. Brian brings 25 years of large scale enterprise software experience to MRI, most recently as an I
headshot for Brian Zrimsek
Brian Zrimsek
Industry Principal
MRI Software

Brian Zrimsek is Industry Principal at MRI Software. Brian brings 25 years of large scale enterprise software experience to MRI, most recently as an IT Vice President at the Irvine Company. With over a decade of experience in real estate technology he has become a well-known subject matter expert, industry panelist, and trusted advisor, especially within the multifamily real estate market.

headshot for Abhinav Somani
Abhinav Somani LEVERTON
Abhinav Somani Chief Revenue Officer Abhinav (Abe) is an experienced investment, financial, technology, business development and operations strategist. He is currently the Chief Revenue O
headshot for Abhinav Somani
Abhinav Somani
Chief Revenue Officer
LEVERTON

Abhinav (Abe) is an experienced investment, financial, technology, business development and operations strategist. He is currently the Chief Revenue Officer for LEVERTON. Abe has worked with many law firms and institutions over the years and has a deep understanding of the real estate technology / CREtech / PropTech space. With LEVERTON, Abe is revolutionizing how corporations use artificial intelligence based machine and deep learning algorithms for data extraction.

headshot for Alex Stanton
Alex Stanton Yardi
Alex Stanton Regional Director, Commercial Sales Alex Stanton has over 20 years working with in the real estate application space. Currently as VP of Solution Consulting for Yardi Systems, he leads t
headshot for Alex Stanton
Alex Stanton
Regional Director, Commercial Sales
Yardi

Alex Stanton has over 20 years working with in the real estate application space. Currently as VP of Solution Consulting for Yardi Systems, he leads the solution presales team, who work with customers and prospects to explore how to address business needs. Alexís recent areas of focus has been to work with clients on the real estate specific applications of cloud, mobile, 'big data' and energy.

headshot for Jeff Thompson
Jeff Thompson AwareManager
Jeff Thompson Co-Founder/CEO Jeff Thompson is co-founder and CEO of AwareManager. He leads the company's commercial and corporate real estate clientsí most complex projects. By co
headshot for Jeff Thompson
Jeff Thompson
Co-Founder/CEO
AwareManager

Jeff Thompson is co-founder and CEO of AwareManager. He leads the company's commercial and corporate real estate clientsí most complex projects. By combining his industry and IT expertise, Jeff helps organizations get data models set up correctly from the very start and helps them overcome major hurdles to user adoption, data-driven decision-making and stakeholder engagement.