Your Parking Computer System Is Most Likely Compromised, NOW!
When we think of a parking revenue control system (PRCS) we often think about the gates, pay-on-foot machines, labor and union issues, transaction amounts, credit card processing and more. However, when it comes to the PRCS network -- the servers and software + hardware infrastructure that carries all of the ones and zeros that make the tamper-resistant systems work -- we tend to underestimate how much we rely on it.
But the e-mail viruses that shut down corporate networks can shut down PRCS networks too. The truth is that a PRCS network is not just a network connecting parking garages together. It is, ultimately, a financial transaction network. A PRCS network carries credit cards, personally identifiable information, VINs, Social Security numbers and more. However, the security around it may be overlooked if we're not careful.
Indeed, network isolation is ever more important with the virus issues we've been seeing so much media coverage of. Worms like SOBIG and MSBLAST shut down entire networks seemingly instantaneously. Well, if the PRCS network isn't isolated, then that one network suffering the wrath of such infections can shut down your customer's ability to enter or exit the garage and, even worse, could affect your ability to cash in on transactions.
Obviously, we must pay new heed to the ever-more-important topic of network infrastructure, software architecture and security across PRCS systems. Here are some important points to consider when going over that "upgrade proposal" so you can have a secure parking revenue control system:
A network carrying financial transaction data must be isolated from all other networks. Under no circumstances should a PC in the accounting department be able to directly access all servers on your PRCS network. Servers, lane devices, routers, switches, monitoring systems, etc., should all be on an isolated network, and only those devices on that network should be able to talk to each other (and even that needs to be controlled).
Just because your network is isolated doesn't mean your data transactions are protected. Appropriate secure transmission protocols such as SSL, TLS, IP-SEC, SSH or SFTP should be put in place on all data transmissions. Case in point: An employee with a grudge could sit on a network and "sniff" the packets as they go across the wire. If the data aren't encrypted, he or she can just save that data to a file -- passwords, credit card numbers and more.
Client Logins and Appropriate Access Lists
Just because you trust your people doesn't mean you should forgo having appropriate access control lists and strong IT policies in place. IT managers know this better than anyone. Always run with "least privilege" and make sure you finely control who has access to what resources on the PRCS network. Make sure that no personal workstations are allowed on the network. Also, make sure you control who has access to the Internet.
Software Security Architecture Overviews
All too often I have seen issues with the security infrastructure of an application, but nobody asks any questions as to whether threats exist. Remember, it's OK to ask questions. The vendor selling you a product that will handle all of these financial transactions should be able to tell you how resilient its system is against potential attacks.
Think your network is secure? Think it can handle an attack? Test it! Test loads on your PRCS network. If you have a Web-accessible application, test how much traffic it can take, and whether that eats up your PRCS servers' availability. Check to see if new security vulnerabilities affect the rest of your network if a bad packet comes from a Web application. It is better that you know what your network is capable of so you can proactively monitor performance and respond to well-known and potential security issues before a hacker figures it out for you.
Proactive Security Monitoring Tools and Log Analysis
You can never have too much information available to you. Granted, it doesn't have to be on-screen all at once, but it should be there. Make friends with your logging applications. Make sure you have security audits monitoring on your network events. Furthermore, make sure you and your team can be notified of critical events in every way possible. E-mail and pager and/or text message should be used.
Web-Accessible Application Security Assessments
Some vendors provide online access to data in your PRCS network. These solutions make parking easier and friendlier for your customers. However, opening up a financial transaction network, which your PRCS network is, to the Internet can be incredibly dangerous. Make sure that, before implementing such a solution, you get a clear understanding from the vendor how its software has been tested for security vulnerabilities. Also, find out what data the vendor is going to access from the PRCS network and how it is going to access the network without compromising security.
Security Training for IT Personnel and 'Outside Sanity Checks'
Training your team -- teaching what to look for on the network, in access logs, in suspicious activity to prevent hacks, or to provide preventive maintenance against malicious viruses -- is crucial to a smooth-running operation. Remember: It's better to be mostly prepared than not prepared at all.
Auri Rahimzadeh is president and a senior engineer at T.A.G., an Indiana-based IT consulting and development firm (www.WeAreIT.biz). He can be
e-mailed at firstname.lastname@example.org.
Article Abstract from May, 2004