Security Assessment
Northridge Plaza Properties
- Engagement period: March 15, 2026 — April 5, 2026
- Prepared by: IoTGuardian
- Scope: 3 locations · 47 devices · 12 employees
- Next scheduled review: July 15, 2026
Executive summary
Northridge Plaza Properties is a three-location property management firm operating commercial retail plazas in the metro area. The environment under review comprises forty-seven networked devices and twelve employees across the head office and two satellite leasing offices. The engagement covered the period of March 15, 2026 through April 5, 2026. Work included on-site walk-downs at all three sites, remote configuration review, and a short series of interviews with the office manager, the head of leasing, and the two vendors who service the camera and door-access systems.
Three themes account for the majority of risk in this environment. First, legacy camera firmware on roughly two-thirds of the surveillance cameras exposes administrative interfaces that were never intended to be reachable from the internet. Second, the network is flat — there is no separation between the office workstations, the point-of-sale terminals at the leasing desks, and the IoT estate. Third, vendor and administrator credentials are shared and have not been rotated in at least eighteen months.
Overall posture is rated Moderate. We identified 2 critical findings, 7 high findings, 14 medium findings, and 22 low findings. Both critical findings are remediable inside thirty days with vendor coordination; the high findings are remediable inside ninety days with modest internal effort. None of the findings indicate an active compromise.
Top 10 risks
| # | Finding | Business impact | Technical impact | Effort | Priority |
|---|---|---|---|---|---|
| 1 | Camera firmware exposes admin interface to internet | Theft, extortion via leaked footage | Remote unauthenticated control of cameras | M | Critical |
| 2 | Shared admin credentials on POS systems | Payment-data theft, PCI exposure | Lateral movement to back-office systems | S | Critical |
| 3 | No network segmentation between IoT and office LAN | One compromised camera = full network access | Trust boundary missing | L | High |
| 4 | Vendor remote-access account has standing privileges | Vendor breach reaches client environment | No just-in-time access controls | M | High |
| 5 | Door access controller runs unsupported firmware | Physical access bypass | Vendor no longer issues patches | M | High |
| 6 | No multi-factor on cloud property-management portal | Account takeover, fraudulent lease records | Password reuse risk | S | High |
| 7 | Guest Wi-Fi shares VLAN with office Wi-Fi | Tenant device sees office devices | VLAN tags not applied | S | High |
| 8 | POS terminal OS one major version behind | Vendor support gap | Missing browser patches | M | High |
| 9 | Office printer admin interface uses default credentials | Print job interception | Lateral foothold | S | High |
| 10 | Backup files stored on same NAS as primary data | Ransomware destroys backups | No 3-2-1 separation | M | Medium |
What we fixed during the engagement
A handful of changes were small enough that we executed them in the course of the assessment with the office manager’s approval. These are listed for the record so ownership has a complete picture of the work performed.
- Enabled WPA3 on the guest Wi-Fi network across all three locations.
- Pushed firmware updates to eight of the twelve outdated cameras; the remaining four require a vendor truck-roll and are scheduled.
- Enrolled all four administrator accounts on the property-management portal in multi-factor authentication.
- Documented current vendor-access procedures in a one-page runbook now filed in the office manager’s binder.
30 / 60 / 90 day plan
30 days
- Complete remaining camera firmware updates on a scheduled vendor truck-roll.
- Rotate shared vendor credentials and convert to per-technician accounts.
- Deploy network segmentation: separate VLANs for cameras, POS, and guest.
60 days
- Implement quarterly access reviews covering every administrator account.
- Document an incident-response runbook keyed to ransomware, stolen POS, and compromised camera scenarios.
90 days
- Engage a third party to perform a penetration test of the post-segmentation network.
- Run a one-hour security-awareness session for all twelve staff.
- Re-baseline inventory and re-test remediated findings.
Closing
The Northridge environment is in better shape than the average property firm of this size. The fundamentals — patching, segmentation, credential hygiene — are achievable inside the quarter. The next scheduled assessment is set for July 15, 2026. We will reach out two weeks in advance to confirm scope and coordinate with the vendors involved.