Your 2016 radar should include IoT, cyber security and smart codecs
- By James Marcella
- May 01, 2016
If you’re like most security professionals, your daily inbox is crammed with
updates from industry associations, publications and online communities
summarizing the hot topics of the day. If you want to predict what will be
trending for 2016 just look back at the key issues that started bubbling up to
the top in the latter half of 2015.
Those are the ones that are picking up steam and will become significant factors
for security professionals in the coming year. Each one represents a major
advancement in edge-based electronic devices that deliver additional layers of security
on both the physical and logical sides of the spectrum.
PROTECTING THE INTERNET OF THINGS
The Internet of Things (IoT) has not faded into obscurity nor is it just a marketing
claim to promote the sale of another device on your network. It has become so
firmly established that it garnered official security requirements from the Department
of Homeland Security (DHS), Science and Technology Division. DHS lists
three prerequisites for managing any IoT device or program on their networks:
Detection: the ability to know what IoT devices and components are connected
to a given network or system.
Authentication: the ability to verify the provenance of IoT components and
prevent and detect spoofing.
Updating: IoT security programs must include the ability to securely maintain
and upgrade these components.
The combination of these three capabilities decreases the risk of security
breaches by identifying which devices are on your network, ensuring that those
devices have the proper logical credentials to reside on the network and confirming
that they can be upgraded to the latest software when new threats are introduced.
But what really makes security of IoT so challenging is its highly diverse and
widely distributed nature. The permutations and combinations of devices and networks
and the ways they can connect with IoT systems are virtually endless. Therefore,
it’s imperative that security professionals work closely with their IT counterparts
to examine each device on their network to assure its compliance with the
DHS definition of secure.
Nowadays almost anything connected to a network falls into the broad definition
of IoT. This contrasts sharply with past models of operation. In the past, different
systems were siloes of technology, but today it is not uncommon to combine
intrusion detection, access control, mass notification, video surveillance and other
electronic security devices on a single network. In the best case, these devices share
information with each other and drive new solutions that mitigate risk.
For instance, a camera embedded in a door station primarily used for entry
management could detect a person loitering outside your facility’s main entrance.
Before alerting security professionals, it could trigger an event that plays a prerecorded
message to an outdoor speaker instructing the people to move on. If they
don’t, then a security guard could be notified on a mobile device or even over their
VoIP phone system and have a discussion with the people outside.
In the worst case, each of these devices shares information directly with a local PC
server, which acts as an intermediary but accomplishes the same solution. The main
difference between the two is the budget it takes to arrive at the same finish line.
HARDENING CYBER CONNECTIVITY
The security industry owes most of its innovation to the consumer electronics industry,
and IoT is certainly no exception. Today, I could purchase a networked
thermostat, doorbell, smoke detector, television, speaker, garage door opener and
even door locks that I can control from anywhere I have a signal on my smartphone.
Unfortunately, in many cases, so can hackers.
There are many instances where manufacturers sacrifice security in favor of
ease of use. When that happens, it’s buyer beware. While this compromise may be
acceptable in consumer markets, this lack of security at the network level is unacceptable
for security practitioners tasked with the protection of people and assets.
But security doesn’t rest solely on the shoulders of the practitioner. The responsibility
to secure a network, its devices and the services it supports also extends to
the entire vendor supply chain as well as the end user organization. That’s why
reputable manufacturers not only keep security at the forefront of product development,
but also provide education on best practices for the use of their products.
Each installation is different and not all need to be secured to the highest levels
possible. It’s noteworthy that many products come with default settings designed for ease of installation, but unfortunately also help
identify devices to potential hackers by broadcasting
their connection status over the network. Protocols
such as UPnP and Bonjour are examples of this and
should be turned off.
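The two points above, knowing what is on the network (the DHS "Detection" prerequisite) and the fact that UPnP devices announce themselves by default, can be combined into a passive inventory. The following is an added example, not code from the article or from any vendor: it parses the SSDP NOTIFY announcements that UPnP devices multicast to 239.255.255.250:1900 and keeps a list of what is currently advertising itself. The sample datagrams, addresses and device names are constructed for illustration.

```python
"""Passive UPnP/SSDP device inventory (added example, not code from the article).
UPnP devices multicast NOTIFY announcements to 239.255.255.250:1900; collecting them
inventories every device advertising itself, which is the DHS "Detection" step."""


def parse_ssdp(raw):
    """Lower-cased headers of one NOTIFY datagram, or None if it is not a NOTIFY."""
    lines = raw.decode("utf-8", errors="replace").split("\r\n")
    if not lines[0].upper().startswith("NOTIFY "):
        return None  # M-SEARCH probes and unicast replies are not announcements
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")  # split at the first colon only
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def build_inventory(datagrams):
    """Fold (source_ip, raw) pairs into {USN: details}; ssdp:byebye removes a device."""
    inventory = {}
    for src_ip, raw in datagrams:
        hdrs = parse_ssdp(raw)
        if not hdrs or "usn" not in hdrs:
            continue  # USN is the unique service name that identifies the device
        if hdrs.get("nts", "ssdp:alive").lower() == "ssdp:byebye":
            inventory.pop(hdrs["usn"], None)
        else:
            inventory[hdrs["usn"]] = {"ip": src_ip, "type": hdrs.get("nt", ""),
                                      "server": hdrs.get("server", ""),
                                      "location": hdrs.get("location", "")}
    return inventory


# Constructed sample traffic: a camera announces, a search probe is seen, and a
# door station announces and then leaves the network.
SAMPLE = [
    ("192.0.2.10", b"NOTIFY * HTTP/1.1\r\nNT: urn:schemas-upnp-org:device:Basic:1\r\n"
                   b"NTS: ssdp:alive\r\nUSN: uuid:cam-0001\r\nSERVER: ExampleCam/1.0\r\n"
                   b"LOCATION: http://192.0.2.10:49152/desc.xml\r\n\r\n"),
    ("192.0.2.11", b"M-SEARCH * HTTP/1.1\r\nMAN: \"ssdp:discover\"\r\n\r\n"),
    ("192.0.2.12", b"NOTIFY * HTTP/1.1\r\nNTS: ssdp:alive\r\nUSN: uuid:door-0002\r\n\r\n"),
    ("192.0.2.12", b"NOTIFY * HTTP/1.1\r\nNTS: ssdp:byebye\r\nUSN: uuid:door-0002\r\n\r\n"),
]

if __name__ == "__main__":
    for usn, info in build_inventory(SAMPLE).items():
        print(usn, info)
```

On a live network the same (source_ip, raw) pairs come from a UDP socket bound to port 1900 that has joined the 239.255.255.250 multicast group; every device that shows up in the inventory is one whose UPnP announcements should be switched off.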
Compared with their consumer counterparts, professional
grade products will offer an advanced level
of protection using authentication methods and encryption.
Authentication should sound familiar. It is
the second building block for the DHS IoT definition
and is the heart of a secure installation. Many edge-based
products accomplish this through IEEE 802.1X,
which provides port-level security on network switches
using certificates that are assigned to specific network
devices. Without a valid certificate, the switch
disables the port and the device cannot communicate
across the network.
This approach also requires a RADIUS server to
manage the certificates, which can be either a standalone
server or embedded in the switch. Authentication
mitigates the risk of unauthorized network access
if someone gains physical access to your network,
such as by hijacking the network cable from an outdoor
camera and plugging in a laptop.
Encryption is another advanced security measure
that should be incorporated in edge-based devices
particularly if your solution leverages public networks
such as the Internet. There are many installations
that require a decentralized recording of video
that needs to be reviewed centrally when an event
occurs. In many cases the infrastructure to deliver
this solution would be cost-prohibitive without using
public networks. For instance, the owner of several
small franchise restaurants could record events
at each property and view that live or recorded video
remotely from the comfort of home. There are many
instances of this happening today and very few leverage
encryption when doing so.
Savvy security professionals need to understand
that the landscape is rapidly changing with regards
to their organization’s cyber security posture. It is no
longer just the responsibility of the IT department.
As more electronic security counter measures move to
the network, security professionals need to vet a product
on its potential cyber vulnerability as well as the
device’s physical security value to the organization.
DEPLOYING SMARTER CODECS
Another edge device concern involves the resolution of
network cameras. As resolution continues to push ever
higher it directly increases the bandwidth and storage
needed to view or record it. With the introduction of
4K this past year, as well as the proliferation of even
higher resolution cameras, security professionals are
inundated with the mantra of more is better.
The bottom line of higher resolution from a surveillance
perspective is that wider-angle lenses can
be used while maintaining the appropriate pixels on
target for detection, recognition and/or identification,
as the operational requirements of a given scene dictate.
That wider field of view provides increased situational
awareness and, in some cases, enables fewer cameras
to be installed. Unfortunately those benefits directly
translate into higher costs for bandwidth and storage
which have limited their use for some customers.
Advances in video compression continue to drive
down the bit rate of video with the latest being H.265,
which has gained limited acceptance in the security
industry. Ratified in 2013, H.265 boasts an impressive
50 percent saving in bitrate over its H.264 predecessor.
The limited adoption is not unique to the security industry
as it has yet to supplant H.264 in the consumer
market as well, despite the improvements.
The big challenge for adoption rests on legal issues,
not technical ones. HEVC Advance represents
a pool of 500 patent holders for H.265 and has developed
a licensing and royalty model which many companies
feel goes too far. The real issue relates to the
royalties for content revenue generated using H.265,
which was never an issue with H.264. This model has
led companies like Google and Cisco to develop their
own video compression techniques. As a result, the
water is getting even muddier and H.265 will probably
remain a niche solution in the security industry for at
least the next year.
Fortunately, several manufacturers have developed
enhancements to existing implementations of H.264.
Since they are using H.264 as the codec's foundation,
there is broad-based support in the VMS community,
which will generate some head-to-head competition
once H.265 cameras start hitting the market.
One such technique called Zipstream is a radically
more efficient implementation of H.264 that can reduce
bandwidth and storage requirements by an average
of 50 percent or more when compared to existing
H.264. Sounds familiar, right? That is the same savings
figure that H.265 is touting. Axis Communications is
not the only company offering bandwidth savings by
optimizing H.264, but this particular iteration has a
unique approach that dynamically allocates regions
of interest inside a camera scene. In more traditional
solutions the user defines a static region of interest.
The problem with that approach is two-fold: the bad
guy is likely to move out of a static region of interest
and if you try to compensate for that fact by making
the region of interest too big, you miss out on the
KEEP AN EYE ON YOUR INBOX
There are certainly more items on the security professional’s
radar for 2016, such as cloud-based services, analytics,
as well as a host of new advances in camera technology.
In my opinion, however, IoT, cyber and smart
compression techniques will be the
ones having the greatest impact on
our industry in the coming year.
This article originally appeared in the May 2016 issue of Security Today.