The Risk Profile

The Risk Profile

Does your surveillance system fit the proper cyber profile?

As surveillance system technologies advance, so do the technologies employed by hackers. Increasingly sophisticated cyber criminals, whether working for criminal enterprises or for foreign governments, are developing not just better, but entirely different, ways to enter and manipulate or undercut the protection of surveillance systems.

What are some of these emerging threats and how can you protect against them?

New Kinds of Threats

Extortion hacks break into sensitive company or customer data and threaten to release it unless the victim pays a ransom. This increasingly popular threat is different than merely encrypting or locking access to the data until a ransom is paid.

Last year there were two known such cases of extortion, the first was an attack on the site. The resulting data dump cost the CEO his job, and it exposed millions of would-be marital cheaters. A second case involved the hacking of InvestBank in the United Arab Emirates and the exposure of customer account information.

Data sabotage will, in all likelihood, be more difficult to detect than simple theft. Since very slight data alterations could result in enormous changes, hackers to the financial and stock-trading systems could create havoc to—and take advantage of—the manipulated rise and fall of stock prices.

A potentially devastating type of data sabotage could result from the insertion of or alteration of code to a country’s weapon systems to change how they operate.

Another threat will come about as the Internet of Things (IoT) spreads to many appliances and other devices. How will anyone be sure their toaster isn’t part of a menacing bot army?

How can we ensure that our connected car won’t be susceptible to hacking? How about life-saving medical devices? Or sophisticated hackers who install back doors to enable access a system whenever the hackers want?

It’s become clear that the likelihood of cyber attacks isn’t a question of “if,” but rather a question of “when.” Now is the time to examine your own surveillance system to identify the inherent weaknesses and cyber vulnerabilities within it, and then develop a strategy to take action and mitigate your risk to exposure and loss.

The Challenges of Advanced Technology

Surveillance VMS make up one of the key elements of today’s security systems, whether monitoring a small private company or a sprawling enterprise. Though the ability to monitor and control locations has never been more important, many systems are migrating from analog to an IP-based or cloud-managed system for the promise of better image resolution, remote access and monitoring, and accompanying analytic software packages.

Unfortunately, better technology may also represent a greater exposure to cyber attacks, as such systems can offer a number of easily accessible entry points for hackers that could compromise entire systems. Just last year there were several notable cyber attacks on both government and private organizations.

  • The Office of Personnel Management was hacked and the addresses, health and financial information of 19.7 million people who had undergone background checks was stolen;
  • The well-publicized breach of the Ashley Madison site last summer resulted in the theft of personal information and credit card information on more than 11 million users;
  • Last fall, it was learned that healthcare insurance company Anthem had been hacked by the Chinese, who were seeking to learn how medical coverage in the United States is managed.

3 Questions to Ask Yourself

In order to ensure that your organization’s security is up to today’s cyber warfare challenges, ask yourself these three questions.

Is cyber defense a priority? As physical security systems continue to merge with the world of IP, it is helpful to start by declaring that cybersecurity is truly a priority for the organization. Cyber attacks continue to grow in both range and severity, and from all accounts it appears they will continue to do so. In today’s world, to not declare that cyber defense is a priority is, in effect, inviting attack. And sooner or later, it will come.

Has my installer or integrator “hardened” my system? To harden a system against intrusion means to heighten its security by reducing the number of potential breach points that could be exploited by hackers. Some installers and integrators are cutting prices in order to remain “competitive,” but if they don’t reduce the number of potential breach points, they are doing you no favors.

Today’s systems are increasingly sophisticated and require a high level of IT experience and knowledge in order to implement them effectively. Also, make sure your system manufacturer didn’t cut any corners by failing to run a full range of testing to determine all software and hardware vulnerabilities of their products.

Are my users a weak link in my security chain? Your own users can become enablers to cyber hacking through the use of weak or default passwords, or through requesting unnecessary remote access privileges to the network. Rest assured that hackers will find the weak links in your security chain, so it’s important to demand that all users accept cyber security as the priority that it is.

6 Steps to Developing a Strategy to Mitigate Risk

Everyone in both government and industry agrees that cyber threats are one of the nation’s gravest threats. Mitigating those threats has attracted both media attention and budget dollars to the tune of $90 billion or more. Yet the threat continues, not just for small companies, but also for Sony, the State Department, and healthcare companies like CareFirst. The truth is that there is no silver bullet that will eliminate all risk, and it takes a concerted effort to develop a strategy that will mitigate the risk. Here are six steps that can point you in the direction of developing an effective strategy to mitigate the risk to your organization.

  • Realize that your organization has cyber risks. Hackers hack for as many reasons as there are types of victims of hacking: including healthcare companies, credit card companies, manufacturers, and government agencies. The list goes on. Don’t be surprised if your organization is hacked one day.
  • Determine your biggest risks. You’re not going to prevent every single attack, so a good place to start is by determining your most valuable assets: what systems are the most valuable, what information is most sensitive. Tap your key managers to conduct a discovery process across the organization.
  • Put together a cyber risk leadership team. Good governance requires leadership and effective decision-making. Don’t wait until the first attack before assembling your team.
  • Involve your entire organization. As noted earlier, any user who doesn’t understand that cyber security is a priority may inadvertently assist the hackers trying to gain admittance to your systems. Get everyone on board.
  • Don’t protect only the perimeter. Budgets today are still skewed towards perimeter-protecting tools like firewalls and anti-virus programs, but it’s important to have a plan of action for when those perimeters are breached.
  • Practice dry run responses. Don’t let your first attack be a real one. Practice a response ahead of time. It may mean the difference between a contained incident and a disastrous loss.

A mitigation strategy is also important as a tool to help the organization better distinguish between a threat and a genuine loss. Experiencing a breach but containing the damage may, in that case, be considered a success, and help protect the company’s bottom line.

This article originally appeared in the August 2016 issue of Security Today.


Featured Cybersecurity


New Products

  • Camden Door Controls Application Spec Guide

    Camden Door Controls Application Spec Guide

    Camden Door Controls, an industry-leading provider of innovative, high quality door activation and locking products, has published a new application spec guide for specification writers designing a wireless barrier-free restroom control system. 3

  • VideoEdge 2U High Capacity Network Video Recorder

    VideoEdge 2U High Capacity Network Video Recorder

    Johnson Controls announces a powerful recording solution to meet demanding requirements with its VideoEdge 2U High Capacity Network Video Recorder. This solution combines the powerful capabilities of victor with the intelligence of VideoEdge NVRs, fueled by Tyco Artificial Intelligence, for video management that provides actionable insights to save time, money and lives. 3

  • Camden Door Controls ‘SER” Surface Boxes and Extension Rings

    Camden Door Controls ‘SER” Surface Boxes and Extension Rings

    Camden Door Controls has introduced new ‘SER” surface boxes and extension rings that provide a complete solution for new construction. In addition, they provide a simple and robust solution when replacing round wired and manual push plate switches with either Camden’s wired or wireless SureWave™ no-touch switches or Kinetic™ no-battery wireless switches. 3