Layered Approach

Layered Approach

IoT is used to create smart homes, buildings and numerous other end points

The security department has long held responsibility for the physical protection of assets, infrastructure and people. The operation and protection of electronic data systems has been the responsibility of the IT department. Today, we increasingly see the blurring of these lines with the movement of surveillance, access control, life safety and other physical security systems onto IP-based network technology.

The IT approach to layered security for systems, infrastructure and data is increasingly impacting the security department, and with good reason. Recent cyberattacks have revealed vulnerabilities beyond traditional IT systems and infrastructure, uncovering the potential threat of attack on and through a wider range of network connected devices. The Internet of Things (IoT) is rapidly growing as network connectivity blurs the line between computing devices, appliances, vehicles and industrial equipment. IoT is used to create smart homes and buildings, network enabled appliances, aircraft, automobiles, ships and trains. It is found across every market segment. While consumers and industry professionals are excited about the benefits, cybersecurity experts increasingly warn about the vulnerabilities that IoT introduces to traditionally secure infrastructure.

Many manufacturers of surveillance cameras, access control and other security systems have considered their products to be edge devices, relying on the IT department to provide network protection in limiting access only to those authorized to do so. This view is changing as more manufacturers and their customers understand that any device connected to the network requires basic cybersecurity protection in the current threat environment.

Akamai, a vendor of content delivery network services, detailed in its Q3 2015 State of the Internet Security Report a 180 percent yearover- year increase from 2014 to 2015 in Distributed Denial of Service (DDoS) attacks. Other sources agree that attacks are dramatically increasing. Verisign, a Virginia-based infrastructure and security company, reported in the Verisign Distributed Denial of Service Trends Report for the 2nd quarter of 2016 that that the frequency of DDoS cyberattacks increased by 75 percent from the same period a year before. Industry analyst Gartner estimated in a 2014 press release that by 2020 more than 25 percent of identified attacks on enterprises will involve IoT network devices.

Security systems are not immune. The September 2016 attack on Krebsecurity.com and France-based Internet hosting firm OHV was executed using over 140,000 network cameras and DVRs. The devices were transformed into robotic attackers or “bots” by an infection of the Mirai malware.

The Washington Post reported that 70 percent of the video cameras across the U.S. capital were infected with ransomware. 123 of 187 NVRs had their data encrypted by the infection in the days prior to the Trump Presidential Inauguration in January 2017. Other network- enabled cameras and DVRs have been reported in the media to secretly connect to sites in China. Data, video and images have reportedly been uploaded to these remote locations without the consent or awareness of the user. Other cameras have been infected with malware within seconds of being connected to the Internet, or as being easily hacked.

While there is reason for action and a need for more education, there is no cause for panic as the security industry is responding. The challenge faced by manufacturers of network-enabled security products— including surveillance cameras—is to balance ease of installation and ongoing operation with the protection of the device, the network and the connected infrastructure.

A product with extremely strong cybersecurity protection may turn away customers by being too restrictive or complex for their needs. Conversely, a product that is exceptionally easy to setup and use may be a gateway to cyberattack.

Finding the balance between these two factors while meeting the requirements of IT is a challenge to be solved by manufacturers. Arecont Vision relies on its in-house developed Massively Parallel Image Processing architecture and FPGA (field programmable gate array) technology to eliminate or mitigate cybersecurity risks and enable camera updates. The company also takes that further by developing its own feature and not licensing third-party code for core features. This eliminates the risk of hidden backdoors or of malicious code lurking unsuspected and undetected. Other manufacturers will have their own approaches to cybersecurity.

Being prepared is the best cybersecurity defense, regardless of the products used. The following dozen recommendations are starting points for any security organization formulating their own cybersecurity polices.

Choose products that provide security protection while balancing the user experience. Only devices that include basic security protection such user IDs and 16 digit ASCII passwords should be allowed on the network. The administration interface must balance ease of installation with adequate cybersecurity protection, without making the device unduly complicated to use and manage.

Segregate the network. Good design policy is to separate and firewall cameras, access control, alarm, sensors, and IT systems onto individual networks or sub-nets. Sharing a single network between different applications increases the risk of both performance issues, and both exposure to and the success of a cyberattack. Eliminating unnecessary connections to the wider corporate network and to the global Internet can also reduce the risk of successful cyberattacks.

Update firmware. All cameras, servers, NVRs/DVRs, storage devices, switches, routers, WiFi access points and any other networkconnected devices should be regularly updated with the latest available manufacturer firmware to eliminate security holes. No device that cannot be fully updated with new security measures, features or enhancements should ever be connected to the network, and a policy should be enforced to ensuring such updates are performed.

Limit authorization and access to only those who need it. Limit physical and network access to individual systems, data and infrastructure to only those who require that access. Enforce password changes on an appropriate cycle and with any departure of employees and contractors formerly with access.

Change default password settings. An increasing number of cyberattacks are made using default IDs and passwords. Cameras, DVRs and other security systems now join computers, storage and security systems as potential network access points for a cyberattack, and often have less security included.

No device should be allowed to connect to the network until the default user ID and password have been reset after commissioning. Organizations should have a strong password policy that defines password rules and frequently requires password changes. Use a secure password management system to keep track.

Virus scan any device or media before attaching it to the network. All computers and media used to install or update network cameras, servers, NVRs or storage devices should be virus scanned with up-todate protection/detection software for malignant code before being connected to or loaded into a shared network.

Apply special protection to cameras covering sensitive areas and limit access. Laws limit where video recording can occur, what can be recorded, what use can be made of it, and even who can view it. The security system designer needs to be an expert on these local requirements and adhere to them.

A good policy is to never install a camera anywhere you would not want others to see the scene being covered. Sensitive areas or personal space may not be the best choice for a camera location, particularly with the risk of a cyberattack.

Educate your team. Employees need to be aware and educated of the risks and challenges of cybersecurity prevention, detection, mitigation and recovery in advance of an incident. Accidental or unintentional exposure is major risk factor in exposing a business or organization to cyberattack, and education is the best defense.

Integrate and follow IT and security department guidelines for devices and access. Integrate with established IT and security department guidelines. Follow industry guidelines, policies and regulations as best practices to address everything from remote access, cloud networks, unsecured networks, Bring Your Own Device (BYOD) policies, network monitoring and data safekeeping.

Conduct regular cybersecurity reviews and assessments. Both the IT and security departments should conduct regular cybersecurity reviews and assessments of their infrastructure, systems and policies throughout the year.

Preplan for cyberattack responses. Many organizations have risk assessment and response strategies, designed for a wide range of potential disasters and catastrophic events. Cybersecurity needs to be included to deal with mitigation and recovery in the event of any incident.

Build and keep a disaster recovery up to date. Have a disaster recovery plan in place before a catastrophic failure or data breach occurs. Be sure to keep the plan up to date. Consider making commercial cybersecurity insurance part of the program.

Establishing these types of security policy recommendations, tailored to fit the needs of the organization, will prevent many cybersecurity risks and help to mitigate the impact of those that are not.

Employee education is also of critical importance. Organizations such as the Security Industry Association, ASIS International, the Cybersecurity Policy and Research Institute, the Electronic Privacy Information Center, and many colleges and universities are among many that offer actionable information on cybersecurity. They are excellent places to start learning more about how to protect an organization.

By taking these actions, organizations can be well on their way to cybersecurity awareness and protection.

This article originally appeared in the May 2017 issue of Security Today.

Featured

  • Maximizing Your Security Budget This Year

    7 Ways You Can Secure a High-Traffic Commercial Security Gate  

    Your commercial security gate is one of your most powerful tools to keep thieves off your property. Without a security gate, your commercial perimeter security plan is all for nothing. Read Now

  • Making Safety and Security Intrinsic to School Design

    Public anxieties about school safety are escalating across the country. According to a 2023 Gallup report, 44% of parents fear for their child’s physical safety at school, a 10 percentage-point increase since 2019. Unfortunately, these fears are likely to increase if the incidence of school tragedies continues to mount. As a result, school leaders are now charged with two non-negotiable responsibilities. The first, as always, is to ensure kids have what they need to learn, grow, and thrive. Sadly, their second responsibility is to keep the children in their care safe from threats and physical danger. Read Now

  • The Power of a Layered Approach to Safety

    In a perfect world, every school would have an unlimited budget to help secure their schools. In reality, schools must prioritize what budget they have while navigating the complexities surrounding school security and lockdown. Read Now

  • How a Security System Can Enhance Arena Safety and the Fan Experience

    Ensuring guests have both a memorable experience and a safe one is no small feat for your physical security team. Stadiums, ballparks, arenas, and other large event venues are increasingly leveraging new technologies to transform the fan experience and maintain a high level of security. The goal is to preserve the integrity and excitement of the event while enhancing security and remaining “behind the scenes.” Read Now

Featured Cybersecurity

Webinars

New Products

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols. 3

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.” 3

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure. 3