Layered Approach

Layered Approach

IoT is used to create smart homes, buildings and numerous other end points

The security department has long held responsibility for the physical protection of assets, infrastructure and people. The operation and protection of electronic data systems has been the responsibility of the IT department. Today, we increasingly see the blurring of these lines with the movement of surveillance, access control, life safety and other physical security systems onto IP-based network technology.

The IT approach to layered security for systems, infrastructure and data is increasingly impacting the security department, and with good reason. Recent cyberattacks have revealed vulnerabilities beyond traditional IT systems and infrastructure, uncovering the potential threat of attack on and through a wider range of network connected devices. The Internet of Things (IoT) is rapidly growing as network connectivity blurs the line between computing devices, appliances, vehicles and industrial equipment. IoT is used to create smart homes and buildings, network enabled appliances, aircraft, automobiles, ships and trains. It is found across every market segment. While consumers and industry professionals are excited about the benefits, cybersecurity experts increasingly warn about the vulnerabilities that IoT introduces to traditionally secure infrastructure.

Many manufacturers of surveillance cameras, access control and other security systems have considered their products to be edge devices, relying on the IT department to provide network protection in limiting access only to those authorized to do so. This view is changing as more manufacturers and their customers understand that any device connected to the network requires basic cybersecurity protection in the current threat environment.

Akamai, a vendor of content delivery network services, detailed in its Q3 2015 State of the Internet Security Report a 180 percent yearover- year increase from 2014 to 2015 in Distributed Denial of Service (DDoS) attacks. Other sources agree that attacks are dramatically increasing. Verisign, a Virginia-based infrastructure and security company, reported in the Verisign Distributed Denial of Service Trends Report for the 2nd quarter of 2016 that that the frequency of DDoS cyberattacks increased by 75 percent from the same period a year before. Industry analyst Gartner estimated in a 2014 press release that by 2020 more than 25 percent of identified attacks on enterprises will involve IoT network devices.

Security systems are not immune. The September 2016 attack on Krebsecurity.com and France-based Internet hosting firm OHV was executed using over 140,000 network cameras and DVRs. The devices were transformed into robotic attackers or “bots” by an infection of the Mirai malware.

The Washington Post reported that 70 percent of the video cameras across the U.S. capital were infected with ransomware. 123 of 187 NVRs had their data encrypted by the infection in the days prior to the Trump Presidential Inauguration in January 2017. Other network- enabled cameras and DVRs have been reported in the media to secretly connect to sites in China. Data, video and images have reportedly been uploaded to these remote locations without the consent or awareness of the user. Other cameras have been infected with malware within seconds of being connected to the Internet, or as being easily hacked.

While there is reason for action and a need for more education, there is no cause for panic as the security industry is responding. The challenge faced by manufacturers of network-enabled security products— including surveillance cameras—is to balance ease of installation and ongoing operation with the protection of the device, the network and the connected infrastructure.

A product with extremely strong cybersecurity protection may turn away customers by being too restrictive or complex for their needs. Conversely, a product that is exceptionally easy to setup and use may be a gateway to cyberattack.

Finding the balance between these two factors while meeting the requirements of IT is a challenge to be solved by manufacturers. Arecont Vision relies on its in-house developed Massively Parallel Image Processing architecture and FPGA (field programmable gate array) technology to eliminate or mitigate cybersecurity risks and enable camera updates. The company also takes that further by developing its own feature and not licensing third-party code for core features. This eliminates the risk of hidden backdoors or of malicious code lurking unsuspected and undetected. Other manufacturers will have their own approaches to cybersecurity.

Being prepared is the best cybersecurity defense, regardless of the products used. The following dozen recommendations are starting points for any security organization formulating their own cybersecurity polices.

Choose products that provide security protection while balancing the user experience. Only devices that include basic security protection such user IDs and 16 digit ASCII passwords should be allowed on the network. The administration interface must balance ease of installation with adequate cybersecurity protection, without making the device unduly complicated to use and manage.

Segregate the network. Good design policy is to separate and firewall cameras, access control, alarm, sensors, and IT systems onto individual networks or sub-nets. Sharing a single network between different applications increases the risk of both performance issues, and both exposure to and the success of a cyberattack. Eliminating unnecessary connections to the wider corporate network and to the global Internet can also reduce the risk of successful cyberattacks.

Update firmware. All cameras, servers, NVRs/DVRs, storage devices, switches, routers, WiFi access points and any other networkconnected devices should be regularly updated with the latest available manufacturer firmware to eliminate security holes. No device that cannot be fully updated with new security measures, features or enhancements should ever be connected to the network, and a policy should be enforced to ensuring such updates are performed.

Limit authorization and access to only those who need it. Limit physical and network access to individual systems, data and infrastructure to only those who require that access. Enforce password changes on an appropriate cycle and with any departure of employees and contractors formerly with access.

Change default password settings. An increasing number of cyberattacks are made using default IDs and passwords. Cameras, DVRs and other security systems now join computers, storage and security systems as potential network access points for a cyberattack, and often have less security included.

No device should be allowed to connect to the network until the default user ID and password have been reset after commissioning. Organizations should have a strong password policy that defines password rules and frequently requires password changes. Use a secure password management system to keep track.

Virus scan any device or media before attaching it to the network. All computers and media used to install or update network cameras, servers, NVRs or storage devices should be virus scanned with up-todate protection/detection software for malignant code before being connected to or loaded into a shared network.

Apply special protection to cameras covering sensitive areas and limit access. Laws limit where video recording can occur, what can be recorded, what use can be made of it, and even who can view it. The security system designer needs to be an expert on these local requirements and adhere to them.

A good policy is to never install a camera anywhere you would not want others to see the scene being covered. Sensitive areas or personal space may not be the best choice for a camera location, particularly with the risk of a cyberattack.

Educate your team. Employees need to be aware and educated of the risks and challenges of cybersecurity prevention, detection, mitigation and recovery in advance of an incident. Accidental or unintentional exposure is major risk factor in exposing a business or organization to cyberattack, and education is the best defense.

Integrate and follow IT and security department guidelines for devices and access. Integrate with established IT and security department guidelines. Follow industry guidelines, policies and regulations as best practices to address everything from remote access, cloud networks, unsecured networks, Bring Your Own Device (BYOD) policies, network monitoring and data safekeeping.

Conduct regular cybersecurity reviews and assessments. Both the IT and security departments should conduct regular cybersecurity reviews and assessments of their infrastructure, systems and policies throughout the year.

Preplan for cyberattack responses. Many organizations have risk assessment and response strategies, designed for a wide range of potential disasters and catastrophic events. Cybersecurity needs to be included to deal with mitigation and recovery in the event of any incident.

Build and keep a disaster recovery up to date. Have a disaster recovery plan in place before a catastrophic failure or data breach occurs. Be sure to keep the plan up to date. Consider making commercial cybersecurity insurance part of the program.

Establishing these types of security policy recommendations, tailored to fit the needs of the organization, will prevent many cybersecurity risks and help to mitigate the impact of those that are not.

Employee education is also of critical importance. Organizations such as the Security Industry Association, ASIS International, the Cybersecurity Policy and Research Institute, the Electronic Privacy Information Center, and many colleges and universities are among many that offer actionable information on cybersecurity. They are excellent places to start learning more about how to protect an organization.

By taking these actions, organizations can be well on their way to cybersecurity awareness and protection.

This article originally appeared in the May 2017 issue of Security Today.

Featured

  • Gaining a Competitive Edge

    Ask most companies about their future technology plans and the answers will most likely include AI. Then ask how they plan to deploy it, and that is where the responses may start to vary. Every company has unique surveillance requirements that are based on market focus, scale, scope, risk tolerance, geographic area and, of course, budget. Those factors all play a role in deciding how to configure a surveillance system, and how to effectively implement technologies like AI. Read Now

  • 6 Ways Security Awareness Training Empowers Human Risk Management

    Organizations are realizing that their greatest vulnerability often comes from within – their own people. Human error remains a significant factor in cybersecurity breaches, making it imperative for organizations to address human risk effectively. As a result, security awareness training (SAT) has emerged as a cornerstone in this endeavor because it offers a multifaceted approach to managing human risk. Read Now

  • The Stage is Set

    The security industry spans the entire globe, with manufacturers, developers and suppliers on every continent (well, almost—sorry, Antarctica). That means when regulations pop up in one area, they often have a ripple effect that impacts the entire supply chain. Recent data privacy regulations like GDPR in Europe and CPRA in California made waves when they first went into effect, forcing businesses to change the way they approach data collection and storage to continue operating in those markets. Even highly specific regulations like the U.S.’s National Defense Authorization Act (NDAA) can have international reverberations – and this growing volume of legislation has continued to affect global supply chains in a variety of different ways. Read Now

  • Access Control Technology

    As we move swiftly toward the end of 2024, the security industry is looking at the trends in play, what might be on the horizon, and how they will impact business opportunities and projections. Read Now

Featured Cybersecurity

Webinars

New Products

  • FEP GameChanger

    FEP GameChanger

    Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction. 3

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions. 3

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings. 3