How Cyber Secure Are Your Physical Security Devices?

Protecting the network with your sensitive business data

Are your physical security devices attached to the same network as your sensitive business data? Then you had better take as much care to cyber secure those devices as you do your wireless access points, printer connections, scanners and other traditional network-attached technology. Any network node left unprotected could become a potential threat to overall network security.

What you need to do to harden your network connections depends on your risk assessment. First, identify what assets need protection. Then investigate what threats or vulnerabilities pose a risk to those assets. Once you have that information in hand, you can decide whether those risks are worth mitigating. For organizations handling credit card payments and/or patient data, the physical security of stored data—whether in the cloud or an in-house data center—is mandated by law, and the financial penalties for non-compliance are significant. For some business owners, the consequences of unauthorized system breaches might be minimal, which would influence how much they spend on protection technology.

Sometimes, the solution is as simple as network segmentation either through physical wiring or a VLAN. Separating network resources that shouldn’t interact or have no need to interact with each other increases overall network protection levels and assists in optimizing resource management.
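To make the segmentation point concrete, the following added example (not part of the original article) audits flow records against a segment plan and lists traffic that crosses a boundary without a documented need. The segment names, subnets, allow-list and flow records are all constructed assumptions.

```python
import ipaddress

# Constructed segment plan; names and subnets are assumptions for illustration.
SEGMENTS = {
    "physical-security": ipaddress.ip_network("10.20.0.0/24"),  # cameras, door controllers, VMS
    "building-hvac": ipaddress.ip_network("10.30.0.0/24"),      # HVAC monitoring
    "business-data": ipaddress.ip_network("10.10.0.0/24"),      # POS, file servers, client PCs
}

# Cross-segment traffic with a documented need: (source segment, destination segment, port).
# Direction matters: viewing clients may reach the VMS, not the reverse.
ALLOWED = {("business-data", "physical-security", 443)}

# Constructed flow records: (source IP, destination IP, destination port).
FLOWS = [
    ("10.20.0.15", "10.20.0.5", 554),   # camera to video server, same segment
    ("10.10.0.22", "10.20.0.5", 443),   # viewing client to VMS, allowed
    ("10.30.0.8", "10.10.0.40", 445),   # HVAC host reaching a business server
    ("10.20.0.15", "10.10.0.40", 443),  # camera initiating into business data
    ("192.168.7.9", "10.20.0.15", 80),  # address outside every planned segment
]


def segment_of(ip):
    """Return the name of the segment containing ip, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def audit(flows):
    """Return flows that cross a segment boundary without an allow-list entry."""
    findings = []
    for src, dst, port in flows:
        s, d = segment_of(src), segment_of(dst)
        if s == d and s != "unknown":
            continue  # traffic inside one segment is not a segmentation issue
        if (s, d, port) in ALLOWED:
            continue
        findings.append((src, dst, port, f"{s} -> {d}"))
    return findings


if __name__ == "__main__":
    for src, dst, port, path in audit(FLOWS):
        print(f"REVIEW {src} -> {dst}:{port} ({path})")
```

Each finding is a candidate for a VLAN or firewall rule change, or for a new allow-list entry if the traffic turns out to be needed.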

Breaches Aren’t Always the Result of a Frontal Attack

The convergence of so many new technologies on the same network infrastructure has placed an enormous burden on IT departments to pay particular attention to the cyber security of a plethora of non-traditional network-attached devices. Due diligence must be paid to the security configuration of these devices to eliminate exploitation—whether the devices are heating, ventilation and air conditioning (HVAC) controls and monitors; intelligent building automation devices such as smart thermostats, Smart Grid power monitoring and control devices; or networked surveillance cameras and IP-based access control systems.

One recent, highly publicized and massive retail customer data breach stemmed from the hijacked login credentials of a third-party HVAC service provider. Typically, the HVAC services company would remotely log into the retail stores’ HVAC monitoring systems for maintenance. Cyber hackers followed the same protocol, logging into the system using the stolen services company’s login credentials to gain access to the network. From there they were able to tap into the retailer’s point of sale systems, which resided on the same physical network infrastructure. As a result, confidential customer data was compromised.

The moral of the story? Keep a close eye on all network connected systems. They could be your Achilles Heel when it comes to securing sensitive corporate and client data. Once you understand what impact a successful breach might have on your business—financial penalties, loss of company reputation and market share, or perhaps negligible repercussions—you can plan your security spending accordingly.

Strategies for Protecting Network Ports

With more companies migrating to IP-based video surveillance and access control systems, both IT and physical security departments need to educate themselves on best practices for protecting these potentially vulnerable network nodes. To help you decide which security mechanisms, policies and procedures to deploy, let’s look at how a typical IP-based video system is configured.

Video cameras and access control devices attach over the network to a video and/or access control server. Alternatively, the system can contain multiple servers for load sharing and redundancy. The video can be stored to a local hard drive, a network-attached storage device (NAS), or a server storage array located at a remote data center or in the cloud. The network can also contain video viewing clients that can access video directly from the cameras or through a VMS.

To cyber-harden these physical security components, you need to focus on three areas: user/administrator credential management, physical port security, and video and data flow protection.

User/Administrator credential management: Credential management can be as simple as making sure that default logins and passwords are changed from factory defaults. IT professionals already do this as a default installation and maintenance best practice for networking hardware and attached devices. You can add another layer of protection by creating separate user and administrative logins, passwords and privileges.

IT can install other credential security measures such as multi-factor authentication if the camera/access control manufacturer supports this feature. Many of the major VMS application platforms can help you automate the setup and maintain those attached device credentials.

Physical port security: There are a number of measures you can employ to prevent a device’s removal from the network and the attachment of a laptop or other device configured to spoof the MAC or IP address of the camera or access control pad in order to gain access to the network and network assets. Depending on the capabilities of your network hardware management software, this can be as simple as a port-based MAC address lockdown that requires manual provisioning when a port link is lost and then recovered. This does not address cable tapping, however. In that case more rigorous measures are needed such as onboard credential authentication.
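The lockdown behaviour described above can be modelled in a few lines. This is an added example, not from the original article and not any vendor's implementation; the class, the event names and the MAC addresses are constructed. It shows why latching on link loss stops a replacement device even when it presents the provisioned MAC address.

```python
CAMERA_MAC = "00:11:22:33:44:55"  # constructed value for the provisioned camera


class LockedPort:
    """One switch port whose MAC lockdown latches whenever link is lost."""
    def __init__(self, provisioned_mac):
        self.mac = provisioned_mac.lower()
        self.link_up, self.locked, self.log = True, False, []

    def set_link(self, up):
        self.link_up = up
        if not up:
            self.locked = True  # link loss may mean a device swap, so latch
            self.log.append("link lost: port locked")

    def reprovision(self, mac):
        # Manual step: an operator confirms what is attached, then re-enables.
        self.mac, self.locked = mac.lower(), False
        self.log.append(f"re-provisioned for {self.mac}")

    def frame(self, src_mac):
        """Return True if a frame from src_mac would be forwarded."""
        if not self.link_up or self.locked:
            self.log.append(f"dropped frame from {src_mac}")
            return False
        if src_mac.lower() != self.mac:
            self.locked = True
            self.log.append(f"violation: unexpected MAC {src_mac}, port locked")
            return False
        return True


def replay(port, events):
    """Apply (kind, argument) events in order; return each frame's result."""
    results = []
    for kind, arg in events:
        if kind == "frame":
            results.append(port.frame(arg))
        elif kind == "reprovision":
            port.reprovision(arg)
        else:
            port.set_link(up=(kind == "up"))
    return results


EVENTS = [  # constructed event sequence for one camera port
    ("frame", CAMERA_MAC),           # camera in normal operation
    ("down", None), ("up", None),    # link lost, then something is plugged back in
    ("frame", CAMERA_MAC),           # correct MAC, but the port is still latched
    ("reprovision", CAMERA_MAC),     # operator verifies the camera on site
    ("frame", CAMERA_MAC),
    ("frame", "66:77:88:99:aa:bb"),  # unexpected MAC on an active port
]
```

Calling `replay(LockedPort(CAMERA_MAC), EVENTS)` returns the forwarding decision for each frame, and the port's `log` doubles as the alert trail an operator would review.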

When it comes to defending against network port hijacking, there are a number of network standard authentication measures you can deploy. It all depends on which ones are supported by the cameras and access control devices you’ve installed. For instance, many cameras support a basic 802.1X or RADIUS client for edge device authentication. Some camera manufacturers support PKI or token-based resident certificate authentication.

The bottom line is that you should include port-based/edge-connection cyber security on all your network edge devices no matter what they are. And the cyber security of those devices should align with the high security standards your company already has in place to protect other devices and data residing on the network.

Video and data flow protection: Protecting the transmission of video or data focuses on preventing the wrong people from putting eyes on or having access to your organization’s video. You can just imagine how tactical it can be for “bad guys” to have visibility inside the walls of your business or what a PR or legal nightmare you’d have on your hands if certain sensitive video footage showed up on YouTube.

The goal is to protect the data flowing from end to end: from the camera or access control device through the network to the server and ultimately the storage device. To achieve that, your first step would be to define the protection scheme you want to deploy and then search out components that can readily integrate into that scheme. For instance, some video system manufacturers support a variety of encryption schemes from edge devices to servers. Other system components support encryption from the servers to the viewing client PCs, laptops and smartphones.

Network camera and access control system encryption generally adheres to IT methodology standards such as 802.1X, SSL/TLS, HTTPS, and PKI certificates. There are also appliance-based, heavier encryption methods available. But because video transmissions are extremely sensitive to transmission latency, anything short of zero-latency encryption will likely disrupt recording capabilities.

Before you make any decisions about encryption, research what your camera and VMS suppliers recommend. Then, to ensure compatibility across the board, surveillance and physical security decision makers should closely align themselves with IT to confirm that the hardware and software products they plan on deploying will meet IT standards for cyber security.

Know What Security Options are Out There

To keep abreast of what encryption and other physical security technologies are on the horizon and what are currently available on the market, you can surf online content from camera and server manufacturers, participate in physical security seminars and trade shows held in the US and around the world, as well as attend traditional IT tradeshows and events where a sizable number of physical security companies participate as well.

The point is to educate yourself and get involved in cyber-security issues early in the vendor selection process whether you own the solution or are supporting the solution on your company’s network infrastructure.

This article originally appeared in the May 2015 issue of Security Today.
