The Risk Profile

The Risk Profile

Does your surveillance system fit the proper cyber profile?

As surveillance system technologies advance, so do the technologies employed by hackers. Increasingly sophisticated cyber criminals, whether working for criminal enterprises or for foreign governments, are developing not just better, but entirely different, ways to enter and manipulate or undercut the protection of surveillance systems.

What are some of these emerging threats and how can you protect against them?

New Kinds of Threats

Extortion hacks break into sensitive company or customer data and threaten to release it unless the victim pays a ransom. This increasingly popular threat is different than merely encrypting or locking access to the data until a ransom is paid.

Last year there were two known such cases of extortion, the first was an attack on the AshleyMadison.com site. The resulting data dump cost the CEO his job, and it exposed millions of would-be marital cheaters. A second case involved the hacking of InvestBank in the United Arab Emirates and the exposure of customer account information.

Data sabotage will, in all likelihood, be more difficult to detect than simple theft. Since very slight data alterations could result in enormous changes, hackers to the financial and stock-trading systems could create havoc to—and take advantage of—the manipulated rise and fall of stock prices.

A potentially devastating type of data sabotage could result from the insertion of or alteration of code to a country’s weapon systems to change how they operate.

Another threat will come about as the Internet of Things (IoT) spreads to many appliances and other devices. How will anyone be sure their toaster isn’t part of a menacing bot army?

How can we ensure that our connected car won’t be susceptible to hacking? How about life-saving medical devices? Or sophisticated hackers who install back doors to enable access a system whenever the hackers want?

It’s become clear that the likelihood of cyber attacks isn’t a question of “if,” but rather a question of “when.” Now is the time to examine your own surveillance system to identify the inherent weaknesses and cyber vulnerabilities within it, and then develop a strategy to take action and mitigate your risk to exposure and loss.

The Challenges of Advanced Technology

Surveillance VMS make up one of the key elements of today’s security systems, whether monitoring a small private company or a sprawling enterprise. Though the ability to monitor and control locations has never been more important, many systems are migrating from analog to an IP-based or cloud-managed system for the promise of better image resolution, remote access and monitoring, and accompanying analytic software packages.

Unfortunately, better technology may also represent a greater exposure to cyber attacks, as such systems can offer a number of easily accessible entry points for hackers that could compromise entire systems. Just last year there were several notable cyber attacks on both government and private organizations.

  • The Office of Personnel Management was hacked and the addresses, health and financial information of 19.7 million people who had undergone background checks was stolen;
  • The well-publicized breach of the Ashley Madison site last summer resulted in the theft of personal information and credit card information on more than 11 million users;
  • Last fall, it was learned that healthcare insurance company Anthem had been hacked by the Chinese, who were seeking to learn how medical coverage in the United States is managed.

3 Questions to Ask Yourself

In order to ensure that your organization’s security is up to today’s cyber warfare challenges, ask yourself these three questions.

Is cyber defense a priority? As physical security systems continue to merge with the world of IP, it is helpful to start by declaring that cybersecurity is truly a priority for the organization. Cyber attacks continue to grow in both range and severity, and from all accounts it appears they will continue to do so. In today’s world, to not declare that cyber defense is a priority is, in effect, inviting attack. And sooner or later, it will come.

Has my installer or integrator “hardened” my system? To harden a system against intrusion means to heighten its security by reducing the number of potential breach points that could be exploited by hackers. Some installers and integrators are cutting prices in order to remain “competitive,” but if they don’t reduce the number of potential breach points, they are doing you no favors.

Today’s systems are increasingly sophisticated and require a high level of IT experience and knowledge in order to implement them effectively. Also, make sure your system manufacturer didn’t cut any corners by failing to run a full range of testing to determine all software and hardware vulnerabilities of their products.

Are my users a weak link in my security chain? Your own users can become enablers to cyber hacking through the use of weak or default passwords, or through requesting unnecessary remote access privileges to the network. Rest assured that hackers will find the weak links in your security chain, so it’s important to demand that all users accept cyber security as the priority that it is.

6 Steps to Developing a Strategy to Mitigate Risk

Everyone in both government and industry agrees that cyber threats are one of the nation’s gravest threats. Mitigating those threats has attracted both media attention and budget dollars to the tune of $90 billion or more. Yet the threat continues, not just for small companies, but also for Sony, the State Department, and healthcare companies like CareFirst. The truth is that there is no silver bullet that will eliminate all risk, and it takes a concerted effort to develop a strategy that will mitigate the risk. Here are six steps that can point you in the direction of developing an effective strategy to mitigate the risk to your organization.

  • Realize that your organization has cyber risks. Hackers hack for as many reasons as there are types of victims of hacking: including healthcare companies, credit card companies, manufacturers, and government agencies. The list goes on. Don’t be surprised if your organization is hacked one day.
  • Determine your biggest risks. You’re not going to prevent every single attack, so a good place to start is by determining your most valuable assets: what systems are the most valuable, what information is most sensitive. Tap your key managers to conduct a discovery process across the organization.
  • Put together a cyber risk leadership team. Good governance requires leadership and effective decision-making. Don’t wait until the first attack before assembling your team.
  • Involve your entire organization. As noted earlier, any user who doesn’t understand that cyber security is a priority may inadvertently assist the hackers trying to gain admittance to your systems. Get everyone on board.
  • Don’t protect only the perimeter. Budgets today are still skewed towards perimeter-protecting tools like firewalls and anti-virus programs, but it’s important to have a plan of action for when those perimeters are breached.
  • Practice dry run responses. Don’t let your first attack be a real one. Practice a response ahead of time. It may mean the difference between a contained incident and a disastrous loss.

A mitigation strategy is also important as a tool to help the organization better distinguish between a threat and a genuine loss. Experiencing a breach but containing the damage may, in that case, be considered a success, and help protect the company’s bottom line.

This article originally appeared in the August 2016 issue of Security Today.

Featured

  • It's Show Time

    I am one of those people that likes to see things get bigger and better. As advertised, ISC West is going to be bigger (more exhibitors) and better (more attendees). It’s show time in Las Vegas. Read Now

    • Industry Events
    • ISC West
  • SIA Releases New Report on Operational Security Technology

    The Security Industry Association (SIA) has released an impactful new resource – Operational Security Technology: Principles, Challenges and Achieving Mission-Critical Outcomes Leveraging OST. Read Now

  • Cyber Overconfidence Is Leaving Your Organization Vulnerable

    The increased sophistication of cyber threats pumped by the relentless use of AI and machine learning brings forth record-breaking statistics. Cyberattacks grew 44% YoY in 2024, with a weekly average of 1,673 cyberattacks per organization. While organizations up their security game to help thwart these attacks, a critical question remains: Can employees identify a threat when they come across one? A Confidence Gap survey reveals that 86% of employees feel confident in their ability to identify phishing attempts. But things are not as rosy as they appear; the more significant part of the report finds this confidence misplaced. Read Now

  • Mission 500 Debuts Refreshed Identity Ahead of Security 5K/2K at ISC West

    Mission 500, the security industry’s nonprofit charity dedicated to supporting children in need across the US, Canada, and Puerto Rico, has unveiled a refreshed brand identity ahead of ISC West. The charity’s new look includes a modernized logo with refined messaging to reinforce Mission 500’s nearly decade-long commitment to serving the needs of children and families in crisis. Read Now

    • Industry Events

New Products

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings.

  • FEP GameChanger

    FEP GameChanger

    Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction.

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions.