The Risk Profile

The Risk Profile

Does your surveillance system fit the proper cyber profile?

As surveillance system technologies advance, so do the technologies employed by hackers. Increasingly sophisticated cyber criminals, whether working for criminal enterprises or for foreign governments, are developing not just better, but entirely different, ways to enter and manipulate or undercut the protection of surveillance systems.

What are some of these emerging threats and how can you protect against them?

New Kinds of Threats

Extortion hacks break into sensitive company or customer data and threaten to release it unless the victim pays a ransom. This increasingly popular threat is different than merely encrypting or locking access to the data until a ransom is paid.

Last year there were two known such cases of extortion, the first was an attack on the AshleyMadison.com site. The resulting data dump cost the CEO his job, and it exposed millions of would-be marital cheaters. A second case involved the hacking of InvestBank in the United Arab Emirates and the exposure of customer account information.

Data sabotage will, in all likelihood, be more difficult to detect than simple theft. Since very slight data alterations could result in enormous changes, hackers to the financial and stock-trading systems could create havoc to—and take advantage of—the manipulated rise and fall of stock prices.

A potentially devastating type of data sabotage could result from the insertion of or alteration of code to a country’s weapon systems to change how they operate.

Another threat will come about as the Internet of Things (IoT) spreads to many appliances and other devices. How will anyone be sure their toaster isn’t part of a menacing bot army?

How can we ensure that our connected car won’t be susceptible to hacking? How about life-saving medical devices? Or sophisticated hackers who install back doors to enable access a system whenever the hackers want?

It’s become clear that the likelihood of cyber attacks isn’t a question of “if,” but rather a question of “when.” Now is the time to examine your own surveillance system to identify the inherent weaknesses and cyber vulnerabilities within it, and then develop a strategy to take action and mitigate your risk to exposure and loss.

The Challenges of Advanced Technology

Surveillance VMS make up one of the key elements of today’s security systems, whether monitoring a small private company or a sprawling enterprise. Though the ability to monitor and control locations has never been more important, many systems are migrating from analog to an IP-based or cloud-managed system for the promise of better image resolution, remote access and monitoring, and accompanying analytic software packages.

Unfortunately, better technology may also represent a greater exposure to cyber attacks, as such systems can offer a number of easily accessible entry points for hackers that could compromise entire systems. Just last year there were several notable cyber attacks on both government and private organizations.

  • The Office of Personnel Management was hacked and the addresses, health and financial information of 19.7 million people who had undergone background checks was stolen;
  • The well-publicized breach of the Ashley Madison site last summer resulted in the theft of personal information and credit card information on more than 11 million users;
  • Last fall, it was learned that healthcare insurance company Anthem had been hacked by the Chinese, who were seeking to learn how medical coverage in the United States is managed.

3 Questions to Ask Yourself

In order to ensure that your organization’s security is up to today’s cyber warfare challenges, ask yourself these three questions.

Is cyber defense a priority? As physical security systems continue to merge with the world of IP, it is helpful to start by declaring that cybersecurity is truly a priority for the organization. Cyber attacks continue to grow in both range and severity, and from all accounts it appears they will continue to do so. In today’s world, to not declare that cyber defense is a priority is, in effect, inviting attack. And sooner or later, it will come.

Has my installer or integrator “hardened” my system? To harden a system against intrusion means to heighten its security by reducing the number of potential breach points that could be exploited by hackers. Some installers and integrators are cutting prices in order to remain “competitive,” but if they don’t reduce the number of potential breach points, they are doing you no favors.

Today’s systems are increasingly sophisticated and require a high level of IT experience and knowledge in order to implement them effectively. Also, make sure your system manufacturer didn’t cut any corners by failing to run a full range of testing to determine all software and hardware vulnerabilities of their products.

Are my users a weak link in my security chain? Your own users can become enablers to cyber hacking through the use of weak or default passwords, or through requesting unnecessary remote access privileges to the network. Rest assured that hackers will find the weak links in your security chain, so it’s important to demand that all users accept cyber security as the priority that it is.

6 Steps to Developing a Strategy to Mitigate Risk

Everyone in both government and industry agrees that cyber threats are one of the nation’s gravest threats. Mitigating those threats has attracted both media attention and budget dollars to the tune of $90 billion or more. Yet the threat continues, not just for small companies, but also for Sony, the State Department, and healthcare companies like CareFirst. The truth is that there is no silver bullet that will eliminate all risk, and it takes a concerted effort to develop a strategy that will mitigate the risk. Here are six steps that can point you in the direction of developing an effective strategy to mitigate the risk to your organization.

  • Realize that your organization has cyber risks. Hackers hack for as many reasons as there are types of victims of hacking: including healthcare companies, credit card companies, manufacturers, and government agencies. The list goes on. Don’t be surprised if your organization is hacked one day.
  • Determine your biggest risks. You’re not going to prevent every single attack, so a good place to start is by determining your most valuable assets: what systems are the most valuable, what information is most sensitive. Tap your key managers to conduct a discovery process across the organization.
  • Put together a cyber risk leadership team. Good governance requires leadership and effective decision-making. Don’t wait until the first attack before assembling your team.
  • Involve your entire organization. As noted earlier, any user who doesn’t understand that cyber security is a priority may inadvertently assist the hackers trying to gain admittance to your systems. Get everyone on board.
  • Don’t protect only the perimeter. Budgets today are still skewed towards perimeter-protecting tools like firewalls and anti-virus programs, but it’s important to have a plan of action for when those perimeters are breached.
  • Practice dry run responses. Don’t let your first attack be a real one. Practice a response ahead of time. It may mean the difference between a contained incident and a disastrous loss.

A mitigation strategy is also important as a tool to help the organization better distinguish between a threat and a genuine loss. Experiencing a breach but containing the damage may, in that case, be considered a success, and help protect the company’s bottom line.

This article originally appeared in the August 2016 issue of Security Today.

Featured

  • 12 Commercial Crime Sites to Do Your Research

    12 Commercial Crime Sites to Do Your Research

    Understanding crime statistics in your industry and area is crucial for making important decisions about your security budget. With so much information out there, how can you know which statistics to trust? Read Now

  • Boosting Safety and Efficiency

    Boosting Safety and Efficiency

    In alignment with the state of Mississippi’s mission of “Empowering Mississippi citizens to stay connected and engaged with their government,” Salient's CompleteView VMS is being installed throughout more than 150 state boards, commissions and agencies in order to ensure safety for thousands of constituents who access state services daily. Read Now

  • Live From GSX: Post-Show Review

    Live From GSX: Post-Show Review

    This year’s Live From GSX program was a rousing success! Again, we’d like to thank our partners, and IPVideo, for working with us and letting us broadcast their solutions to the industry. You can follow our Live From GSX 2023 page to keep up with post-show developments and announcements. And if you’re interested in working with us in 2024, please don’t hesitate to ask about our Live From programs for ISC West in March or next year’s GSX. Read Now

    • Industry Events
    • GSX
  • People Say the Funniest Things

    People Say the Funniest Things

    By all accounts, GSX version 2023 was completely successful. Apparently, there were plenty of mix-ups with the airlines and getting aircraft from the East Coast into Big D. I am all ears when I am in a gathering of people. You never know when a nugget of information might flip out. Read Now

    • Industry Events
    • GSX

Featured Cybersecurity

Webinars

New Products

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols. 3

  • Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

    Connect ONE®

    Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation. 3

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure. 3