Top 5 Cybersecurity Strategies Integrators Need to Learn

As cyberthreats to video surveillance systems continue to increase, there is high demand from end-users for the channel to be knowledgeable and prepared to mitigate cybersecurity risks. Ongoing education is critical for both security and IT employees, preparing them to work together as cybersecurity experts.

According to a 2019 McKinsey report on transforming cybersecurity, responding to cyberthreats requires comprehensive and collaborative efforts between the security and IT teams. Traditionally, many companies distinguish between physical and information security, between information technology and operational technology, and between in-house and external security. In the digital age, these splits are obsolete. Scattered and fragmented responsibility can put the entire organization at risk.

Here are the top five most effective cybersecurity strategies to focus on when training the channel to combat cyberattacks:

1. Isolate the device network from other networks

The tiered system architecture of a video management system (VMS) makes it possible to separate the device network and the core server/client network. The device network is where cameras, microphones, speakers, I/O devices and other supported IP devices are located. With the recording server as a connection point between the device and the client networks, there is no direct routing between the two network segments. This means that a cyberattack on either network will not spread to—or outside of—the device network.

Isolating the device network is perhaps the single most important security configuration measure. For example, a small school may use a flat network configuration where the recording server and management server are both connected to the device network. The recording server communicates with the devices. In addition, the rest of the school's computers may be connected to the same network. Staff members log into the VMS from their workstations when needed.

There is nothing wrong with a flat network configuration from a technical perspective, but it's not good for security. In this example, the computer labs and staff computers have direct access to cameras. If a malicious user has device access, it doesn't matter how good the protections are elsewhere. Optimally, only the recording servers should have access to the cameras. The simplest fix is to isolate the device network by using a second network interface on the recording server.

In addition to isolating the device network, all devices should use strong, non-default passwords to mitigate other potential issues.

2. Educate employees about security threats

Education and awareness are critical in teaching employees how to identify and counteract a variety of cyberthreats. Consider establishing cybersecurity awareness training that covers gaps in protection that many organizations must mitigate, including human, technological and physical vulnerabilities.

Malicious individuals often resort to social engineering because they find that human targets are the easiest to exploit and the rewards are the greatest. Social engineering is a set of tactics that attackers use to get valuable information from another person. This can be done in a variety of ways, but all rely on people’s natural tendency to be polite and trust one another. Often the victim has no idea that there is even a threat.

For example, spam and phishing e-mails try to trick users into clicking a link or opening an attachment that will actually install malware. Tailgating refers to a situation where an outsider enters a building behind an authorized employee, before the door closes. Baiting is when a USB drive or other storage medium is intentionally left behind in the hope that a company employee will insert it into their computer and execute malware. This could also include other items, like gifts that have microphones or other surveillance equipment embedded.

Attackers commonly call internal technical support pretending to be a person of high status, or otherwise give a sense of urgency and credibility. For example, the caller might request a password reset because of an urgent need to access a system. The technical support representative may feel pressured because of the high status of the caller, and make an exception and change the password over the phone.

Cybersecurity training prepares employees to learn how to handle social engineering situations with a healthy level of skepticism, to harden VMS and IT systems, and to protect physical assets like server rooms and cameras.

3. Use Active Directory for user and computer management

Active Directory (AD) is a centralized user management system that authenticates and authorizes users and computers in a domain. It also assigns and enforces group policies for all computers, including security settings.

User management is an important aspect in cybersecurity. Without a central user database, multiple user accounts on different systems can be difficult and time consuming to manage. By using a centralized system like AD, users can be added and deleted in just one place, and the change is applied across the entire system. This stops former employees and contractors from regaining access to systems where it wasn’t revoked due to a simple human error. AD's centralized structure simplifies many IT tasks, minimizing mistakes that occur in a decentralized set up.

Other benefits include user authentication in AD, which has built-in protections against common cyberattacks. Group Policy can manage many everyday IT security tasks like password policy and computer security settings. Kerberos authentication adds another level of security in verifying the identity of a user or host.

4. Enable encryption at every stage necessary

One of the most important security improvements seen both on the web and the VMS space over the last several years is encryption. When the data is sensitive and there is a chance for unauthorized access either by eavesdropping on network traffic or accessing stored data, encryption is the right tool to protect it.

As a rule of thumb, device data flows through multiple steps. First it is received over the network by a recording server. Then it may or may not be recorded on disk depending on the system configuration. Client applications request live or recorded data on demand. Finally, if deemed necessary, the data may be exported and handed over to authorities. All of these stages pose cybersecurity risks as well as privacy risks for the subjects in the data. Using encryption in every stage avoids unauthorized access.

Attackers can intercept data with techniques like port mirroring or ARP spoofing. Encryption prevents hackers from being able to read the data content, even if they were able to intercept it. Web servers, virtual private networks (VPNs) and other technologies commonly use transport layer security (TLS) as a method to encrypt data in transit through the network.

5. Control network traffic by segmenting VMS, client and business networks

Network segmentation is an effective but often overlooked security measure. Different networks can be separated from each other by a firewall appliance, or by total isolation through a physically separated switching infrastructure for different systems. In the VMS industry, total isolation of networks is often the standard approach. This eliminates all kinds of threats originating from other networks.

More commonly, however, the networks are separated using a firewall appliance and virtual local area networks (VLANs). This approach makes it more difficult for attackers to move from one network to another if they gain access. It also improves network management by concentrating firewall rules in one place.

Many organizations already have a central firewall/router network appliance. Usually it handles traffic to and from the internet. That same equipment also can handle several internal networks, so different types of systems can be segmented into their own networks.

Continuing the previous example of a small school network, the device network is now isolated from other networks, but everything else is still on the same segment, including the VMS, school staff systems and student computer labs. That's not the best scenario. To improve network security, one VLAN should be created for the VMS and another for the school staff. Most importantly, students should be set up in their own VLAN without access to the staff or VMS networks. The school’s firewall appliance will handle routing between the VLANs. Using a firewall appliance to handle traffic between network segments allows complete control.

Trained and Cybersecurity Ready

By understanding human vulnerabilities to cyberattacks as well as network and device risks, the channel can effectively learn how to mitigate increasingly volatile cyberthreats.

Featured

  • The Need for a Comprehensive Strategy Addressing Cybersecurity and Quantum Technology

    The Need for a Comprehensive Strategy Addressing Cybersecurity and Quantum Technology

    Over the past two years, the Biden Administration has taken a series of steps centered on quantum and cybersecurity. Read Now

  • IoT Saves the Day

    IoT Saves the Day

    Today, creating a safe environment across schools, hotels, office buildings, housing complexes and other facilities has become a necessity. There are so many dangers lurking in buildings of all sizes and shapes from fire hazards, vaping issues, chemical/air quality issues, intruders and so much more. Read Now

  • One Pane, Less Pain

    One Pane, Less Pain

    Just because a solution is built on an open-standards platform doesn’t ensure that all the vendors’ systems will work together as promised. Some features may not be supported, or not supported to their fullest potential. Read Now

  • Revamping Wrigley Field

    Revamping Wrigley Field

    When talking about baseball in the United States, it’s hard not to think of the Chicago Cubs and Wrigley Field. With a history spanning more than 100 years, the Chicago Cubs are one of the most recognized teams in professional sports. Read Now

Featured Cybersecurity

Webinars

New Products

  • ComNet CNGE6FX2TX4PoE

    The ComNet cost-efficient CNGE6FX2TX4PoE is a six-port switch that offers four Gbps TX ports that support the IEEE802.3at standard and provide up to 30 watts of PoE to PDs. It also has a dedicated FX/TX combination port as well as a single FX SFP to act as an additional port or an uplink port, giving the user additional options in managing network traffic. The CNGE6FX2TX4PoE is designed for use in unconditioned environments and typically used in perimeter surveillance. 3

  • Camden Door Controls ‘SER” Surface Boxes and Extension Rings

    Camden Door Controls ‘SER” Surface Boxes and Extension Rings

    Camden Door Controls has introduced new ‘SER” surface boxes and extension rings that provide a complete solution for new construction. In addition, they provide a simple and robust solution when replacing round wired and manual push plate switches with either Camden’s wired or wireless SureWave™ no-touch switches or Kinetic™ no-battery wireless switches. 3

  • Unique Oversized ID Card Printer

    Unique Oversized ID Card Printer

    Idesco Corp. is announcing its card printer – the XCR100 2.0 printer- that allows customers to personalize oversized ID cards on demand. The printer is ideal for assisting healthcare organizations find the right badging solution. As healthcare facilities continue to combat the spread of COVID-19, issuing oversized ID cards has helped identify staff clearly while adding an extra layer of security. The XCR100 2.0 printer is the only dye-sublimation printer on the market that can personalize CR100 cards (3.88" x 2.63"). The cards that are 42% larger than the standard credit card size. The printer can produce up to 180 full cards per hour in color, and up to 1,400 cards per hour in monochrome. An optional flipper is available to print dual-sided badges in one pass. Contactless encoding comes as an option to help healthcare facilities produce secure access badges on demand and the card printer features a 2-year warranty. 3