Top 5 Cybersecurity Strategies Integrators Need to Learn

  • By Evan Stuckless
  • Apr 20, 2020

As cyberthreats to video surveillance systems continue to increase, there is high demand from end-users for the channel to be knowledgeable and prepared to mitigate cybersecurity risks. Ongoing education is critical for both security and IT employees, preparing them to work together as cybersecurity experts.

According to a 2019 McKinsey report on transforming cybersecurity, responding to cyberthreats requires comprehensive and collaborative efforts between the security and IT teams. Traditionally, many companies distinguish between physical and information security, between information technology and operational technology, and between in-house and external security. In the digital age, these splits are obsolete. Scattered and fragmented responsibility can put the entire organization at risk.

Here are the top five most effective cybersecurity strategies to focus on when training the channel to combat cyberattacks:

1. Isolate the device network from other networks

The tiered system architecture of a video management system (VMS) makes it possible to separate the device network and the core server/client network. The device network is where cameras, microphones, speakers, I/O devices and other supported IP devices are located. With the recording server as a connection point between the device and the client networks, there is no direct routing between the two network segments. This means that a cyberattack on either network will not spread to—or outside of—the device network.

Isolating the device network is perhaps the single most important security configuration measure. For example, a small school may use a flat network configuration where the recording server and management server are both connected to the device network. The recording server communicates with the devices. In addition, the rest of the school's computers may be connected to the same network. Staff members log into the VMS from their workstations when needed.

There is nothing wrong with a flat network configuration from a technical perspective, but it's not good for security. In this example, the computer labs and staff computers have direct access to cameras. If a malicious user has device access, it doesn't matter how good the protections are elsewhere. Optimally, only the recording servers should have access to the cameras. The simplest fix is to isolate the device network by using a second network interface on the recording server.

In addition to isolating the device network, all devices should use strong, non-default passwords to mitigate other potential issues.

2. Educate employees about security threats

Education and awareness are critical in teaching employees how to identify and counteract a variety of cyberthreats. Consider establishing cybersecurity awareness training that covers gaps in protection that many organizations must mitigate, including human, technological and physical vulnerabilities.

Malicious individuals often resort to social engineering because they find that human targets are the easiest to exploit and the rewards are the greatest. Social engineering is a set of tactics that attackers use to get valuable information from another person. This can be done in a variety of ways, but all rely on people’s natural tendency to be polite and trust one another. Often the victim has no idea that there is even a threat.

For example, spam and phishing e-mails try to trick users into clicking a link or opening an attachment that will actually install malware. Tailgating refers to a situation where an outsider enters a building behind an authorized employee, before the door closes. Baiting is when a USB drive or other storage medium is intentionally left behind in the hope that a company employee will insert it into their computer and execute malware. This could also include other items, like gifts that have microphones or other surveillance equipment embedded.

Attackers commonly call internal technical support pretending to be a person of high status, or otherwise give a sense of urgency and credibility. For example, the caller might request a password reset because of an urgent need to access a system. The technical support representative may feel pressured because of the high status of the caller, and make an exception and change the password over the phone.

Cybersecurity training prepares employees to learn how to handle social engineering situations with a healthy level of skepticism, to harden VMS and IT systems, and to protect physical assets like server rooms and cameras.

3. Use Active Directory for user and computer management

Active Directory (AD) is a centralized user management system that authenticates and authorizes users and computers in a domain. It also assigns and enforces group policies for all computers, including security settings.

User management is an important aspect in cybersecurity. Without a central user database, multiple user accounts on different systems can be difficult and time consuming to manage. By using a centralized system like AD, users can be added and deleted in just one place, and the change is applied across the entire system. This stops former employees and contractors from regaining access to systems where it wasn’t revoked due to a simple human error. AD's centralized structure simplifies many IT tasks, minimizing mistakes that occur in a decentralized set up.

Other benefits include user authentication in AD, which has built-in protections against common cyberattacks. Group Policy can manage many everyday IT security tasks like password policy and computer security settings. Kerberos authentication adds another level of security in verifying the identity of a user or host.

4. Enable encryption at every stage necessary

One of the most important security improvements seen both on the web and the VMS space over the last several years is encryption. When the data is sensitive and there is a chance for unauthorized access either by eavesdropping on network traffic or accessing stored data, encryption is the right tool to protect it.

As a rule of thumb, device data flows through multiple steps. First it is received over the network by a recording server. Then it may or may not be recorded on disk depending on the system configuration. Client applications request live or recorded data on demand. Finally, if deemed necessary, the data may be exported and handed over to authorities. All of these stages pose cybersecurity risks as well as privacy risks for the subjects in the data. Using encryption in every stage avoids unauthorized access.

Attackers can intercept data with techniques like port mirroring or ARP spoofing. Encryption prevents hackers from being able to read the data content, even if they were able to intercept it. Web servers, virtual private networks (VPNs) and other technologies commonly use transport layer security (TLS) as a method to encrypt data in transit through the network.

5. Control network traffic by segmenting VMS, client and business networks

Network segmentation is an effective but often overlooked security measure. Different networks can be separated from each other by a firewall appliance, or by total isolation through a physically separated switching infrastructure for different systems. In the VMS industry, total isolation of networks is often the standard approach. This eliminates all kinds of threats originating from other networks.

More commonly, however, the networks are separated using a firewall appliance and virtual local area networks (VLANs). This approach makes it more difficult for attackers to move from one network to another if they gain access. It also improves network management by concentrating firewall rules in one place.

Many organizations already have a central firewall/router network appliance. Usually it handles traffic to and from the internet. That same equipment also can handle several internal networks, so different types of systems can be segmented into their own networks.

Continuing the previous example of a small school network, the device network is now isolated from other networks, but everything else is still on the same segment, including the VMS, school staff systems and student computer labs. That's not the best scenario. To improve network security, one VLAN should be created for the VMS and another for the school staff. Most importantly, students should be set up in their own VLAN without access to the staff or VMS networks. The school’s firewall appliance will handle routing between the VLANs. Using a firewall appliance to handle traffic between network segments allows complete control.

Trained and Cybersecurity Ready

By understanding human vulnerabilities to cyberattacks as well as network and device risks, the channel can effectively learn how to mitigate increasingly volatile cyberthreats.

Featured

  • Data Driven, Proactive Response

    As cities face rising demands for smarter policing and faster emergency response, Real Time Crime Centers (RTCCs) are emerging as essential hubs for data-driven public safety. In this interview, two experts with deep field experience — Ross Bourgeois of New Orleans and Dean Cunningham of Axis Communications — draw on decades of operational, leadership and technology expertise to share how RTCCs are transforming public safety through innovation, interagency collaboration and a relentless focus on community impact. Read Now

  • Integration Imagination: The Future of Connected Operations

    Security teams that collaborate cross-functionally and apply imagination and creativity to envision and design their ideal integrated ecosystem will have the biggest upside to corporate security and operational benefits. Read Now

  • Smarter Access Starts with Flexibility

    Today’s workplaces are undergoing a rapid evolution, driven by hybrid work models, emerging smart technologies, and flexible work schedules. To keep pace with growing workplace demands, buildings are becoming more dynamic – capable of adapting to how people move, work, and interact in real-time. Read Now

  • Trends Keeping an Eye on Business Decisions

    Today, AI continues to transform the way data is used to make important business decisions. AI and the cloud together are redefining how video surveillance systems are being used to simulate human intelligence by combining data analysis, prediction, and process automation with minimal human intervention. Many organizations are upgrading their surveillance systems to reap the benefits of technologies like AI and cloud applications. Read Now

  • The Future is Happening Outside the Cloud

    For years, the cloud has captivated the physical security industry. And for good reason. Remote access, elastic scalability and simplified maintenance reshaped how we think about deploying and managing systems. But as the number of cameras grows and resolutions push from HD to 4K and beyond, the cloud’s limits are becoming unavoidable. Bandwidth bottlenecks. Latency lags. Rising storage costs. These are not abstract concerns. Read Now

Most   Popular

New Products

  • QCS7230 System-on-Chip (SoC)

    QCS7230 System-on-Chip (SoC)

    The latest Qualcomm® Vision Intelligence Platform offers next-generation smart camera IoT solutions to improve safety and security across enterprises, cities and spaces. The Vision Intelligence Platform was expanded in March 2022 with the introduction of the QCS7230 System-on-Chip (SoC), which delivers superior artificial intelligence (AI) inferencing at the edge.

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening.

  • Compact IP Video Intercom

    Viking’s X-205 Series of intercoms provide HD IP video and two-way voice communication - all wrapped up in an attractive compact chassis.