Top 5 Cybersecurity Strategies Integrators Need to Learn

  • By Evan Stuckless
  • Apr 20, 2020

As cyberthreats to video surveillance systems continue to increase, there is high demand from end-users for the channel to be knowledgeable and prepared to mitigate cybersecurity risks. Ongoing education is critical for both security and IT employees, preparing them to work together as cybersecurity experts.

According to a 2019 McKinsey report on transforming cybersecurity, responding to cyberthreats requires comprehensive and collaborative efforts between the security and IT teams. Traditionally, many companies distinguish between physical and information security, between information technology and operational technology, and between in-house and external security. In the digital age, these splits are obsolete. Scattered and fragmented responsibility can put the entire organization at risk.

Here are the top five most effective cybersecurity strategies to focus on when training the channel to combat cyberattacks:

1. Isolate the device network from other networks

The tiered system architecture of a video management system (VMS) makes it possible to separate the device network and the core server/client network. The device network is where cameras, microphones, speakers, I/O devices and other supported IP devices are located. With the recording server as a connection point between the device and the client networks, there is no direct routing between the two network segments. This means that a cyberattack on either network will not spread to—or outside of—the device network.

Isolating the device network is perhaps the single most important security configuration measure. For example, a small school may use a flat network configuration where the recording server and management server are both connected to the device network. The recording server communicates with the devices. In addition, the rest of the school's computers may be connected to the same network. Staff members log into the VMS from their workstations when needed.

There is nothing wrong with a flat network configuration from a technical perspective, but it's not good for security. In this example, the computer labs and staff computers have direct access to cameras. If a malicious user has device access, it doesn't matter how good the protections are elsewhere. Optimally, only the recording servers should have access to the cameras. The simplest fix is to isolate the device network by using a second network interface on the recording server.

In addition to isolating the device network, all devices should use strong, non-default passwords to mitigate other potential issues.

2. Educate employees about security threats

Education and awareness are critical in teaching employees how to identify and counteract a variety of cyberthreats. Consider establishing cybersecurity awareness training that covers gaps in protection that many organizations must mitigate, including human, technological and physical vulnerabilities.

Malicious individuals often resort to social engineering because they find that human targets are the easiest to exploit and the rewards are the greatest. Social engineering is a set of tactics that attackers use to get valuable information from another person. This can be done in a variety of ways, but all rely on people’s natural tendency to be polite and trust one another. Often the victim has no idea that there is even a threat.

For example, spam and phishing e-mails try to trick users into clicking a link or opening an attachment that will actually install malware. Tailgating refers to a situation where an outsider enters a building behind an authorized employee, before the door closes. Baiting is when a USB drive or other storage medium is intentionally left behind in the hope that a company employee will insert it into their computer and execute malware. This could also include other items, like gifts that have microphones or other surveillance equipment embedded.

Attackers commonly call internal technical support pretending to be a person of high status, or otherwise give a sense of urgency and credibility. For example, the caller might request a password reset because of an urgent need to access a system. The technical support representative may feel pressured because of the high status of the caller, and make an exception and change the password over the phone.

Cybersecurity training prepares employees to learn how to handle social engineering situations with a healthy level of skepticism, to harden VMS and IT systems, and to protect physical assets like server rooms and cameras.

3. Use Active Directory for user and computer management

Active Directory (AD) is a centralized user management system that authenticates and authorizes users and computers in a domain. It also assigns and enforces group policies for all computers, including security settings.

User management is an important aspect in cybersecurity. Without a central user database, multiple user accounts on different systems can be difficult and time consuming to manage. By using a centralized system like AD, users can be added and deleted in just one place, and the change is applied across the entire system. This stops former employees and contractors from regaining access to systems where it wasn’t revoked due to a simple human error. AD's centralized structure simplifies many IT tasks, minimizing mistakes that occur in a decentralized set up.

Other benefits include user authentication in AD, which has built-in protections against common cyberattacks. Group Policy can manage many everyday IT security tasks like password policy and computer security settings. Kerberos authentication adds another level of security in verifying the identity of a user or host.

4. Enable encryption at every stage necessary

One of the most important security improvements seen both on the web and the VMS space over the last several years is encryption. When the data is sensitive and there is a chance for unauthorized access either by eavesdropping on network traffic or accessing stored data, encryption is the right tool to protect it.

As a rule of thumb, device data flows through multiple steps. First it is received over the network by a recording server. Then it may or may not be recorded on disk depending on the system configuration. Client applications request live or recorded data on demand. Finally, if deemed necessary, the data may be exported and handed over to authorities. All of these stages pose cybersecurity risks as well as privacy risks for the subjects in the data. Using encryption in every stage avoids unauthorized access.

Attackers can intercept data with techniques like port mirroring or ARP spoofing. Encryption prevents hackers from being able to read the data content, even if they were able to intercept it. Web servers, virtual private networks (VPNs) and other technologies commonly use transport layer security (TLS) as a method to encrypt data in transit through the network.

5. Control network traffic by segmenting VMS, client and business networks

Network segmentation is an effective but often overlooked security measure. Different networks can be separated from each other by a firewall appliance, or by total isolation through a physically separated switching infrastructure for different systems. In the VMS industry, total isolation of networks is often the standard approach. This eliminates all kinds of threats originating from other networks.

More commonly, however, the networks are separated using a firewall appliance and virtual local area networks (VLANs). This approach makes it more difficult for attackers to move from one network to another if they gain access. It also improves network management by concentrating firewall rules in one place.

Many organizations already have a central firewall/router network appliance. Usually it handles traffic to and from the internet. That same equipment also can handle several internal networks, so different types of systems can be segmented into their own networks.

Continuing the previous example of a small school network, the device network is now isolated from other networks, but everything else is still on the same segment, including the VMS, school staff systems and student computer labs. That's not the best scenario. To improve network security, one VLAN should be created for the VMS and another for the school staff. Most importantly, students should be set up in their own VLAN without access to the staff or VMS networks. The school’s firewall appliance will handle routing between the VLANs. Using a firewall appliance to handle traffic between network segments allows complete control.

Trained and Cybersecurity Ready

By understanding human vulnerabilities to cyberattacks as well as network and device risks, the channel can effectively learn how to mitigate increasingly volatile cyberthreats.

Featured

  • New Report Reveals Top Trends Transforming Access Controller Technology

    Mercury Security, a provider in access control hardware and open platform solutions, has published its Trends in Access Controllers Report, based on a survey of over 450 security professionals across North America and Europe. The findings highlight the controller’s vital role in a physical access control system (PACS), where the device not only enforces access policies but also connects with readers to verify user credentials—ranging from ID badges to biometrics and mobile identities. With 72% of respondents identifying the controller as a critical or important factor in PACS design, the report underscores how the choice of controller platform has become a strategic decision for today’s security leaders. Read Now

  • Overwhelming Majority of CISOs Anticipate Surge in Cyber Attacks Over the Next Three Years

    An overwhelming 98% of chief information security officers (CISOs) expect a surge in cyber attacks over the next three years as organizations face an increasingly complex and artificial intelligence (AI)-driven digital threat landscape. This is according to new research conducted among 300 CISOs, chief information officers (CIOs), and senior IT professionals by CSC1, the leading provider of enterprise-class domain and domain name system (DNS) security. Read Now

  • ASIS International Introduces New ANSI-Approved Investigations Standard

    • Guard Services

  • Cloud Security Alliance Brings AI-Assisted Auditing to Cloud Computing

    The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, today introduced an innovative addition to its suite of Security, Trust, Assurance and Risk (STAR) Registry assessments with the launch of Valid-AI-ted, an AI-powered, automated validation system. The new tool provides an automated quality check of assurance information of STAR Level 1 self-assessments using state-of-the-art LLM technology. Read Now

  • Report: Nearly 1 in 5 Healthcare Leaders Say Cyberattacks Have Impacted Patient Care

    Omega Systems, a provider of managed IT and security services, today released new research that reveals the growing impact of cybersecurity challenges on leading healthcare organizations and patient safety. According to the 2025 Healthcare IT Landscape Report, 19% of healthcare leaders say a cyberattack has already disrupted patient care, and more than half (52%) believe a fatal cyber-related incident is inevitable within the next five years. Read Now

Most   Popular

New Products

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure.

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols.

  • 4K Video Decoder

    3xLOGIC’s VH-DECODER-4K is perfect for use in organizations of all sizes in diverse vertical sectors such as retail, leisure and hospitality, education and commercial premises.