Dispelling the Myths

Dispelling the Myths

Bad practices still in use that put people and assets at risk

  • By Will Knehr
  • Sep 19, 2022

We hear the term “best practices” a lot, but the truth is, there are still plenty of bad practices in use that put people and assets at risk every day. Many of those bad practices are grounded in one or more of the following myths that commonly lure people and organizations into a false sense of security. Don’t let these myths be responsible for a breach or an attack via edge devices. Here are five common myths that deserve to be busted once and for all.

1. Micro-segmentation alleviates risk. This myth is based on the opinion that “if I create a security system network that is segmented from the operational network, then the devices in this segment are not at risk. No one can access these devices on my network.”

While segmenting the security network from the operational network is a good practice, it is far from a bulletproof cyber security strategy. Back in the early days of the analog to IP transition, a systems integrator (SI) would use segmentation as a way to appease IT departments. DVRs commonly had two network interface cards, one for the device network and one for the operational network, so IT departments felt confident in only having to monitor two connections.

Unsurprisingly, this became a best practice for decades. In truth, it is easy to improperly create a segmented network that exposes backdoors. As more operational technology and industrial IoT gets connected, it’s clear that the internet is far from the only attack vector. There are plenty of insider threats to consider along with innocent mistakes when users, just trying to get something to work, assume that if it has Wi-Fi or an Ethernet jack they can just plug it in.

Take any of the above and sprinkle it with a “set it and forget it” mentality, it becomes paramount to go beyond simply segmenting a network to be truly secure.
 
2. Life cycle management. If it’s is not broken, then don't fix it. It can be a tough one to crack for many organizations. Unfortunately, “if it’s not broken, then don’t fix it” typically leads to a “we don’t need to update the firmware” mindset. This myth also encompasses a “products don’t need to be cycled out if they are still working” sentiment.

Without robust life cycle management of security devices, exploits and backdoors that hackers expose only increase the vulnerability of these devices over time. A critical part of any cyber secure implementation is ensuring devices are updated with the latest firmware so that any known weak points are patched. It is the manufacturers’ responsibility to keep their devices secure, but it’s also the integrators’ responsibility to keep systems they support up to date.

Finally, no life cycle management would be complete without a strategy for changing out end-of-life or end-of-support devices. In either case, just because it is still running is not a reason to leave it on the network.
 
3. Identity management. One admin account is fine for all. This myth is more commonly believed than you might think. The thought is that one admin account can be used across an SI or end user’s entire installed base. The thinking seems to be that such an account is secure because it’s not with the end user or at least not with day-to-day users.

Like everything else, usernames and passwords must be properly managed. A best practice is to create multiple usernames and passwords so that the VMS connects with one username/password combination, the IT department has another, and the contracted maintenance techs have their own too. This helps a device log discern if something has changed or happened and which account was involved. Sadly, in the security industry this rarely happens.

It is typically one admin account for all devices which is not adequate. Admin privileges should only be reserved for those who understand network security management. We’ve even seen the same username and password used for every account that an SI services. In this case, the SI believed this made it secure since it was “their” password (used across hundreds of sites) and not the end users.

As privacy concerns arise, it is also important to demonstrate that not everyone has the same privileges to view security footage. The principle of least privilege states that a subject should only be given those privileges required to complete its task. As an example, privacy masking at the edge is a popular way to blur faces captured on security cameras. Only certain senior-level users or admins should have the privileges required to expose identities or view certain streams as part of a documented event. This demonstrates accountability within operations and security departments and goes a long way towards building good will.

4. No one can use an end-point device as an attack vector. It can be hard to imagine, with so many attack vectors out there (malware, ransomware, phishing, and compromised or weak credentials), that a network camera would be a legitimate target that hackers would seek out. In fact, the exponential growth of IoT devices on corporate networks has made end-point devices a major target for bad individuals both inside and outside of a company.

Not long ago, a major manufacturer suffered a Distributed Denial of Service (DDOS) attack that was waged in part from another company’s unsecured cameras that were co-opted by a botnet. The vulnerability of those cameras had been previously detected, and the camera manufacturer had issued a firmware patch to address the weak point, but unfortunately, it had not been applied.

When it comes to ensuring cyber security for end-point devices, everyone shares some of the responsibility. The manufacturer must ensure that their device is properly designed to thwart attempts to gain access to the camera or its accompanying network infrastructure. If a vulnerability is discovered, it is the manufacturer’s responsibility to address the situation, issue an update that remedies the problem and notify their suppliers and partners.

Once such an update is available, it’s the responsibility of the reseller or integrator to notify end users that the update is available and ensure that it is installed. This is also why it’s so important to have a service contract in place that provides continual maintenance and updates. The end user is also responsible for making sure their devices are regularly inspected and adheres to any regulations or best practices that their industry requires.

5. Data in the cloud is safe and secure. This popular myth is based on the belief that when utilizing a cloud-based security system, it is solely the cloud provider’s responsibility to ensure everything is cyber secure. While it is true that the cloud provider is responsible for the security of their datacenter, the access to media on the cloud is still in the domain of the user.

Not long ago, a cloud-based security provider suffered a major breach because super admin-level credentials were widely shared by more than 100 employees. Those credentials ended up online, which let hackers have access to more than 150,000 cameras. The best things about the cloud (scale) can also be the worst things about the cloud when things go wrong. So, it is paramount to choose a cloud provider with a proven track record of cyber security that uses best practices for how data is accessed.

Cloud vendors can vary widely regarding the levels of protection offered. It is critical to conduct due diligence and understand what your service level agreement (SLA) is with a cloud provider. There are different SLAs for different types of clouds. For example, if you're using a cloud provider just as a container, then typically you're responsible for all of the security.

It is advisable to perform a security-focused vendor assessment, such as the one created by the National Institute of Standards and Technology (NIST), prior to signing up with a cloud provider. Are they Criminal Justice Information Service (CJIS) or System and Organization Controls (SOC) compliant? How do they vet their employees? How do you ensure that your data isn’t mixed with other people’s data? How do they manage access control so that only the authorized people have access to your content?

Many verticals have their own methods for vendor assessment such as HECVAT for education and HITRUST for health care. If you’re in a regulated environment, you need to ensure that whatever design implementation, policy or process that you are required to adhere to is represented in the cloud workflow you adopt.

There are plenty of myths and long-held beliefs in our industry about how to best protect security systems and network infrastructure. Some of these may have represented adequate protection years ago, but as we all know, technology evolves quickly, and with it, so do the tools and techniques designed to take advantage and exploit any perceived weaknesses.

In our rush to make things work and move onto the next task, it can be tempting to take shortcuts and calculated risks that may seem unlikely to result in a serious event. We’ve also heard from people that no one could possibly care about these mundane video feeds — until they are forced to — when a company’s intellectual property is compromised, or someone uses an unprotected device to inject malware and ransomware that brings an organization to its knees.

With everything you do to help protect people and assets, don’t toss it down the drain by relying on outdated information. Make it a priority to stay on top of the basics of cyber security.

This article originally appeared in the September / October 2022 issue of Security Today.

Featured

  • From Surveillance to Intelligence

    Years ago, it would have been significantly more expensive to run an analytic like that — requiring a custom-built solution with burdensome infrastructure demands — but modern edge devices have made it accessible to everyone. It also saves time, which is a critical factor if a missing child is involved. Video compression technology has played a critical role as well. Over the years, significant advancements have been made in video coding standards — including H.263, MPEG formats, and H.264—alongside compression optimization technologies developed by IP video manufacturers to improve efficiency without sacrificing quality. The open-source AV1 codec developed by the Alliance for Open Media—a consortium including Google, Netflix, Microsoft, Amazon and others — is already the preferred decoder for cloud-based applications, and is quickly becoming the standard for video compression of all types. Read Now

  • Cost: Reactive vs. Proactive Security

    Security breaches often happen despite the availability of tools to prevent them. To combat this problem, the industry is shifting from reactive correction to proactive protection. This article will examine why so many security leaders have realized they must “lead before the breach” – not after. Read Now

  • Achieving Clear Audio

    In today’s ever-changing world of security and risk management, effective communication via an intercom and door entry communication system is a critical communication tool to keep a facility’s staff, visitors and vendors safe. Read Now

  • Beyond Apps: Access Control for Today’s Residents

    The modern resident lives in an app-saturated world. From banking to grocery delivery, fitness tracking to ridesharing, nearly every service demands another download. But when it comes to accessing the place you live, most people do not want to clutter their phone with yet another app, especially if its only purpose is to open a door. Read Now

  • Survey: 48 Percent of Worshippers Feel Less Safe Attending In-Person Services

    Almost half (48%) of those who attend religious services say they feel less safe attending in-person due to rising acts of violence at places of worship. In fact, 39% report these safety concerns have led them to change how often they attend in-person services, according to new research from Verkada conducted online by The Harris Poll among 1,123 U.S. adults who attend a religious service or event at least once a month. Read Now

Most   Popular

New Products

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions.

  • HD2055 Modular Barricade

    Delta Scientific’s electric HD2055 modular shallow foundation barricade is tested to ASTM M50/P1 with negative penetration from the vehicle upon impact. With a shallow foundation of only 24 inches, the HD2055 can be installed without worrying about buried power lines and other below grade obstructions. The modular make-up of the barrier also allows you to cover wider roadways by adding additional modules to the system. The HD2055 boasts an Emergency Fast Operation of 1.5 seconds giving the guard ample time to deploy under a high threat situation.

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols.