How cyber savvy is your security supplier?
The melding of IT and physical security has reaped many benefits for the security industry and its end users, making systems faster, smarter and easier to manage.
However, the downside has been the real and perceived vulnerability that comes with network-based systems.
Because of a perceived weakness in the industry, security products are often a target for security researchers, but they are rarely the end target for a real cyber attack. Cybercriminals want to make money. State sponsored attackers want to cause damage or steal information, and the “hacktivists” are trying to make a statement. So even if a malicious person could play with your locks or watch your video feeds, that gets boring pretty quickly.
What an attacker really wants to do is get to something useful, something valuable, and security products can provide the access.
When building security systems for clients including small stores, school systems or even government agencies, it becomes critical to understand how the cameras, video management systems and other components fit in within those network architectures, without introducing new vulnerabilities.
So where to begin? How do you ensure your security products are not the weakest link to your network? Why not start by asking your suppliers a few crucial questions about the cybersecurity readiness of their products.
Start with the obvious: How is security built into your products?
You wouldn’t want a camera where the image quality was the last thing that the engineers considered during development. The same is true for the security of the products that make up any IP-based system. When security is not a consideration from the start of the process, through the final stages of its creation, it can result in a product that becomes impossible to secure at deployment.
Secure development for any product starts with a risk assessment with a key focus on confidentiality, integrity and availability. When applied to security products at a very basic level, this means:
- Confidential information out of the hands of those to whom it does not belong. Consider if a camera requires authentication to view the video. There are websites dedicated to showing the live feeds of security cameras that don’t require a password
- Keeping the integrity of information is especially important in relation to access control systems where allowing changes to the database could allow an attacker physical access to the building
- Making sure the product is available and continues to function is probably the most important factor for security products. While DoS (denial of service) attacks are headline grabbing, availability is most often compromised because of functional errors in the product. Consider the impact of an intrusion system that fails to detect a sensor going offline or an access control system that cannot operate during a network or power failure.
These are the types of security considerations that should be an integral part in the development of the products that are being offered by security suppliers.
A challenge for all product manufacturers is how to reconcile ease of use with supplying an appropriate level of security.
Considering security suppliers
A key selling point for many security products today is that they are easy and fast to install, saving the integrator and the end user valuable time and expense. However, if the trade-off is a lack of authentication or encryption, system vulnerabilities creep in. Additionally, while it would be great if everyone wanted the same level of security and was willing to undergo the additional steps for higher security features (such as requiring complex passwords), the reality is that not all users are fully invested in it and what works for some will not work for others.
Consider products that provide some flexibility in the installation. For example, allowing for the integrator an easy set up process, with the ability to enhance the security of the product before handing it over to the end user. Features like enforcing complex passwords after the initial installation help secure the product without increasing installation time.
Cybersecurity immediately brings to mind threats from malicious external players, but there is always a risk from internal threats as well. A Ponemon Institute study showed that “malicious insiders” were the most expensive when weighted by attack frequency and were the longest attack type to resolve. To help protect against this, it’s important to seek products that can be set up with controls that separate responsibilities for individual users.
For example, a security officer at the front desk should be given privileges for the cameras that are necessary to do his/her job rather than allowing him/her access to all of the cameras or the entire video management system. Configuring user privileges can be complex, but is an essential part of any computer system. Systems that are able to connect to a central access control management system like Microsoft Active Directory make installation and management of large systems easier and more reliable.
Of course, cybersecurity is not static. Every day new vulnerabilities and exploits are uncovered. This raises the question: What is the product manufacturer doing on an ongoing basis to address these?
A successful product cyber-response plan requires a dedicated team with the capabilities to assess and mitigate issues when they arise. When executed properly, the team should be able to respond the same day with an assessment and mitigation plan.
A security weakness in a product can be devastating, so both speed and quality of the responses are critical factors to consider when selecting a supplier. Ask for examples.
Finally, ask about third-party assessments. Does the company undergo independent assessments of its products? More importantly (and often forgotten), do they then take the proper steps to resolve the issues found? Getting a third-party assessment is easy. Fixing the issues requires responsibility that you need in a supplier to ensure ongoing success.
Cybersecurity threats are ongoing and ever changing, but by being vigilant and seeking suppliers and products that can meet your installation’s needs, you can present to a client a system that will stand up to cybersecurity threats today and tomorrow.
William L. Brown Jr.
Senior Engineering Manager of Regulatory & Product Security, Tyco Security Products