Accessing cyber security

Access & Identity Management Handbook 2017 Editor's Choice, Access Control & Identity Management, Information Security, Security Services & Risk Management

As if the job of specifying, installing and maintaining physical security products is not hard enough, recent news reports have shown that many of these devices – mainly cameras and DVRs at the moment – are being used in botnets. These are networks of devices, which can be anything from computers to cameras (or any electronic devices) that have not been properly secured and as a result are infected with malware.

This malware normally sits on the device and doesn’t cause any trouble until the owner, or those renting the botnet from the owner, decide to target a company or person. Then, all the devices work together to carry out their attack plans. A recent example can be seen at www.krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos.

While access and identity devices are not known to be involved in already identified botnets in any number, it stands to reason that network connected devices, especially Internet-connected devices, form part of the global Internet of Things (IoT) network. As such, they can be used for cyber attacks either on the company using them, or on third parties. Access control has been a slow learner when it comes to moving to IP, but the move has started and there is no stopping it.

The traditional physical security approach to cyber security is to ignore it as the whole cyber issue is seen as an IT problem and left to the people who manage servers and data centres. As everything in the access world moves to IP and being connected, this is no longer an acceptable approach.

Of course, security of any sort is never one person or department’s responsibility (although many try to make it so). It takes collaboration across the board, from manufacturers to installers and end users to make security work.

Tyco Security Products is taking a proactive role in securing its range of physical security products by developing its Cyber Protection Programme. Jeffrey Barkely, product manager at Tyco Security Products, spoke to Hi-Tech Security Solutions and explained that the multifaceted programme is focused on delivering a holistic approach to cyber security awareness, covering all the bases from the manufacturer to the end-user.

The idea is to reduce the risk of cyber crime happening to end-users by minimising the potential for the introduction of vulnerabilities into products, as well as resolving issues as fast as possible when they do arise. To date, Barkley says Software House access control solutions, American Dynamics video management systems and Illustra IP cameras are all on board, with further products from the group in the pipeline.

Six-step programme

The Cyber Security Programme has been divided into six parts. This is to ensure that the programme covers all the aspects of security, not simply covering certain components of the solution while ignoring others.

1. Secure product development practices

Tyco trains its developers and engineers to code and test their products securely throughout the development cycle. It has also launched a Cyber Protection Team, an independent branch of the development team with the authority and responsibility to manage the development process and final product release. This team is tasked with monitoring compliance according to the company’s ‘secure development best practices’.

2. Inclusive protection of components and systems

This step is to ensure that all components of a solution are tested and verified before reaching the customer. Some of the steps in the process include end-to-end encryption, encrypted database communications, system auditing, alerting and management, and denial of service attack protection.

3. Configuration guidelines for compliance

Taking the process beyond the development stage, the team also provides integrators and installers with documentation to assist them in installing systems securely, and to comply with various standards and regulations. For example, Tyco uses the Risk Management Framework from NIST 800-53 – ‘Security and Privacy Controls for Federal Information Systems and Organizations’ – to help users configure access control and video systems that require a high level of compliance.

4. Ongoing rigorous testing

The Cyber Protection team continues testing products against known and new vulnerabilities to ensure properly installed solutions remain as secure as possible. This testing also applies to software updates and new configurations. Moreover, third parties are also employed to conduct independent tests on the products to verify their security status and compliance.

5. Rapid response to vulnerabilities

Since vulnerabilities are being discovered every day – or so it seems – the Cyber Security team is continually on the lookout for new threats. The team consists of engineers from product security, development, quality and tech support. They evaluate each threat and decide if it can be dealt with in the next upgrade process or if they need to send out a hotfix as soon as possible.

Barkley notes that recently the team was able to develop, test and release patches for critical vulnerabilities such as Heartbleed (en.wikipedia.org/wiki/Heartbleed) and Shellshock (en.wikipedia.org/wiki/Shellshock_(software_bug)) in just two weeks.

6. Advocate and educate

The sixth step of the programme is the education of partners and customers regarding the necessity of securing their infrastructure. This includes training and development certifications, and the team also travels globally advocating for the rigorous protection of all security systems.

As noted above, security requires buy-in from all parties and the Cyber

Security Programme from Tyco covers all the bases, from the product manufacturers through to the end-users. As many integrators will testify, the end-users are probably the most important link in this chain as they are often the ones who opt for the cheapest solution that is almost guaranteed to be insecure – although no company would say that publically. Hopefully, the training and advocacy Tyco is involved with will be echoed throughout the physical security industry and both users and integrators will come to understand the importance of effective security, even if it’s only in the interest of self-preservation.

For more on the programme, please see http://www.tycosecurityproducts.com/pdf/cyber_protection/Cyber_Protection_Program_eBook_REVE.pdf (short URL: securitysa.com/*tyco1)

For more information contact Tyco Security Products, +27 (0)82 566 5274, emallett@tycoint.com, www.tycosecurityproducts.com.



Credit(s)




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Echoes of 2018? Follow-up on Woolworths explosions
Technews Publishing News & Events Security Services & Risk Management Retail (Industry) Facilities & Building Management
SMART Security Solutions follows up with Jimmy Roodt to find out more about an old connection to the Woolworths bombings from 2018. The investigation remains ongoing.

Read more...
Next-generation cash-in-transit vehicle
News & Events Security Services & Risk Management
Fidelity Services Group has unveiled a new, purpose-engineered Cash-in-Transit (CIT) vehicle designed to redefine crew protection, deter threats, and enhance operational resilience in an increasingly complex criminal environment.

Read more...
Sophos establishes South African legal entity to strengthen local operations
News & Events Information Security
Global cybersecurity company, Sophos, has announced the formation of its local legal entity, which will support local invoicing, partner enablement, compliance requirements and expanded regional investment.

Read more...
AURA partners with Discovery to launch Discovery 911
News & Events Security Services & Risk Management
AURA has announced a partnership with Discovery Insure to power the security-response component of its new Discovery 911 virtual panic-button offering, which is available through the Discovery Insure app.

Read more...
71% of organisations suffered an identity breach
News & Events Information Security
The State of Identity Security 2026 report from Sophos finds human error and poor non-human identity management are the root causes of most attacks, as agentic AI accelerates the risk.

Read more...
Global security in 2026
Editor's Choice News & Events Security Services & Risk Management Industrial (Industry) Mining (Industry)
The World Security Report 2026 states: “In a world of increasing volatility, physical security has evolved. It is no longer just a defensive measure; it is a critical driver of corporate value.”

Read more...
Who is to blame for autonomous mistakes?
Editor's Choice Security Services & Risk Management Industrial (Industry) Mining (Industry)
Most supply agreements for AI-integrated equipment still closely resemble plant hire contracts from ten years ago: bilateral, human-focused, and silent on who bears the risk when a machine makes a decision on its own.

Read more...
Cyber resilience is the real defence
Security Services & Risk Management Information Security Infrastructure
Cyber resilience has evolved into a form of strategic agility, ensuring that when an interruption occurs, the business does not just survive; it snaps back into place before the market even notices a pause.

Read more...
Beyond the checkpoint
Veracitech Editor's Choice
For decades, mining corporations have treated employee screening as a necessary friction point, an operational cost to be managed rather than a strategic capability to be optimised. A new generation of full-body X-ray technology, purpose-built for the realities of high-throughput precious-metals environments, is beginning to change that calculus.

Read more...
Persistent surveillance with rapid deployment
Editor's Choice
Sky Robots has introduced an aerial drone system designed to operate as a consistent layer within security environments, addressing long-standing challenges around visibility and response across large or complex sites.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.