Accessing cyber security

Access & Identity Management Handbook 2017 Editor's Choice, Access Control & Identity Management, Information Security, Security Services & Risk Management

As if the job of specifying, installing and maintaining physical security products is not hard enough, recent news reports have shown that many of these devices – mainly cameras and DVRs at the moment – are being used in botnets. These are networks of devices, which can be anything from computers to cameras (or any electronic devices) that have not been properly secured and as a result are infected with malware.

This malware normally sits on the device and doesn’t cause any trouble until the owner, or those renting the botnet from the owner, decide to target a company or person. Then, all the devices work together to carry out their attack plans. A recent example can be seen at www.krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos.

While access and identity devices are not known to be involved in already identified botnets in any number, it stands to reason that network connected devices, especially Internet-connected devices, form part of the global Internet of Things (IoT) network. As such, they can be used for cyber attacks either on the company using them, or on third parties. Access control has been a slow learner when it comes to moving to IP, but the move has started and there is no stopping it.

The traditional physical security approach to cyber security is to ignore it as the whole cyber issue is seen as an IT problem and left to the people who manage servers and data centres. As everything in the access world moves to IP and being connected, this is no longer an acceptable approach.

Of course, security of any sort is never one person or department’s responsibility (although many try to make it so). It takes collaboration across the board, from manufacturers to installers and end users to make security work.

Tyco Security Products is taking a proactive role in securing its range of physical security products by developing its Cyber Protection Programme. Jeffrey Barkely, product manager at Tyco Security Products, spoke to Hi-Tech Security Solutions and explained that the multifaceted programme is focused on delivering a holistic approach to cyber security awareness, covering all the bases from the manufacturer to the end-user.

The idea is to reduce the risk of cyber crime happening to end-users by minimising the potential for the introduction of vulnerabilities into products, as well as resolving issues as fast as possible when they do arise. To date, Barkley says Software House access control solutions, American Dynamics video management systems and Illustra IP cameras are all on board, with further products from the group in the pipeline.

Six-step programme

The Cyber Security Programme has been divided into six parts. This is to ensure that the programme covers all the aspects of security, not simply covering certain components of the solution while ignoring others.

1. Secure product development practices

Tyco trains its developers and engineers to code and test their products securely throughout the development cycle. It has also launched a Cyber Protection Team, an independent branch of the development team with the authority and responsibility to manage the development process and final product release. This team is tasked with monitoring compliance according to the company’s ‘secure development best practices’.

2. Inclusive protection of components and systems

This step is to ensure that all components of a solution are tested and verified before reaching the customer. Some of the steps in the process include end-to-end encryption, encrypted database communications, system auditing, alerting and management, and denial of service attack protection.

3. Configuration guidelines for compliance

Taking the process beyond the development stage, the team also provides integrators and installers with documentation to assist them in installing systems securely, and to comply with various standards and regulations. For example, Tyco uses the Risk Management Framework from NIST 800-53 – ‘Security and Privacy Controls for Federal Information Systems and Organizations’ – to help users configure access control and video systems that require a high level of compliance.

4. Ongoing rigorous testing

The Cyber Protection team continues testing products against known and new vulnerabilities to ensure properly installed solutions remain as secure as possible. This testing also applies to software updates and new configurations. Moreover, third parties are also employed to conduct independent tests on the products to verify their security status and compliance.

5. Rapid response to vulnerabilities

Since vulnerabilities are being discovered every day – or so it seems – the Cyber Security team is continually on the lookout for new threats. The team consists of engineers from product security, development, quality and tech support. They evaluate each threat and decide if it can be dealt with in the next upgrade process or if they need to send out a hotfix as soon as possible.

Barkley notes that recently the team was able to develop, test and release patches for critical vulnerabilities such as Heartbleed (en.wikipedia.org/wiki/Heartbleed) and Shellshock (en.wikipedia.org/wiki/Shellshock_(software_bug)) in just two weeks.

6. Advocate and educate

The sixth step of the programme is the education of partners and customers regarding the necessity of securing their infrastructure. This includes training and development certifications, and the team also travels globally advocating for the rigorous protection of all security systems.

As noted above, security requires buy-in from all parties and the Cyber

Security Programme from Tyco covers all the bases, from the product manufacturers through to the end-users. As many integrators will testify, the end-users are probably the most important link in this chain as they are often the ones who opt for the cheapest solution that is almost guaranteed to be insecure – although no company would say that publically. Hopefully, the training and advocacy Tyco is involved with will be echoed throughout the physical security industry and both users and integrators will come to understand the importance of effective security, even if it’s only in the interest of self-preservation.

For more on the programme, please see http://www.tycosecurityproducts.com/pdf/cyber_protection/Cyber_Protection_Program_eBook_REVE.pdf (short URL: securitysa.com/*tyco1)

For more information contact Tyco Security Products, +27 (0)82 566 5274, [email protected], www.tycosecurityproducts.com.



Credit(s)




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Local manufacturing is still on the rise
Hissco Editor's Choice News & Events Security Services & Risk Management
HISSCO International, Africa's largest manufacturer of security X-ray products, has recently secured a multi-continental contract to supply over 55 baggage X-ray screening systems in 10 countries.

Read more...
NEC XON shares lessons learned from ransomware attacks
NEC XON Editor's Choice Information Security
NEC XON has handled many ransomware attacks. We've distilled key insights and listed them in this article to better equip companies and individuals for scenarios like this, which many will say are an inevitable reality in today’s environment.

Read more...
Gallagher Security launches Augmented Reality Training in Australia
Gallagher Training & Education Access Control & Identity Management
Gallagher Security has announced the latest addition to its innovative suite of training solutions, Augmented Reality Training, demonstrating its continued commitment to innovation and improving access to security training opportunities.

Read more...
Detecting humans within vehicles without opening the doors
Flow Systems News & Events Security Services & Risk Management
Flow Systems has introduced its new product, which detects humans trying to hide within a vehicle, truck, or container. Vehicles will be searched once they have stopped before one of Flow Systems' access control boom barriers.

Read more...
Fluss launches the next wave of IoT solutions
IoT & Automation Access Control & Identity Management News & Events
Fluss has announced its newest IoT product; Fluss+ continues to allow users to manage access from anywhere globally and brings with it all the advantages of Wi-Fi connectivity.

Read more...
Cybercriminals embracing AI
Information Security Security Services & Risk Management
Organisations of all sizes are exploring how artificial intelligence (AI) and generative AI, in particular, can benefit their businesses. While they are still figuring out how best to use AI, cybercriminals have fully embraced it.

Read more...
The future of digital identity in South Africa
Editor's Choice Access Control & Identity Management
When it comes to accessing essential services, such as national medical care, grants and the ability to vote in elections to shape national policy, a valid identity document is critical.

Read more...
Do you need a virtual CIO?
Editor's Choice News & Events Infrastructure
If you have a CIO, rest assured that your competitors have noticed and will come knocking on their door sooner or later. A Virtual CIO service is a compelling solution for businesses navigating tough economic conditions.

Read more...
AI-enabled tools reducing time to value and enhancing application security
Editor's Choice
Next-generation AI tools are adding new layers of intelligent testing, audit, security, and assurance to the application development lifecycle, reducing risk, and improving time to value while augmenting the overall security posture.

Read more...
Perspectives on personal care monitoring and smart surveillance
Leaderware Editor's Choice Surveillance Smart Home Automation IoT & Automation
Dr Craig Donald believes smart surveillance offers a range of options for monitoring loved ones, but making the right choice is not always as simple as selecting the latest technology.

Read more...