classic | mobile
Follow us on:
Follow us on Facebook  Share via Twitter  Share via LinkedIn

Hi-Tech Security Solutions Business Directory
Residential Estate Security Handbook 2018

The cybersecurity of physical ­security
April 2018, This Week's Editor's Pick, Cyber Security

By now we all know of the dangers of cyber-attacks being launched through security devices that have been installed without the proper planning and cybersecurity precautions. The Mirai botnet attack was only one example of how hundreds of surveillance products (DVRs and cameras) could be used as part of a botnet to launch global distributed denial of service (DDOS) attacks on premium Internet properties.

Roger Truebody.
Roger Truebody.

Being aware of the dangers is one thing, but actually knowing what you need to look out for and do to secure your surveillance infrastructure, is quite another. And securing it is a must. Roger Truebody has often demonstrated to clients the simplicity with which a surveillance (or security) infrastructure can be hacked if not protected.

The issue is not about losing control of your cameras or losing video footage, although that is a serious consequence in high-security installations, even if the organisation has set up a separate network for surveillance there will almost always be a connection between the corporate and security infrastructure. The security breach will allow the hackers to worm their way into any part of the network and inflict damage or steal sensitive information or money.

Any weak link in the security infrastructure will be enough to allow them a foot in the door, and that is all they require. This is not a risk exclusive to security products, however, any IP-based device in the industrial control field can be the weak link that provides access to those with bad intentions.

The answer, Truebody says, is start your planning like you would in any other risk management scenario with good governance and making sure you have a clear view of what you want to accomplish. Your people, processes and technology (PPT) is the starting point.

Starting with an assessment

When starting with a risk assessment, you need to determine and illustrate all the risks you may face and the impact they could have on the physical security infrastructure as well as further into the organisation. As an example, Truebody says that hacking the cameras watching the platform at a train station may not be the highest security risk, but hacking the cameras of a cash centre would carry a significant risk.

“The impact of the risk drives the controls, reactions and budget assigned to mitigation,” he says. The awareness of what could happen and what mitigation processes are required are even more important as selecting the right technology for the job. Although, organisations need to be sure the technology they specify can meet their requirements effectively, across the board and in whatever situation risks manifest in.

Whether they run proof of concepts, shoot-outs or investigate other organisations that have made use of the same solutions, buying technology is not a matter of getting the best deal, but of getting the technology you know, will do the job. And he is referring to all technology, not only surveillance and security-related systems, but also the IT infrastructure, which includes your switches, servers, storage, and so on.

Truebody is also in favour of much more collaboration between the owners of the IT network and the physical security or camera network. Currently, the camera network in an enterprise is probably covered by the IT security policy – one hopes. However, this is where the collaboration normally ends and if the camera network is breached, the physical security guys will probably not know about it. More importantly, the IT network is now also at risk of attack from a supposedly trusted source.

Organisations therefore need to set accountability rules for both networks, setting clear rules of who is accountable for what, and how the networks are planned, implemented and managed. This also applies to organisations that keep both networks independent of each other; all hackers need is one weak point.

The people aspect must also be considered. You need to understand people and their motivations in order to get your employees on board the cyber defence wagon. As it become more difficult to break into systems, the insider is becoming a more valuable target for criminals. Employees need to understand about not clicking on random files they receive and how irresponsible online practices can be turned against them and their organisations. More companies are training employees to ­recognise this, but also adding punitive measures to their contracts if they do not apply their learning.

Then there is also the insider threat of employees who are working for syndicates, either willingly or unwillingly, and the damage they can cause. Visibility and accountability is key here. By this, Truebody means the network must be set up in such a manner that everybody knows that what they do on the network is recorded. Everyone has the freedom to do what they are

authorised to do, but they need to know that if something untoward happens they will be identified and be held accountable.

In areas of higher risk, employee screening should also be done pre- and potentially post-employment. The nature of the risk will determine the level of screening that is required.

Basic procedures

In addition to the above, Truebody is also a believer in ‘basic cyber hygiene’ as the foundation to ensuring your physical security infrastructure is as secure as it can be. Some of the issues to consider are:

• Aligning the security policies with your IT department’s security policies. Make use of IT’s experience in this regard and collaborate with them.

• Make sure you use strong passwords. Length of passwords is important, it takes only 15 minutes to crack a 4-character password.

• Keep your asset register up to date. Know what you have and when it was last patched.

• Keep access to the physical security network controlled. For example, nobody should be able to use an unauthorised USB device anywhere on the network.

• Ongoing maintenance is critical. This does not refer to software patches only, but actual physical maintenance that has someone looking at everything from the cameras to the access control readers to the network cables and switches etc.

• If you use remote monitoring, either an in-house service or from a third-party, conduct penetration testing from time to time to determine where the weak links are. Security is an end-to-end function; one weakness anywhere on the network is all the criminal needs.

In today’s digital world, it seems unlikely that any system will be 100% secure. However, by addressing the cyber risks from a PPT approach allows organisations to have a level of assurance that they have covered their bases and done what they can to secure their systems. Truebody concludes: “Make sure the fence is properly built before you start looking for holes.”

  Share via Twitter   Share via LinkedIn      

Further reading:

  • Trust but continually verify
    November 2018, Technews Publishing, This Week's Editor's Pick, Access Control & Identity Management, Integrated Solutions, IT infrastructure
    Hi-Tech Security Solutions looks at access and identity management and asks some industry players what ‘zero trust’ and ‘least privilege’ access means.
  • Managing who, what and why
    November 2018, Technews Publishing, This Week's Editor's Pick, Cyber Security
    Today’s access control isn’t only concerned with who has access, but also what has access, why they need it and what they are doing with it.
  • Physical/logical convergence
    November 2018, Technews Publishing, This Week's Editor's Pick, Cyber Security, Integrated Solutions, IT infrastructure
    The convergence between physical and logical (or cyber) security will be a game-changer because it will change the way we do everything, from planning to design and all the way to installation and maintenance.
  • Physical and logical convergence is a fact
    November 2018, This Week's Editor's Pick, Integrated Solutions, IT infrastructure
    Convergence, the next buzzword? A dated buzzword? Is convergence ­merely ­integration on steroids? What is convergence?
  • The expanding role of IT in access control
    November 2018, Technews Publishing, This Week's Editor's Pick, Access Control & Identity Management, IT infrastructure
    What role is IT playing in the world of physical access control and how far will its role expand in future?
  • Taking augmented identity to the world
    November 2018, Technews Publishing, This Week's Editor's Pick, Access Control & Identity Management, Integrated Solutions
    Hi-Tech Security Solutions spoke to Gary Jones, VP Global Channel and Marketing biometric access and time solutions) at IDEMIA (formerly Morpho) about his career with the company and its new vision of Augmented Identity.
  • Tracking biometrics into a brave new digital world
    November 2018, This Week's Editor's Pick, Access Control & Identity Management, Integrated Solutions
    The industry is increasingly transitioning from unimodal to more integrated multimodal biometric solutions for more accurate identity verification and faster real-time results.
  • A better approach to fingerprint biometrics
    November 2018, This Week's Editor's Pick, Access Control & Identity Management
    Not all optical biometric fingerprint scanners are created equal. The type of sensor used has a powerful impact on speed, accuracy, reliability and portability.
  • The right access decisions
    November 2018, Technews Publishing, This Week's Editor's Pick, Access Control & Identity Management
    Making the right access control decision depends on what you want secured and how secure it should be.
  • Digital channels and the evolution of ID
    November 2018, This Week's Editor's Pick, Access Control & Identity Management, IT infrastructure
    While the concept of identity (ID) remains unchanged, the rapid evolution of digital technology has dramatically extended both its application and form factor.
  • Using tomorrow’s tools to solve ­today’s security problems
    November 2018, Access Control & Identity Management, Cyber Security, Integrated Solutions
    It is the companies that are already investing in tomorrow’s tools to solve today’s problems that will survive the ongoing onslaught to circumvent security solutions.
  • Fingerprints protect privacy for AIDS testing
    November 2018, This Week's Editor's Pick, Access Control & Identity Management
    A creative, progressive NGO uses biometric fingerprint scanning to redefine confidentiality and AIDS treatment in South Africa.

Technews Publishing (Pty) Ltd
1st Floor, Stabilitas House
265 Kent Ave, Randburg, 2194
South Africa
Publications by Technews
Dataweek Electronics & Communications Technology
Electronic Buyers Guide (EBG)

Hi-Tech Security Solutions
Hi-Tech Security Business Directory (HSBD)

Motion Control in Southern Africa
Motion Control Buyers’ Guide (MCBG)

South African Instrumentation & Control
South African Instrumentation & Control Buyers’ Guide (IBG)
Terms & conditions of use, including privacy policy
PAIA Manual
    Mobile | Classic

Copyright © Technews Publishing (Pty) Ltd. All rights reserved.