Whose responsibility is the security of a customer’s security system – the installer, manufacturer, distributor or end user? What can be done by all parties to improve the security of IP technology and the network it sits on?
One of the main topics being talked about at IFSEC this year was the security of networked security systems. The use of networks to carry data was a concern with IP cameras years ago, but it seems that it’s only recently that everyone is taking it as a potentially serious problem. So whose responsibility is the security of your customers’ electronic security technology? The PSI Panel of experts offers some advice.
Kim Loy – Vanderbilt
All parties involved need to play a role in the security of a customer’s system.
The manufacturer must conduct rigorous testing prior to launching a product to highlight any potential vulnerabilities. Given that most developing technologies in our industry utilise equipment that is “connected” within the modern architecture of solutions, this procedure needs to be part of the overall design, development and testing of products being sold today.
In addition, the installers of the equipment need to have a good knowledge of networks and the products they are installing to ensure it is handled in the most effective, secure manner. They should be acting in a consultative manner with the end customer to ensure they have sufficient security and firewalls on their network to reduce the potential of someone hacking into their system.
The end user also needs to play a role in ensuring the security of the equipment they are using. They need to change passwords on a regular basis, just as they would do with their own laptops and computers that they work on as part of their daily business. All equipment hanging off a corporate network needs to be treated with the same level of diligence – and that includes security equipment. One of the most frequently identified vulnerabilities is that passwords are left at the manufacturer’s default setting.
Throughout the entire process, all parties should have the security of the system installed at the front of mind and have procedures and processes in place to ensure that it remains that way.
Stephen D Green – Security Institute
Whether human, physical, electronic or, as is usually the case, some combination of all three, any security system is only ever as secure as the information pertaining to that system. If one has information on a system, one can identify and exploit weaknesses. So, whether such information is in the form of operational plans and procedures, architectural blueprints, system schematics or live network traffic between devices, if it can be associated with a specific system then basic “need to know” principles must apply. Strict control of access to sensitive information is the responsibility of every person who either touches or becomes aware of the existence of it.
In the information technology age, this simple maxim seems all too easily forgotten. When the duplication and dissemination of critical data becomes as simple as a mouse-click, vulnerability increases exponentially and the need for individual discipline becomes ever more important. Such discipline requires a thorough understanding of the value of information to an adversary, and the way that insignificant snippets, gleaned from multiple sources, can be used to synthesize the complete picture required to defeat a security system.
Individuals handling information classified as potentially useful to an adversary must also comprehend, and be prepared to rebuff, the myriad techniques which may be used to extract it from them. Access control measures, such as keys, PINs and passwords, must be all be managed robustly to rebuff direct attacks, whilst individuals need an awareness of social engineering techniques that may target them in more subtle ways. No firewall in the world can protect a network if its administration codes have already been inadvertently made available to a hacker or intruder.
Therefore, no matter how sophisticated modern systems become, they remain as always only as strong as their weakest link, and depressingly this is invariably human.
David Davies – DVS
Security is everyone’s responsibility and with the growing number of IoT devices connected and with reports of security breaches in the media, it really is a subject that we all need to think about; from supplier through to the installer.
So, how do we approach end to end security concerns? From a manufacturer’s perspective, it’s vital they invest in certified security testing procedures across multiple platforms to ensure any weaknesses or vulnerabilities are found early on and patched to prevent these being exploited. Although many manufacturers already perform such testing, this is an area that requires a continual focus which will benefit through strategic partnerships with IT network providers (which we have started to see) to ensure end to end resilience against attacks.
The installer should always make sure the firmware for the devices is on the latest release when installing, and on subsequent visits. This will be the first line of defence as current firmware would include updates for any security exploits found.
You can take extra measures that include: 1) using HTTPS instead of HTTP, 2) complex passwords and 3) use of illegal login notifications and 4) making sure the devices are behind firewalls and not left on a public accessible network. If remote access is needed we can change default ports that are used, assign valid IP address that can access the network and valid remote access paths like VPNS & DNS services.
The distributor should always make sure the correct information being communicated through staff and customers alike, talking about the need to take security seriously in training courses that are offered and also offering technical support around this issue where possible.
Read the full article in the August 2017 edition of PSI magazine
