Accessing cyber security

Access & Identity Management Handbook 2017 Editor's Choice, Access Control & Identity Management, Information Security, Security Services & Risk Management

As if the job of specifying, installing and maintaining physical security products is not hard enough, recent news reports have shown that many of these devices – mainly cameras and DVRs at the moment – are being used in botnets. These are networks of devices, which can be anything from computers to cameras (or any electronic devices) that have not been properly secured and as a result are infected with malware.

This malware normally sits on the device and doesn’t cause any trouble until the owner, or those renting the botnet from the owner, decide to target a company or person. Then, all the devices work together to carry out their attack plans. A recent example can be seen at www.krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos.

While access and identity devices are not known to be involved in already identified botnets in any number, it stands to reason that network connected devices, especially Internet-connected devices, form part of the global Internet of Things (IoT) network. As such, they can be used for cyber attacks either on the company using them, or on third parties. Access control has been a slow learner when it comes to moving to IP, but the move has started and there is no stopping it.

The traditional physical security approach to cyber security is to ignore it, as the whole cyber issue is seen as an IT problem and left to the people who manage servers and data centres. As everything in the access world moves to IP and becomes connected, this is no longer an acceptable approach.

Of course, security of any sort is never one person or department’s responsibility (although many try to make it so). It takes collaboration across the board, from manufacturers to installers and end users to make security work.

Tyco Security Products is taking a proactive role in securing its range of physical security products by developing its Cyber Protection Programme. Jeffrey Barkley, product manager at Tyco Security Products, spoke to Hi-Tech Security Solutions and explained that the multifaceted programme is focused on delivering a holistic approach to cyber security awareness, covering all the bases from the manufacturer to the end-user.

The idea is to reduce the risk of cyber crime happening to end-users by minimising the potential for the introduction of vulnerabilities into products, as well as resolving issues as fast as possible when they do arise. To date, Barkley says Software House access control solutions, American Dynamics video management systems and Illustra IP cameras are all on board, with further products from the group in the pipeline.

Six-step programme

The Cyber Security Programme has been divided into six parts. This is to ensure that the programme covers all the aspects of security, not simply covering certain components of the solution while ignoring others.

1. Secure product development practices

Tyco trains its developers and engineers to code and test their products securely throughout the development cycle. It has also launched a Cyber Protection Team, an independent branch of the development team with the authority and responsibility to manage the development process and final product release. This team is tasked with monitoring compliance according to the company’s ‘secure development best practices’.

2. Inclusive protection of components and systems

This step is to ensure that all components of a solution are tested and verified before reaching the customer. Some of the steps in the process include end-to-end encryption, encrypted database communications, system auditing, alerting and management, and denial of service attack protection.

3. Configuration guidelines for compliance

Taking the process beyond the development stage, the team also provides integrators and installers with documentation to assist them in installing systems securely, and to comply with various standards and regulations. For example, Tyco uses the Risk Management Framework from NIST 800-53 – ‘Security and Privacy Controls for Federal Information Systems and Organizations’ – to help users configure access control and video systems that require a high level of compliance.

4. Ongoing rigorous testing

The Cyber Protection team continues testing products against known and new vulnerabilities to ensure properly installed solutions remain as secure as possible. This testing also applies to software updates and new configurations. Moreover, third parties are also employed to conduct independent tests on the products to verify their security status and compliance.

5. Rapid response to vulnerabilities

Since vulnerabilities are being discovered every day – or so it seems – the Cyber Security team is continually on the lookout for new threats. The team consists of engineers from product security, development, quality and tech support. They evaluate each threat and decide if it can be dealt with in the next upgrade process or if they need to send out a hotfix as soon as possible.

Barkley notes that recently the team was able to develop, test and release patches for critical vulnerabilities such as Heartbleed (en.wikipedia.org/wiki/Heartbleed) and Shellshock (en.wikipedia.org/wiki/Shellshock_(software_bug)) in just two weeks.

6. Advocate and educate

The sixth step of the programme is the education of partners and customers regarding the necessity of securing their infrastructure. This includes training and development certifications, and the team also travels globally advocating for the rigorous protection of all security systems.

As noted above, security requires buy-in from all parties and the Cyber Security Programme from Tyco covers all the bases, from the product manufacturers through to the end-users. As many integrators will testify, the end-users are probably the most important link in this chain as they are often the ones who opt for the cheapest solution that is almost guaranteed to be insecure – although no company would say that publicly. Hopefully, the training and advocacy Tyco is involved with will be echoed throughout the physical security industry and both users and integrators will come to understand the importance of effective security, even if it’s only in the interest of self-preservation.

For more on the programme, please see http://www.tycosecurityproducts.com/pdf/cyber_protection/Cyber_Protection_Program_eBook_REVE.pdf (short URL: securitysa.com/*tyco1)

For more information contact Tyco Security Products, +27 (0)82 566 5274, [email protected], www.tycosecurityproducts.com.


