Electronic security started with the development of CCTV systems made of analogue cameras, where information was recorded onto VHS tapes and stored in the security centre. As the acronym points out – it was a closed-circuit TV system.
In this digital technology age, we assume that wherever we are we can have permanent connectivity to the Internet via a variety of electronic devices and use them for viewing cameras, unlocking doors, accessing data, communicating with other people and so on. Every time we use a device, we are entering the realm of cyberspace. It is not a controllable physical space.
A whole new set of opportunities has been discovered by those who have bad intentions and are keen to exploit us and our connectivity to enrich themselves at our expense. We have a new challenge.
The digital age relies mostly on the expertise of IT specialists, in a field that is complicated and difficult for others. Because the electronic equipment being used has to be installed, programmed and maintained by IT specialists, the whole security solution has migrated, in large part, to being under their control.
This has not been a good idea from the point of view of those who understand criminology and good security practice.
What needs to be done is for the criminology and security specialists to take back control of the part which they understand instead of being frightened off by the apparently complex IT issues.
How will they do this?
For a crime to take place there needs to be a victim and a criminal who sees an opportunity. For a cybercrime to take place we need the same set of circumstances, although the participants may now be called an unaware user and a hacker looking for an opportunity.
The basic principles of CPTED (Crime Prevention Through Environmental Design)/Designing out Crime have been well documented and discussed. Instead of re-inventing the wheel, would it not be a good idea to take these basic principles and apply them to the digital environment? As a reminder, these principles are as follows:
1. Surveillance and visibility.
2. Territoriality.
3. Access and escape routes.
4. Image and aesthetics.
5. Defensible space and target hardening.
Applying these to the digital age, we can define the following principles.
Vigilance and responsibility
Surveillance and visibility becomes vigilance and responsibility. This means that none of us can afford to be an unaware user. We should not use our security access to ‘quickly check emails while we are online’, and this applies especially to those who have Administrator privileges on the network. Doing so would give cyber criminals the opportunity to change the network settings for their own purposes.
We should be aware that ‘phishing’ emails are one of the biggest problems. As the user, it would be your responsibility to report anything you think is suspicious to those who are responsible for the network.
The target is continually moving. As well as user vigilance and responsibility, a network surveillance system can be installed to monitor the network and to detect any unusual activity. This could be a place for the use of AI (artificial intelligence) techniques. It can never be said that there is a point where the risk is zero, so there must be a recovery plan in place for the possibility that a cyber-attack takes place.
Territoriality
This principle does not need to be re-defined. The common thread is OWNERSHIP. For this reason, fragmented solutions where there are no clear responsibilities defined for IT people and security people cannot work. There is no pride in ownership by either.
The IT service providers must maintain and upgrade the network and communicate with the security service providers. The limitations and possibilities of the network structure, and the need to respect the systems and procedures in place to maintain the integrity of the installation, should be communicated to the users.
The users can communicate operational requests to the network managers. They should expect to receive adequate and ongoing training in the use of the equipment. This approach should provide for a harmonious working solution.
Access and escape routes
This can be as simple for users as:
• Password management.
• Don’t share your password or access privileges with anyone.
• Don’t plug other people’s memory sticks into your computer.
Having accessed your network and carried out the attack, the criminal can escape into cyberspace, not into the local area. The effect of the attack may not be apparent for a while. The criminal did not leave you an audit trail of CCTV images and bare spaces where your possessions have been removed. You cannot see what has been stolen or how it was done. There is a possibility for the criminal to return multiple times.
Image and aesthetics
This is part of designing out crime. The easier the interface between user and network/digital mechanism is to use, the more willingly compliance can be achieved.
Those who are using the screen interface for their security surveillance work, for example, should be able to log in securely, carry out their assigned tasks without being stressed by difficult-to-follow commands and instructions, and log out at the end of their session. Having this in place, together with good training, will ensure that all data has been safely captured for reporting and investigation.
Communication is a key factor again, this time between the software designers and the security solution advisers.
Defensible space and target hardening
The manufacturers are applying themselves to this problem to make sure that their devices and systems are as secure as possible, on an ongoing basis. They have had to introduce research and development programmes to address these issues since the target is always moving.
Those maintaining the network should make sure that all updates and patches issued are installed. The security network should never be part of a general IT solution for the site. The installation of antivirus software and the secure storage of information to comply with data protection regulations also form part of defending your space and making it more difficult to target your network.
It will be easier, as in the case of physical crime, to move on and find someone who has not been so vigilant.
In conclusion
It can now be seen that crime, whether in the physical space or cyberspace, is still crime, and that the basic elements for committing the crime – opportunity, target and of course a criminal – can be analysed and dealt with by doing our best to apply CPTED principles and working on designing out crime as best we can.
To apply all this, we need a starting point that defines what we need to address. The importance of the risk assessment can never be overestimated. Risk assessments will always address the issues of target and opportunity so that the area of interest for the criminal can be defined and the necessary target hardening can be introduced to reduce access to the opportunity.
A risk assessment that is appropriately completed, with objective analysis of the results and the application of a solution which addresses the risks of the time as far as possible, is the best we can do. Regular re-assessment and re-evaluation, with thorough investigation and analysis rather than knee-jerk responses to isolated incidents, will be the best that any security solution designer can do.
Each system must have an owner who understands the mechanism of crime and the IT space, takes responsibility for outcomes and remembers: Be Aware and Beware.
© Technews Publishing (Pty) Ltd. | All Rights Reserved.