10 Steps Integrators Should Use to Ensure Manufacturers’ Products Are Cyber Secure
More and more security devices are being placed on networks and therefore need to be tested and designed to withstand hacking attacks. Learn what to be aware of, look for and verify in a vendor.
8. Has the manufacturer established security configuration control baseline standards?
Can the manufacturer describe the internal process and configuration standards for specific environments where the product is deployed? These security configuration control baselines extend far beyond just the technical design, engineering and patches made to systems developed by manufacturers. They include establishing consistent technical approaches, consistent terminology and a consistent security framework through all security-related functions and processes.
Manufacturers that demonstrate they effectively maintain a security configuration control baseline can prove where common and shared controls interface with external data sources, and how change control processes are managed.
9. Does the manufacturer share vulnerability data with its systems integrators?
How does the manufacturer share vulnerability information about its products? Most vendors would prefer either not to release information or not to provide enough technical detail about their vulnerabilities to help users protect themselves by patching, modifying the environment, tweaking firewall and intrusion detection rules, disabling the component altogether, or performing other security processes.
A best practice commonly adopted by leading physical security manufacturers is evaluating their products against the National Institute of Standards and Technology (NIST) National Vulnerability Database. There, manufacturers can find information and remediation processes for vulnerabilities that have been validated by the U.S. Computer Emergency Readiness Team (US-CERT).
Manufacturers that are willing to share information can publish details about their product using a system known as Common Platform Enumeration (CPE) where they can uniquely define configuration elements that comprise their products.
In the event a cybersecurity vulnerability is discovered within a particular vendor product, the affected configurations can be quickly identified and the information shared among affected parties. Physical security manufacturers that publish this information for industry consumption and analysis should be considered cyber aware.
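To show how CPE names make that identification mechanical, here is an added example (not code from the article or from any vendor) that matches an integrator's inventory of deployed products, expressed as CPE 2.3 strings, against advisory records that list affected CPE match strings. All product names, versions and advisory IDs are constructed placeholders, and the matcher deliberately ignores escaped colons and NVD version-range attributes.

```python
"""Match a deployed-product inventory against advisory CPE match strings.

A CPE 2.3 formatted string has 13 colon-separated components:
  cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other
In an advisory's match string, '*' means ANY. Simplification (assumption):
escaped colons and NVD version ranges (versionStartIncluding etc.) are not handled.
"""
from typing import Dict, List

CPE_FIELDS = ["part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other"]


def parse_cpe23(cpe: str) -> Dict[str, str]:
    """Split a CPE 2.3 string into its named attributes, rejecting malformed input."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return dict(zip(CPE_FIELDS, parts[2:]))


def cpe_matches(match_string: str, inventory_cpe: str) -> bool:
    """True when every attribute of the advisory pattern is ANY or equals the inventory value."""
    pattern, actual = parse_cpe23(match_string), parse_cpe23(inventory_cpe)
    return all(pattern[f] == "*" or pattern[f].lower() == actual[f].lower() for f in CPE_FIELDS)


def affected_products(inventory: List[str], advisories: List[dict]) -> Dict[str, List[str]]:
    """Return {advisory_id: [inventory CPEs it applies to]} for advisories that hit the inventory."""
    hits: Dict[str, List[str]] = {}
    for adv in advisories:
        matched = [inv for inv in inventory if any(cpe_matches(m, inv) for m in adv["cpe_match"])]
        if matched:
            hits[adv["id"]] = matched
    return hits


# Constructed sample inventory of deployed devices (placeholder vendors/products).
INVENTORY = [
    "cpe:2.3:h:examplecam:ipcam_200:2.4.1:*:*:*:*:*:*:*",
    "cpe:2.3:o:examplecam:ipcam_200_firmware:2.4.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:examplevms:vms_server:7.0:*:*:*:*:windows:*:*",
]

# Constructed advisory records, loosely shaped like NVD configuration data.
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "cpe_match": ["cpe:2.3:o:examplecam:ipcam_200_firmware:2.4.1:*:*:*:*:*:*:*"]},
    {"id": "EXAMPLE-2024-0002", "cpe_match": ["cpe:2.3:a:examplevms:vms_server:*:*:*:*:*:linux:*:*"]},
    {"id": "EXAMPLE-2024-0003", "cpe_match": ["cpe:2.3:a:examplevms:vms_server:7.0:*:*:*:*:*:*:*"]},
]

if __name__ == "__main__":
    for adv_id, cpes in affected_products(INVENTORY, ADVISORIES).items():
        print(adv_id, "->", ", ".join(cpes))
```

The second advisory does not fire because its target_sw is linux while the deployed server is the windows build, which is exactly the configuration-level precision CPE adds over a bare product name.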
10. Does the manufacturer use third-party independent verification and validation (IV&V)?
Manufacturers routinely report that they conduct internal reviews and product testing at regular intervals to demonstrate their IT-connected solution is secure. Alongside these internal evaluations, do the manufacturers claim to use external third-party testing and evaluation? Do they describe the test plan and the environment in which their product is deployed?
Manufacturers that publish testing and evaluation data derived from third-party IV&V demonstrate their ability to be cyber aware by recognizing that all systems present some form of risk. If weaknesses are discovered and remediated, a cyber-aware product manufacturer should be more willing to share relevant data with systems integrators.
Coordinated Team Effort Is Required
Because the context is so diverse and the technology space so dynamic, physical security manufacturers and systems integrators will need to work together at levels previously unimagined to deploy cyber-secure solutions to end users. Education, training and knowledge transfer are essential as we move into the hyper-connected, interdependent world of the modern computing environment.
Systems integrators must demand more from manufacturers with assurances that they have met and maintain internal cybersecurity best practices and sell secure products to end users.
Moving forward, systems integrators must be internally prepared and skilled in using various types of verification tools, design checking software and other quality assurance tools that can identify possible security vulnerabilities before deployment into customer environments.
Bio: Darnell Washington is President and CEO of information security technology and consulting firm SecureXperts. He can be reached at dwashington@securexperts.com.