Make Sure to Follow These Dealer/Integrator Cybersecurity Basics
Careful attention to IT security is a critical component of the deployment of any security system. Are you following these cybersecurity best practices?
Two-thirds of the Washington D.C. Metropolitan Police Department’s outdoor surveillance cameras were taken over by Romanian hackers just before the inauguration of President Trump in 2017.
The attack demonstrated the danger of a lack of attention to cybersecurity basics during the deployment of appliances intended to enhance physical security.
The Internet of Things (IoT) is revolutionizing physical security. Most modern security systems rely upon Internet connectivity in order to function. Organizations that want to harness the benefits of IoT systems designed to enhance physical security assume that these devices are secure and can be deployed without much expertise.
Deployment of security devices may be unsafe if the implementation is not integrated into an overall IT security strategy. The Internet is a dangerous place. Any device connected to the Internet is subject to remote attack. Legions of cyber criminals scan the Internet for vulnerable systems and devices. There are a variety of tools used to detect susceptible IoT devices.
For example, the website known as Shodan operates as “the search engine for the Internet of things.” Shodan searches can be used to generate lists of known vulnerable devices that have been discovered on the Internet.
For example, running a quick scan on Shodan for surveillance cameras with the username set to “admin” and the password set to “admin” will turn up many hundreds of devices that fit that profile in the United States alone. An attacker could easily take control of these systems.
Careful attention to cybersecurity is a critical component of the deployment of any security system. First, be aware of the threat. Second, follow IT best practices in the deployment of any security system. Third, check the integration of the system to make sure that it meets well-established standards.
Any time new technology is deployed, executives must ask a key question: “What can go wrong?” In most instances, attention to this question will demonstrate a need to ensure that the device is properly secured. The counterweight to these considerations is usually convenience.
Convenience and security are always in tension with each other. A basic example of this tension is instructive. Many people do not set a password on their smartphone because they don’t like to be inconvenienced or bothered by having to enter it each time they pick it up.
Anyone who finds or steals the phone would be able to get instant access to potentially confidential information. This smartphone example applies to decisions made about complex systems. Security suffers as a result of decisions made in favor of convenience.
The good news is that a tremendous amount of effort and research has gone into how to secure resources on the Internet. The basic concepts behind these best practices help to promote robust security. The key to robust security is defense-in-depth: multiple overlapping security features.
Even if one safeguard should fail, the device will remain secure. Some familiar examples of best practices include the following:
- Inventory and control of hardware assets: A robust security plan includes keeping a careful inventory and requiring that every device meets security requirements.
- Require multifactor authentication (MFA): A user’s access to a system needs more than just a password. This provides an extra layer of defense in the case of a stolen password.
- Enforce password security: Passwords must meet complexity requirements, and no weak or default passwords may be used.
- Patch management: Devices and software are up to date with the latest software and firmware patches.
- Use of a virtual private network (VPN): Remote access to a resource occurs over an encrypted connection. In addition, devices cannot be remotely accessed because the VPN prevents outsiders from being able to connect to or even scan the protected assets.
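The checklist above can be run as a commissioning audit over a device inventory. The following is an added example, not part of the original article; the CSV columns, model names, firmware baselines and addresses are constructed assumptions.

```python
import csv
import io

# Constructed sample data: commissioning inventory for a camera deployment.
INVENTORY_CSV = """\
ip,model,firmware,default_creds_changed,mfa_enabled,remote_access
10.20.0.11,cam-a,2.10.1,yes,yes,vpn
10.20.0.12,cam-a,2.8.3,yes,no,vpn
10.20.0.13,nvr-b,5.0.0,no,yes,port-forward
"""
# Constructed: addresses observed on the device VLAN (e.g. from a switch ARP table).
OBSERVED_IPS = {"10.20.0.11", "10.20.0.12", "10.20.0.13", "10.20.0.99"}
# Assumed policy: minimum acceptable firmware per (hypothetical) model.
MIN_FIRMWARE = {"cam-a": "2.9.0", "nvr-b": "5.0.0"}


def version_tuple(text):
    """Turn '2.10.1' into (2, 10, 1) so 2.10 sorts above 2.9, unlike strings."""
    return tuple(int(part) for part in text.split("."))


def audit(inventory_csv, observed_ips, min_firmware):
    """Return {ip: [findings]} for every device that fails a control."""
    findings = {}
    known = set()
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        ip = row["ip"]
        known.add(ip)
        issues = []
        if row["default_creds_changed"] != "yes":
            issues.append("default credentials still set")
        if row["mfa_enabled"] != "yes":
            issues.append("MFA not enforced")
        baseline = min_firmware.get(row["model"])
        if baseline is None:
            issues.append("no firmware baseline for model")
        elif version_tuple(row["firmware"]) < version_tuple(baseline):
            issues.append(f"firmware {row['firmware']} below {baseline}")
        if row["remote_access"] != "vpn":
            issues.append("remote access not restricted to VPN")
        if issues:
            findings[ip] = issues
    # Anything on the wire that is not in the inventory is an unmanaged asset.
    for ip in sorted(observed_ips - known):
        findings[ip] = ["device not in inventory"]
    return findings


if __name__ == "__main__":
    for ip, issues in audit(INVENTORY_CSV, OBSERVED_IPS, MIN_FIRMWARE).items():
        print(ip, "->", "; ".join(issues))
```

Devices that pass every control are omitted from the result, so an empty result means the deployment meets the assumed policy.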
Cybersecurity Standards Matter
It is often difficult for executives to determine whether newly deployed systems meet the security standards that organizations expect. The answer to this dilemma is the adoption of cybersecurity standards. There are several tremendously well-developed standards that can be used to ensure security.
The Center for Internet Security’s 20 Critical Security Controls is one such example. These controls collectively form a defense-in-depth set of best practices that mitigate most common attacks. According to several studies, adopting the first five controls will stop 85% of all attacks, while implementing all 20 controls will prevent 97% of attacks.
Justin Feffer is a law enforcement officer commanding the Cyber Crime Investigation Section of a large law enforcement agency in Southern California.