by Ray Bernard PSP, CHS-III
Last month the Security Industry Association (SIA)—well known for its ISC East and ISC West security conferences—announced its formation of the SIA Cybersecurity Advisory Board, which is filled with action-oriented heavy hitters from both the IT and physical security domains. This is another sign that in the very near future, issues like the one this security manager wrote about will no longer be commonplace.
Q: Our electronic security systems failed our company’s network security audit. We have two weeks to create a corrective management action plan that we must put into place within 6 months. What should we do?
A: You should be able to accomplish what you need to by following documented standard cybersecurity practice and hopefully, get some guidance from your product manufacturers and service providers.
Here are some steps that have been found successful in addressing management action plans and security system hardening requirements.
Developing Your Action Plan
Review Similar Action Plans. Ask both your boss and the IT department to arrange for you to review some corrective management action plans that have been developed within your company. This will give you some idea of the expectations management may have for the plan you need to create.
Take a Standards and Guidelines Based Approach. Historically computer, network and device security has been a weak area for the physical security industry, and this situation is changing. Right now the state of cybersecurity practice in the industry is not very mature, but the guidance recommended below will be a big help. Two sources for guidance on hardening your electronic security systems are (1) security associations and (2) the creators of the systems and devices you have deployed.
Links to the guidance materials mentioned below are provided the end of this column.
The IT Security Council (ITSC) of ASIS International (www.asisonline.org) has developed the “IT Top 6 Control Systems Security Recommendations”, which apply to both electronic physical security systems and industrial control and monitoring systems. This is currently a free ASIS member resource.
The SANS Institute (www.sans.org) is the most trusted and by far the largest source for information security training and certification in the world. Your organization’s IT folks will be familiar with SANS, which recommends the CIS Critical Security Controls (formerly known as the SANS Top 20 Controls) for effective cyber defense. CIS is the new Center for Internet Security (www.cisecurity.org). Links are provided below to the latest critical security controls list and to a SANS Institute white paper that provides guidance for secure configuration of a Windows 7 system as an example of operating system secure configuration.
A leading manufacturer in cybersecurity practice is Axis Communications (www.axis.com), the company who pioneered network video cameras. This year Axis released its Hardening Guide along with the AXIS Vulnerability Policy. The Hardening Guide, the result of an Axis collaboration with IDMachines (www.idmachines.com), provides sound technical advice for anyone involved in deploying Axis video solutions. It establishes a baseline configuration and a hardening strategy that is based upon relevant security measures in version 5 of the SANS Top 20 Critical Security Controls. The AXIS Vulnerability Policy follows IT best practices and provides a good example of what product manufacturers should be doing. (See www.go-rbcs.com/responsible-disclosure.)
In its policy Axis makes casual reference to its use of the CVE® (Common Vulnerabilities and Exposure’s) system, a term that will not be familiar to most of the physical security industry but is well-known to IT folks. CVE is a catalog of known security threats. The catalog is sponsored by the U. S. Department of Homeland Security. Listed threats are divided into two categories: vulnerabilities and exposures. (For definitions of these two terms and more information about CVE, see www.go-rbcs.com/the-cve-system.)
Cloud Service Providers
Eagle Eye Networks (www.eagleeyenetworks.com), the first cloud-based video surveillance company, this year released its “12 Security Camera System Best Practices for Cyber Protection” white paper. It provides best practices for true cloud-based systems, and for traditional DVR, NVR and server-based VMS systems that are connected to the Internet or a corporate network.
Viakoo (www.viakoo.com) provide cloud-based technology that enables high-reliability of video networks, and helps eliminate missing video by quickly and automatically detecting when a video stream stops recording properly for any reason. It diagnoses the problem, then alerts users and recommends how to fix it. Viakoo has released a white paper titled, “Securing Your Video Security Network”, which is a 12-point checklist of critical security flaws typically found in video security networks, and what to do about them.
Links to Resources
ASIS members will find the Top 6 recommendations listed as “ASIS Information Security Council White Paper” on the Cybersecurity page: http://bit.ly/asis-cybersecurity.
Center for Internet Security
Axis Communications hardening guide and vulnerability policy
Eagle Eye Networks white paper
Viakoo white paper
Write to Ray about this column at ConvergenceQA@go-rbcs.com. Ray Bernard, PSP, CHS-III is the author of the new book Security Technology Convergence Insights. He is also principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities. Ray is also a member of the Content Expert Faculty of the Security Executive Council (www.SecurityExecutiveCouncil.com). For more information about Ray and RBCS go to www.go-rbcs.com or call 949-831-6788. Follow Ray on Twitter: @RayBernardRBCS. Learn about Ray’s new Elsevier book, Security Technology Convergence Insights, available on Amazon at http://bit.ly/security-tech-convergence-insights.
© 2015 Ray Bernard