This article contains an expanded version of my recent response to a reader of my “Convergence Q&A” column in the Nov/Dec issue of Security Technology Executive magazine.
Q: Our electronic security systems failed our company’s network security audit. We have two weeks to create a corrective management action plan that we must put into place within 6 months. What should we do?
A: You should be able to accomplish what you need to by following documented standard cybersecurity practice and hopefully, get some guidance from your product manufacturers and service providers.
Last month the Security Industry Association (SIA)—well known for its ISC East and ISC West security conferences—announced its formation of the SIA Cybersecurity Advisory Board, which is filled with action-oriented heavy hitters from both the IT and physical security domains. This is another sign that in the very near future, issues like the one this security manager wrote about will no longer be commonplace.
Here are some steps that security practitioners have found successful in addressing management action plans and security system hardening requirements.
Developing Your Action Plan
Review Similar Action Plans. Ask both your boss and the IT department to arrange for you to review some corrective management action plans that have been developed within your organization. This will give you some idea of the expectations management and security stakeholders may have for the action plan you need to create. What specific plans can the decision-makers point to, as examples of brief but informative plans that helped enable their decision-making? Even if your improvements don’t require a cash expenditure, if you are asking for support from IT then you want to make sure you have management support so that your project gets prioritized appropriately within IT.
Name Your Plan. Many organizations have a name for various types of improvement plans: management action plan, remedial action plan, corrective and preventive action (CAPA), cyber-risk management plan, and so on. It is likely there are positive organizational dynamics around improvement plans that you can take advantage of. Find the right name and message for your plan, and launch your system security improvements now.
Take a Standards and Guidelines Based Approach. Basing your system security improvements on standards and guidelines—especially those that align with IT best practices—will show management that you have done your due diligence, and will say to IT that your plan is worth investing their time in. In fact, by helping you IT will be adding to the value that it provides to the organization, as well as fulfilling their own responsibilities for security corporate computer and network systems. (The guidance materials below are based upon IT standards and best practices.)
2015 was a Breakthrough Year for Securing Physical Security Systems. Historically computer, network and device security has been a weak area for the physical security industry, and this situation is changing. Right now the state of cybersecurity practice in the industry is not very mature, but the guidance recommended below will be a big help. Two sources for guidance on hardening your electronic security systems are (1) security associations and (2) the creators of the systems and devices you have deployed.
Management is Now Cybersecurity-Aware. General awareness of the need for cybersecurity has never been higher. Now is the time to take advantage of the wave of awareness and secure your electronic physical security technology deployments.
Links to the guidance materials mentioned below are provided the end of this article.
Security Associations
The IT Security Council (ITSC) of ASIS International (www.asisonline.org) has developed the “IT Top 6 Control Systems Security Recommendations”, which apply to both electronic physical security systems and industrial control and monitoring systems. This is currently a free ASIS member resource.
The SANS Institute (www.sans.org) is the most trusted and by far the largest source for information security training and certification in the world. Your organization’s IT folks will be familiar with SANS, which recommends the CIS Critical Security Controls (formerly known as the SANS Top 20 Controls) for effective cyber defense. CIS is the new Center for Internet Security (www.cisecurity.org). Links are provided below to the latest critical security controls list. Also linked is a SANS Institute white paper that provides guidance for secure configuration of a Windows 7 system, as an example of operating system secure configuration.
Product Manufacturers
A leading manufacturer in cybersecurity practice is Axis Communications (www.axis.com), the company who pioneered network video cameras. I was part of a panel discussion at the 2012 ASIS Annual Exhibits and Seminars for which James Marcella, Director of Technical Services at Axis Communications, was a fellow panelist. One of the session attendees asked James a question about a password weakness in certain Axis cameras.
I cringed because at that time representatives of security industry companies typically made excuses or downplayed product security vulnerabilities, and I didn’t know what direction the discussion would go in. To my relief, Marcella leaned into the microphone and stated that it was a valid security concern and that Axis had not yet addressed it. He promised that Axis was indeed working on its product security, and that it would be addressed in the near future. The attendees actually applauded his honest and straightforward answer (it was that refreshing!).
Notable among the Axis security improvements that lived up to Marcella’s promise is the Axis release this year of its Hardening Guide along with the AXIS Vulnerability Policy. The Hardening Guide, the result of an Axis collaboration with IDmachines (www.idmachines.com), provides sound technical advice for anyone involved in deploying Axis video solutions. It establishes a baseline configuration and a hardening strategy that is based upon relevant security measures in version 5 of the SANS Top 20 Critical Security Controls. The AXIS Vulnerability Policy follows IT best practices and provides a good example of what product manufacturers should be doing. (See www.go-rbcs.com/responsible-disclosure.)
In its policy Axis makes casual reference to its use of the CVE® system. CVE stands for Common Vulnerabilities and Exposure. This is a phrase that will not be familiar to most of the physical security industry but is well-known to IT folks. CVE is a catalog of known security threats. The catalog is sponsored by the U. S. Department of Homeland Security. Listed threats are divided into two categories: vulnerabilities and exposures. For definitions of these two terms and more information about CVE, see www.go-rbcs.com/the-cve-system.
Be sure to specifically request hardening guidance from the manufacturers of all your security systems and devices, if you don’t find it posted on their websites or in their customer support forums.
Cloud Service Providers
Eagle Eye Networks (www.eagleeyenetworks.com), the first cloud-based video surveillance company, this year released its “12 Security Camera System Best Practices for Cyber Protection” white paper. It provides best practices for true cloud-based systems, and for traditional DVR, NVR and server-based VMS systems that are connected to the Internet or a corporate network.
Viakoo (www.viakoo.com) provide cloud-based technology that enables high-reliability of video networks, and helps eliminate missing video by quickly and automatically by detecting when a video stream stops recording properly for any reason. It diagnoses the problem, then alerts users and recommends how to fix it. Viakoo has released a white paper titled, “Securing Your Video Security Network”, which is a 12-point checklist of critical security flaws typically found in video security networks, and what to do about them.
The guidance from these two leading companies goes well beyond their own service offerings, and is certain to apply to your own security system deployment.
Links to Resources
These are the links to the resources mentioned above.
ASIS International
ASIS members will find the Top 6 recommendations listed as “ASIS Information Security Council White Paper” on the Cybersecurity page:
http://bit.ly/asis-cybersecurity.
Sans Institute
http://bit.ly/paper-securing-windows-7-platform-example
Center for Internet Security
http://www.cisecurity.org/critical-controls/
Axis Communications hardening guide and vulnerability policy
http://www.axis.com/se/sv/support/product-security
Eagle Eye Networks white paper
http://bit.ly/eagle-eye-camera-system-best-practices
Viakoo white paper
http://bit.ly/viakoo-video-network-security-checklist
Please Send Me Additional References
Please email me (RayBernard@go-rbcs.com) about the specific hardening guidance that you get from your product manufacturers and service providers. I’d like to expand the references on this page. (See Email Footnote below.)
Questions
If you have any questions about applying the materials listed here, please do email me (RayBernard@go-rbcs.com) and I’ll get back to you within 24 hours.