When it comes to taking responsibility for cyber security, there can be a conflict of ideas regarding who should take on the burden. However, cyber threats come in many forms and there is no one single solution. As such, every stakeholder has a part to play, which means that without a multi-layered approach sites could be vulnerable. With the help of David Harrison-Brown, Cyber Security Champion at Tyco Security Products, Benchmark considers the need for a holistic defence against potential cyber attacks.
If you consider some of the differences between the IT and the security industries, it has to be accepted that in terms of cyber protection the latter is somewhat behind the curve. The IT sector understands the risks associated with cyber crime, and over the years has developed a joined-up end-to-end approach to enhance security. This is a proven approach and is arguably the only way to deliver high levels of threat mitigation.
The security industry’s initial attempts to defend against cyber attacks were focused on device hardening: minimising the potential to attack devices. This includes elements such as closing network ports, shutting down services, etc.. It is a necessary element of cyber security but needs to be part of a more comprehensive programme.
As cyber security becomes multi-layered, it allows much functionality to remain enabled without opening up further vulnerabilities.
A multi-layered approach to cyber security starts at the product development stage. When a product is designed and built, it is important that the manufacturers don’t create problems for the future. It’s easier to develop a product to be inherently secure than to attempt to fix weaknesses at a later time.
Manufacturers who are serious about security will base their products around secure development practices. For example, Tyco Security Products will avoid using elements of software and components that are already vulnerable. There are also steps that can be taken during coding which ensure the end result will be more secure. This includes writing code in a certain way so as to make it more resilient.
Not isolated
A multi-layered approach also ensures that cyber security does not consider devices in isolation. For example, a system may have a secured VMS with secured recording servers, but if it includes an unsecured camera, for example, the entire system is then vulnerable. As a result, it is important to consider inclusive protection, ensuring that the system is protected end-to-end.
While developing secure products is an essential part of cyber security, it is equally important that manufacturers offer support and guidance to ensure that installers and integrators can implement the security features, and that end users can operate the systems securely. This does require investment on the part of the manufacturers, and is often one of the first corners to be cut when the main aim is to produce products for the lowest possible price.
Another important element of creating secure products, and maintaining their credibility over time, comes down to continuous testing. New threats and vulnerabilities are discovered all the time so continuous testing using third party tools, common in cyber protection, is required. This helps to identify known vulnerabilities, but it is also important to continually look for any unknown issues too.
It is also critical when vulnerabilities are discovered that security manufacturers can offer a rapid response. For example, Tyco Security Products has a dedicated team that monitors the darker side of the web. This ensures that when weaknesses in IT components and third party software are revealed, the company can respond – usually within 24 hours – to identify products or services that might be at risk and to implement some form of mitigation until a full patch is available.
There will be a process of assessment to find out whether the reported vulnerabilities are exploitable. In some cases vulnerabilities have been discovered in elements such as Linux distributions or Microsoft OS products but these have not been exploitable. If this is the case, typically a fix will be included in the next scheduled firmware update. However, if the risk is exploitable then an urgent patch will be released.
A few years ago there were high profile vulnerabilities in the form of Heartbleed (a security bug in the OpenSSL cryptography library), ShellShock (a vulnerability in a shell component of Linux and Unix), FREAK (an exploit of a cryptographic weakness in the SSL/TLS protocols) and GHOST (a serious Linux vulnerability that allow remote takeover of a system).
While these issues did not emanate from security devices, Tyco Security Products released urgent patches to ensure that the systems running its products could be fully secured. This point underlines the importance of using credible manufacturers who can and will react to risks in the greater IT landscape. It also stresses the need to ensure that installers and integrators partner with companies who commit to releasing firmware upgrades and security bulletins.
The final element of a multi-layered approach is about advocating best practice in relation to cyber security. David Harrison-Brown points out that whilst the manufacturer would like to see people using end-to-end Tyco solutions, they appreciate that often this won’t happen. However, where best practice is applied it can reduce the possibility of a weak link in system causing the cyber protection to unravel.
If people are made more aware, an increasing number of end users can request a multi-layered approach from their installers and integrators, and from the manufacturers. With increased advocacy, awareness of cyber security can become the norm within the security systems sector.
The right purchase
Implementing a good degree of cyber protection requires a number of elements to be threaded together to allow a holistic approach. For any manufacturer addressing the risks, there is a need for investment into the support and services required.
The security systems sector generally has two drivers when it comes to purchasing: there are some who base buying decisions purely on the lowest price while others look for required features. If purchasing on price, will installers and integrators be receiving the level of cyber security support they require?
Combine this with a general view from many that hacking and cyber crime happens to other people. Despite a number of high profile breaches, many are not that worried by cyber crime on a day-to-day basis. The concern that something might go wrong usually doesn’t arise until things do go wrong.
The issue is that it might take a few serious breaches to focus the collective minds of the price-biased security market on cyber threats. That will not only have a direct impact on the installation and integration companies involved (and, of course, their customers) but will also be a negative point for the credibility of the wider security industry.
There is also the possibility of some systems being made insecure after the design, installation and configuration. There have been cases where cyber risks were dismissed because the system was not connected to the internet. Then, after a period of time, an ADSL modem was added to allow remote viewing but the core configurations were not updated.
One final issue for installers and integrators to bear in mind is that whilst IT departments might be obsessive about cyber security where WAN connections exist, often security devices place a network endpoint outside of the building, such as a camera looking at an entrance. As an industry that places network nodes in insecure areas, we have to ensure the network is properly protected.
In summary
Cyber security must cover the entire system, not just individual devices. It also must be the responsibility of all stakeholders. If a multi-layered approach is not taken, then systems may remain open to exploitation.
