Security Technology Executive

NOV-DEC 2015

Issue link: https://securitytechnologyexecutive.epubxp.com/i/618378


CONVERGENCE Q&A

Hardening Electronic Physical Security

By Ray Bernard, PSP, CHS-III

Q: Our electronic security systems failed our company's network security audit. We have two weeks to create a corrective management action plan that we must put into place within 6 months. What should we do?

A: You should be able to accomplish what you need to by following documented standard cybersecurity practice and, hopefully, get some guidance from your product manufacturers and service providers.

Here are some steps that have been found successful in addressing management action plans and security system hardening requirements.

Developing Your Action Plan

Review Similar Action Plans. Ask both your boss and the IT department to arrange for you to review some corrective management action plans that have been developed within your company. This will give you some idea of the expectations management may have for the plan you need to create.

Take a Standards and Guidelines Based Approach. Historically, computer, network and device security has been a weak area for the physical security industry, and this situation is changing. Right now the state of cybersecurity practice in the industry is not very mature, but the guidance recommended below will be a big help. Two sources for guidance on hardening your electronic security systems are (1) security associations and (2) the creators of the systems and devices you have deployed.

Security Associations

The IT Security Council (ITSC) of ASIS International (www.asisonline.org) has developed the "IT Top 6 Control Systems Security Recommendations", which apply to both electronic physical security systems and industrial control and monitoring systems. This is currently a free ASIS member resource.

The SANS Institute (www.sans.org) is the most trusted and by far the largest source for information security training and certification in the world. Your organization's IT folks will be familiar with SANS, which recommends the CIS Critical Security Controls (formerly known as the SANS Top 20 Controls) for effective cyber defense. CIS is the new Center for Internet Security (www.cisecurity.org). Links are provided below to the latest critical security controls list and to a SANS Institute white paper that provides guidance for secure configuration of a Windows 7 system as an example of operating system secure configuration.

Product Manufacturers

A leading manufacturer in cybersecurity practice is Axis Communications (www.axis.com), the company that pioneered network video cameras. This year Axis released its Hardening Guide along with the AXIS Vulnerability Policy. The Hardening Guide, the result of an Axis collaboration with IDMachines (www.idmachines.com), provides sound technical advice for anyone involved in deploying Axis video solutions. It establishes a baseline configuration and a hardening strategy that is based upon relevant security measures in version 5 of the SANS Top 20 Critical Security Controls. The AXIS Vulnerability Policy follows IT best practices and provides a good example of what product manufacturers should be doing.

In its policy Axis makes casual reference to its use of the CVE® (Common Vulnerabilities and Exposures) system, a term that will not be familiar to most of the physical security industry but is well-known to IT folks. CVE is a catalog of known security threats. The catalog is sponsored by the U.S. Department of Homeland Security.

Cloud Service Providers

Eagle Eye Networks (www.eagleeyenetworks.com), the first cloud-based video surveillance company, this year released its "12 Security Camera System Best Practices for Cyber Protection" white paper. It provides best practices for true cloud-based systems, and for traditional DVR, NVR and server-based VMS systems that are connected to the Internet or a corporate network.

Viakoo (www.viakoo.com) provides cloud-based technology that enables high reliability of video networks, and helps eliminate missing video by quickly and automatically detecting when a video stream stops recording properly for any reason. It diagnoses the problem, then alerts users and recommends how to fix it. Viakoo has released a white paper titled "Securing Your Video Security Network", which is a 12-point checklist of critical security flaws typically found in video security networks, and what to do about them. ■

Last month the Security Industry Association (SIA) announced its formation of the SIA Cybersecurity Advisory Board, which is filled with action-oriented heavy hitters from both the IT and physical security domains. This is another sign that in the very near future, issues like the one this security manager wrote about will no longer be commonplace.

Write to Ray about this column at ConvergenceQA@go-rbcs.com. Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities. For more information about Ray Bernard and RBCS go to www.go-rbcs.com or call 949-831-6788. Follow Ray on Twitter: @RayBernardRBCS
