Issue link: https://securitytechnologyexecutive.epubxp.com/i/870734
www. SecurityInfoWatch.com • September/October 2017 • SECURIT Y TECHNOLOGY E XECUTIVE 45 "cyber weapon delivery system of choice". Stronger methods are available today to ensure that security systems are protected from compromise. But what is lacking is the urgency and focus for those methods to be used pervasively. Real -life examples are not hard to find. Two wake-up calls to the industry include the recent Mirai and Persirai botnet attacks which hijacked IP security cameras to launch distributed denial of service (DDoS) attacks. Adding fuel to the fire is the recent Devil's Ivy vulnerability. A recent Panasonic White Paper entitled, 'Just how secure is your video surveillance?' claims that 60 percent of all video cameras have not changed their default passwords. This leaves them open to compromise and manipulation. Brandon Arcement, Director of Prod- uct Marketing at HID Glob- al, commented, " While network attacks can happen at the controller, relative to the video space, attacks on access control systems are not as com- mon -- because the attack surface is smaller today." Even so, these DDoS attacks are not the first. In almost every type of organization, there are serious damages done to the organizational mission when security is compromised. Shrinkage increases in retail markets. In education, Clery Act violations can be impacted. And in healthcare, Medicare reim- bursements can be withheld for failing critical risk assessments. Elsewhere, regulatory certifications can be threatened. As problems grow, real actions are needed to address them. The impact of not taking action can already be seen in the documented costs associated with data breaches. According to the 2017 Cost of Data Breach Study: Global Overview sponsored by IBM and conducted by Ponemon Institute: • The average cost of each data breach for 419 companies surveyed was more than $3 million per occurrence. • The average cost for each lost or stolen record containing sensitive and confidential informa- tion was $141. • It is estimated that organizations in this study have an average probability of 27.7 percent of having a material data breach again in the next 24 months. • Note: the faster the data breach was identified and contained, the lower the costs were associ- ated with the loss. These are in addition to damages to brand, workplace disruption and other legal and financial liabilities. Half-hearted Strategies It's fair to say that efforts are being made, just not enough or of the right kind. For example, most devices on a physical security network today have self-test "health check" capabilities. These tests are useful but can give a false sense of security. While all the "self-tests" come out looking good, the reality might be that a condition between or in a combina- tion of the devices is causing a failure. Another way that helps but is insufficient is spot- checking the system to look for issues or concerns. The vulnerability this exposes is because a malware agent is usually pretty good at hiding itself until it is activated. Also, the manual effort involved in camera checking does not scale for many organiza- tions. Even if it did, the efforts expended are almost always more costly and logistically challenging. A third approach is for organizations to restrict connectivity, such as through only using on-prem- ises software that does not require any external Avoiding that catastrophic organizational event takes a diligent approach to both logical and physical security strategies. Image Courtesy of BigStock.com