Evolution of Cybersecurity & Countermeasures


Just returned from speaking at the annual PSATec Conference (www.psasecurity.com) and was thoroughly surprised by the strong emphasis on Cybersecurity… For those who don’t know PSA, it is an organization that supports a large national group of physical security integrators. While there, I had the opportunity to speak with industry experts to build on my understanding of current trends. The two topics I personally found most interesting came from David Wilson, CISSP, a lawyer providing professional services relating to InfoSec liability and best practices, and Per Bjorkdahl of Axis Communications, representing ONVIF (www.onvif.org).


Cyber Event Impact

My conversation with David was fascinating and ranged across a broad array of topics, but the greatest impact came from a discussion of current Cyber vulnerability mitigation strategies. The content of our discussion prompted me to do some research online. I subscribe to a newsletter published by Information Week that I find covers important current topics relating to Cyber (www.darkreading.com). Recent articles confirmed the conversation with David at PSATec. The current thinking is to move away from prevention and towards CONTAINMENT. Here is a link to an upcoming webinar on the topic: Dark Reading Webinar. This was shocking to me. This represents a veritable open admission that Black Hat Hacking is pervasive AND attacks are inevitable! I had previously thought the threat was moving slowly to the private sector and primarily to global enterprise. This conversation blew a hole through that fantasy!

Cyber Liability

As a trained Cybersecurity professional (CISSP cert) AND lawyer, David has a fascinating perspective on Cyber liability issues. I find it interesting to watch Information Security (InfoSec) issues mature in our legal system. The path has been similar to the evolution physical security went through. Those who have been through a lawsuit know that the legal measure of culpability is tied to “reasonable” efforts at prevention and response. In the physical security realm, we have several decades of case law to define these parameters. InfoSec is too new, and the legal guidelines are still being developed today.

Defining “Basic” Cyber Prevention & Response

This is a new age of responsibility for stewardship of online data. Private enterprise will be completely liable for the resulting impact from these attacks: theft of personal data, user access to personal data, shareholder fiduciary responsibility, etc. As our legal system would, consider defining Cyber liability based on recent real attacks and the countermeasures currently being developed. David’s presentation attempted to define the current standard for “basic” Cyber attack countermeasures. Follow this link to a presentation excerpt regarding “basic” (reasonable?) Cybersecurity measures: Wilson Presentation. Please contact David via LinkedIn if you would like to explore this with him further and utilize his services.

I suggest keeping an eye on this evolving area for current protection strategies and the impact on related systems.


Cyber Standards

This is the other emerging area… certifying software, firmware and IP addressable equipment for compliance with minimum reasonable Cyber STANDARDS.

Underwriters Laboratories (UL) purchased InfoGuard, the leading company working in this discipline, last year. I thought this would be the harbinger for the evolution of such standards, with the subsequent development of UL 2900, but UL had a hiccup with the roll-out: “UL Refuses to Share Cybersecurity Standard”.

ONVIF is a consortium of 500 (or so) manufacturers attempting to voluntarily create a universally accepted standard for inter-operability in the physical security industry. This Cybersecurity presentation at PSATec was not an effort to lead, but more a cry out to the industry for leadership from an organization capable of tackling such a daunting task. In talking with Per, it appears manufacturer members are seeing this uncertainty as a revenue opportunity… individually developing commercially viable solutions for competitive advantage. I would expect nothing else. It is too much to ask for such a standard from an organization of competing companies promoting voluntary adoption.


Cyber Standards Leadership

So, I asked Per where the leadership will come from. He also did not see UL being effective in this area. His response was surprising: RSA Security! For any of you not familiar with RSA, they are the organization that came from the Black Hat / White Hat hacking community. Their primary role has been development of encryption and encryption standards. Looking at their current website, it appears they are much more now… but I have to tell you, RSA moving into the physical security industry, really?

If RSA dives into physical security, that will be the beginning of “HYPER-CONVERGENCE”. If you think technology is driving change now, wait until this happens… you won’t recognize the security industry in five years!

Challenging Times

These are exciting AND challenging times for the security industry. I wonder where these issues will take us? The change is happening SO FAST, I can’t even guess where we will be 2-3 years from now!

If you would like to discuss this, or other security topics, please contact him via LinkedIn. Also, take a look at his LinkedIn Discussion Board Security Convergence, or his Twitter feed @DLIPTech.

This site is maintained by Douglas Levin, PSP, AHC, LEED AP. It is intended to be my personal professional blog. The content reflects my personal opinions and observations regarding the Physical Security Systems industry and Technology Sectors. The opinions expressed herein reflect my personal viewpoint/ideas and do not in any way represent the position of any other person, organization or company.


Encryption – THE Constitutional Issue of Our Day


I know the majority of folks holding positions in our public legal system and in law enforcement are good people trying to do what’s right… and I badly want to believe Police Departments and District Attorneys will be responsible with their use of – and prevent public access to – seized personal information… although I can’t help but think of people in authority like (recently voted out of office) Sheriff Arpaio of Maricopa County, AZ, with little regard for personal rights and freedoms. Is skepticism healthy?

Legislating Unconstitutional Rights for Search & Seizure and the Elimination of Personal Privacy

Federal and local governments are beginning to introduce legislation to outlaw proprietary encryption. As usual, the result will be that only criminals have proprietary encryption. Hackers for hire will then build private encryption for use by criminals. My guess is someone has already developed an app capable of customizing an algorithm for individual use. These three news releases are examples of this ongoing barrage:

http://thehackernews.com/2016/04/anti-encryption-bill.html

http://thehackernews.com/2016/04/microsoft-gag-orders.html

http://thehackernews.com/2016/04/blackberry-encryption.html

The Future of the U.S. Constitution

I am not sure where all this is heading. Has fighting terrorism become the excuse for relinquishing all personal privacy? I have had this discussion with many friends and associates, and several have shot back at me: “What do you have to hide?” Nothing, but doesn’t anyone remember their U.S. history and the principles under which this country was founded? We might as well remove the 4th & 9th Amendments. I don’t know about you, but I am of the Baby-Boomer generation and we were taught at a very early age to understand and appreciate the greatness of the American ideal that founding fathers like Thomas Jefferson and James Madison put into words so eloquently. Is Mankind always destined to make the same mistakes over and over again? Our country was founded by men of vision with a passion for protecting human rights and justice. Today, it almost feels like sedition to be touting the importance of the U.S. Constitution. I see on the news too much talk of “updating” our Constitution. I don’t know whether to feel outrage, or just pity for future generations…


Innovation – Are You Listening?


What is Innovation?

Is innovation simply developing NEW products? We are told that new products are the result of the innovation process. So, how does this thinking apply to the Security Industry?

True innovation requires insight, vision and APPLICATION! It takes the insight to recognize the underlying need, the vision to imagine the solution, and the knowledge and skills to design the product(s). Think of security as securing environments, virtual and/or physical. The process should begin with recognizing evolving threats and their severity, then defining scenarios to mitigate the associated risk, before investigating a new commercially viable product. Are you asking your customers to share their concerns? Do you actively listen and bring back the market intelligence to discuss the associated business opportunities internally?

Threats Forcing Convergence

Earlier this year I attended the largest physical security trade event in the U.S., the 2016 International Security Conference West (ISC West) sponsored by the Security Industry Association (SIA). It was very well attended and I think a productive event for most vendors with a presence… but I was personally very disappointed.

In my recent experience, the security topics end-users and consultants want to discuss today are being driven by the challenges emerging from Information Security (InfoSec) concerns. The growing influence of Chief Information Officers (CIO), Chief Information Security Officers (CISO), Chief Technology Officers (CTO) and I.T. Directors is changing organizational security practice and policy. Those concerns are impacting physical security systems design and building a business case for emerging areas of convergence: Encryption, Penetration Testing and Identity Management (authentication). It is time for growing awareness to be leveraged into solutions… finding equipment, systems and the expertise to design, sell, deploy and service them.


I walked every foot of the enormous ISC West show floor and found only two manufacturers showing serious IPSec/InfoSec solutions. Internet-of-Things (IoT) devices are forcing a growing demand for products and services that address the security of data in this new network environment.

I am just one voice yelling into gale-force winds. Large companies, even when recognizing the need, find it difficult to turn on a dime and pursue emerging business opportunities like this. Honestly, in many conversations with PSP, RCDD and CISSP certified individuals recently, they were not aware of available physical security technologies to address these concerns, let alone solutions ready for deployment. I will continue to bring the message of security convergence to the different disciplines and encourage their cooperation and mutual effort to provide solutions for use in this new emerging area.

Two IPSec/InfoSec Solution Providers Showing at ISC West

Here is a quick shout-out to both Quantum Secure (www.hidglobal.com/quantum-secure) and Stratus Technologies (www.stratus.com), acknowledging their foresight to invest in their view of future convergent solutions:

  • HID Global offers Quantum Secure, a powerful identity management tool that can incorporate Active Directory (AD) integration via LDAP protocols already being used by virtually every IP data network designer. One day, AD (or something like it) will be used by ALL intelligence associated with IP Addressable appliances. The threat of unauthorized access to data networks is becoming too great a risk to ignore the need for a common identity management solution across all IP connected devices and applications.
  • Stratus Technologies has been evolving their Sightline Assure application from an industrial automation tool to an ACTIVE (not passive) network security tool. This solution includes a redundant server fail-over system for use with critical infrastructure. These types of products ensure continuous operation of critical automated systems. I have worked with solutions like this before. As interesting as it is, their real innovation comes from the associated dashboard that can be used to monitor data traffic across individual segments of the broader network. The application:
    • Think Distributed Denial of Service (DDoS) attacks, or for that matter, any unauthorized use of private network bandwidth. If you could monitor real-time fluctuations in data network traffic, set thresholds and provide alerts (text/email)… DDoS would become a thing of the past.
    • Now, let’s take this a step further… What if, upon recognizing a spike in data traffic, you could lower the available bandwidth for that network segment? Next, what if you could re-route that network segment through a virtual switch instance, segregating the traffic from other network resources and assets?
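As an added example (not code from Stratus Technologies or the Sightline Assure product), the following Python sketches the per-segment threshold logic described above: a rolling baseline per network segment and an escalation from alert to throttle to isolate. The threshold multiples, segment names and telemetry are constructed values, not vendor defaults.

```python
"""Per-segment bandwidth monitor with escalating thresholds.

Added example for the monitoring scenario described in the post; not code from
Stratus Technologies or Sightline Assure. Each network segment (VLAN, subnet,
switch port) keeps a rolling baseline of per-second byte counts, and a sample
that exceeds the baseline by a configurable multiple maps onto the three
responses the post walks through: ALERT, THROTTLE the segment, ISOLATE it.
"""
from collections import deque, namedtuple
from statistics import mean

Event = namedtuple("Event", "segment ts bytes_seen baseline ratio action")

# Escalation ladder: the highest rung whose multiple is reached wins (assumed values).
THRESHOLDS = (("ALERT", 3.0), ("THROTTLE", 6.0), ("ISOLATE", 12.0))


class SegmentMonitor:
    def __init__(self, window=10, min_samples=5, floor_bytes=1000.0):
        self.window = window            # how many normal samples form the baseline
        self.min_samples = min_samples  # learn this many before judging anything
        self.floor_bytes = floor_bytes  # quiet segments: ignore tiny absolute bursts
        self.history = {}               # segment -> deque of recent normal byte counts

    def baseline(self, segment):
        hist = self.history.get(segment)
        if not hist or len(hist) < self.min_samples:
            return None
        return mean(hist)

    def observe(self, segment, ts, nbytes):
        """Feed one sample; return an Event if it crosses a threshold, else None."""
        hist = self.history.setdefault(segment, deque(maxlen=self.window))
        base = self.baseline(segment)
        if base is None:                # still learning this segment
            hist.append(nbytes)
            return None
        ratio = nbytes / max(base, self.floor_bytes)
        action = None
        for name, mult in THRESHOLDS:
            if ratio >= mult:
                action = name
        if action is None:
            hist.append(nbytes)         # only normal traffic updates the baseline,
            return None                 # so a sustained flood cannot raise it
        return Event(segment, ts, nbytes, round(base, 1), round(ratio, 2), action)


def run(samples, monitor=None):
    """Replay (segment, ts, bytes) samples in order and collect the events raised."""
    monitor = monitor or SegmentMonitor()
    events = []
    for segment, ts, nbytes in samples:
        ev = monitor.observe(segment, ts, nbytes)
        if ev is not None:
            events.append(ev)
    return events


# Constructed telemetry: a camera VLAN that floods, an access-control VLAN that does not.
SAMPLES = [
    ("cameras-vlan20", 0, 48_000), ("cameras-vlan20", 1, 51_000),
    ("cameras-vlan20", 2, 50_000), ("cameras-vlan20", 3, 49_000),
    ("cameras-vlan20", 4, 52_000), ("cameras-vlan20", 5, 50_000),
    ("cameras-vlan20", 6, 200_000),   # 4x baseline  -> ALERT
    ("cameras-vlan20", 7, 400_000),   # 8x baseline  -> THROTTLE
    ("cameras-vlan20", 8, 800_000),   # 16x baseline -> ISOLATE
    ("cameras-vlan20", 9, 50_000),    # back to normal, no event
] + [("acs-vlan30", t, 8_000 + (t % 2) * 500) for t in range(10)]

if __name__ == "__main__":
    for ev in run(SAMPLES):
        print(f"{ev.ts:>3}s {ev.segment:15} {ev.bytes_seen:>8} B/s "
              f"({ev.ratio}x baseline {ev.baseline}) -> {ev.action}")
```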


Prepare for Identity Management in Physical Security to Change Drastically


Smartphones & Big Data

Many of our everyday online activities are leveraging authenticated digital identities, cloud data resources and mobile convenience. As all of us come to depend more on smartphone functionality (pay at the pump, ATMs, building access, network access, etc.), the digital credential and logical access via cloud apps will eventually replace the physical card.

It is easy to overlook the complexity that convenience may add to physical security planning. In the very near future, the C-Suite will demand that security professionals find strategies to allow the convenience of these new technologies, WHILE MANAGING THE SECURITY VULNERABILITY.

If you have not already begun the research into this new technology, start now:

https://www.hidglobal.com/solutions/mobile-access

Our Greatest Security Challenge

This will be the greatest challenge the security industry has faced in the last 20 years. Big Data and The Cloud will be our society’s future and the C-Suite will demand it. You think not? All of us will demand it. Whether it is employees, consumers, clients… we will all come to expect the convenience of managing/controlling both Internet-of-Things (IoT) connected devices and Cloud apps from our smartphone.

If you don’t think technology convergence is happening in the security space today, think again. Information Security (InfoSec), Network Security (IPSec) and Physical Security (PhySec) will all bleed together, because they must! In order to protect our assets (people, places, things) in this new emerging world, these disciplines will lean on each other to develop strategies that don’t exist today. I hope we are all up for the challenge and enough of us see the future to remain relevant in this changing landscape.

Why Ring the Bell Now?

After reading the article below, I decided it was time for me to emphasize this message. I didn’t think CIOs were ready to accept this technology yet and deal with the vulnerabilities it brings, but ATMs are too mainstream. The future is closer than I realized. Take a look…

https://www.yahoo.com/tech/smartphones-replace-cards-bank-machines-031358234.html


76 Percent of Organizations Breached in 2015


This figure was both a surprise… and not. The majority of cyber attacks are not reported, for good reason. It is embarrassing for private enterprise to publicly report a data security breach. There is an obvious negative impact on public opinion, shareholders, etc.

Most security directors are unaware of the pervasive cyber vulnerabilities inherent in many of the technologies they deploy. There are encryption and identity management solutions for physical security systems that can manage this risk. The need for more collaboration between Physical Security and InfoSec Consultants is very real. As related industries, we need to improve the quality of the overall solutions being offered to our end-user partners. I have listed a few important excerpts below:

From “SIA Update” dated February 22, 2016:

According to the 2016 Cyberthreat Defense Report, 76 percent of responding organizations were affected by a successful cyber attack in 2015 – up from 70 percent in 2014 and 62 percent in 2013.

Free copy of the Cyberthreat Defense Report at: Cyberthreat Report.

  • Endpoint protection revolution. For three consecutive years, respondents have expressed growing dissatisfaction with their current endpoint security defenses. This year, a whopping 86 percent have expressed their intention to replace (42 percent) or augment (44 percent) their current endpoint protections.
  • BYOD backpedaling. The percentage of organizations with active BYOD deployments has dropped for the third consecutive year – from 31 percent in 2014 to 26 percent in 2016.
  • Must-have network security investments. Next-generation firewalls are the top-ranked network security technology planned for acquisition in 2016, followed by threat intelligence services and user behavior analytics.
  • Mobile devices “still” in the crosshairs. For the second consecutive year, mobile devices are perceived as IT’s “weakest link.” In total, 65 percent of respondents witnessed an increase in mobile threats over the prior year.
  • Malware and spear-phishing continue to cause headaches. Malware and spear-phishing top the list of cyberthreats causing the greatest concern among respondents for the third consecutive year.
  • Massive exposure to SSL blind spots. Only a third of responding organizations have the tools necessary to inspect SSL-encrypted traffic for cyberthreats, revealing a gaping hole in enterprise security defenses.
  • Employees are still to blame. For the third consecutive year, low security awareness among employees tops the list of barriers to establishing effective security defenses. Survey participants are also concerned with an overwhelming volume of security event data, lack of skilled personnel, and lack of available budget.

Complete SIA Update dated February 22, 2016 at: Feb SIA Update.


The Most Basic Physical Security Vulnerability


Mechanical Key Override

I am so often amazed to see Security Integrators uninterested in the end-user/owner’s decision on how to manage a mechanical key override solution for electronic access control. This is the most severe, easily recognized vulnerability in the entire continuum of security applications. Every organization’s greatest fear and biggest dirty little secret is: Lost Masterkeys. Do security integrators factor a client’s lost masterkeys into the system design? In a career of private conversations with facilities operations teams, I can emphatically say, no one has told me they have never lost a masterkey.

Must Have / Can’t Have Dilemma

As any honest consultant will tell you, failure rates with electro-mechanical and electronic equipment are very real. Two problems arise when access control solutions fail: doors allow unauthorized access, or doors do not allow authorized access. Each is equally problematic… one for security reasons, the other for the customer inconvenience. In my experience, at least a third of access controlled doors in the U.S. are not designed with fail-secure applications (mag locks), and if you install battery back-up, do the batteries get inspected regularly? The second scenario may be worse: Door Forced. So what does the industry do? Deploy the generally accepted emergency solution: mechanical key override. Here is the head-scratcher: when locksmiths are left on their own, these cylinders are KEYED INTO existing systems, rather than keyed differently – adding all the vulnerabilities that come with it.

How Old is Pin Tumbler Technology?

Pin tumbler cylinders were invented approximately 160 years ago. So, even when working with the most recent access control solutions, we are still depending on the performance of a 19th Century technology to deter unauthorized access. That vulnerability is not strictly defined as a professional criminal picking the cylinder. Today, any kid with two photos of a key (patented keyways too), a CAD program and a cheap 3D printer can duplicate a key.

Depending on 160 Year Old Tech, IS there an Answer?

There is a new generation of “key” technology today. The “key” here (pun intended) is an electronic format with a loaded credential carrying an authenticated “digital identity” within. This technology has been kicking around for about 10 years in the banking, retail and municipal sectors, but has only been introduced to the broader security market in the last few years. These electronic credentials are managed by self-hosted or cloud-hosted software in a central server based environment. This IS the next generation in “key” control. A battery in the key is charged weekly and provides power to the credential (key) and electronic cylinder (when inserted). There is a mobile programming device that is capable of pairing via Bluetooth to your cell-connected smart phone, loading/updating credentials and user permissions in real time to/from the server. The solution includes audit trail capability for both key and cylinder, but also has more advanced features such as expiration of keys and the ability to re-key entire buildings at no cost. Interestingly enough, discussions have begun to integrate these solutions with major access control software, so key management can be integrated into identity management. What a powerful combination!


This is NOT Traditional Electronic Access Control!

While there are features in common, the real value becomes clear as the next generation of key control. I have seen it used as an access control solution, but in that application it offers a limited feature set, primarily: electronic credential management, schedules and audit trail. Just as a quick measure, the solution is roughly 1/5 to 1/10 the cost of traditional card access control per opening.

Risk Mitigation

Traditional key management touches so many roles: property managers, facilities managers, security managers and yes, risk managers. Now that current technology options exist for key control, those responsible for risk management should be looking at this type of solution long and hard. If we stop sweeping under the rug the issue of lost master keys and the high probability of the associated vulnerability it represents, the ROI becomes VERY clear. At a minimum, this tech makes sense for all exterior doors. Common locksmith practice is to key exterior doors separately, because of the probability of lost key events. Instead of the mechanical interim solution, deploy something more permanent and eliminate recurring re-keying costs.


Reality Check: Critical Info Transmitted via Simple Bit Data?


What Information Should We Trust?

In business meetings recently, the issue of data encryption arose and it jolted me back to reality. Most physical security professionals seem to think Information Security (InfoSec) – IS ONLY – IP Security (IPSec). Everyone wants to discuss data security issues related to IP Infrastructure. That is the MORE secure data infrastructure associated with Physical Protection Systems today and needs only minor attention.

In Wiegand We Trust?

Too many professionals today think only in terms of secure data transmission from the controller to the server, but the greatest vulnerability is actually from the reader to the controller! Two copper conductors (+ground) carry bit format identity data (Wiegand) from the reader to the controller in what must be over 90% of currently installed private sector systems. When I explain this to security engineers, they look at me like I am from another galaxy, far, far away (are the Star Wars references getting old?)… but then for some it dawns on them… and I get the question: what are my options?

Encrypted IP Data from the Card Reader?

Several companies already have products offering IP Data solutions, but the breadth of the available product is limited. As a result, all the major security software developers are moving toward an encrypted serial data protocol that I have mentioned on this blog before: Open Supervised Device Protocol (OSDP). It definitely has its advantages over Wiegand… but I must ask, what the heck is the industry doing?
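As an added example that is not part of the post, the following Python decodes the 26-bit Wiegand frame discussed above to make the point concrete (the identity is readable in the clear and the controller can only check parity), and contrasts it with an illustrative authenticated challenge-response link of the kind an encrypted reader-to-controller protocol provides. The AuthenticatedLink design, its key handling and the credential values are assumptions for illustration, not the OSDP secure channel.

```python
"""26-bit Wiegand frame decoder, plus what an authenticated reader link adds.

Added example, not from the post or any vendor. The layout is the common 26-bit
format: bit 0 is even parity over bits 1-12, bits 1-8 the facility code,
bits 9-24 the card number, bit 25 odd parity over bits 13-24. Parity only catches
line noise: whoever can observe the two data conductors reads the identity as-is,
and nothing in the frame ties it to this reader, this moment or a shared secret.
AuthenticatedLink is a hypothetical challenge-response design (not the OSDP
secure channel) showing the properties an encrypted serial protocol provides.
"""
import hashlib
import hmac
import os


def wiegand26_encode(facility: int, card: int) -> str:
    """Build the 26 data bits a reader would clock out for this credential."""
    if not (0 <= facility < 256 and 0 <= card < 65536):
        raise ValueError("facility is 8 bits, card number is 16 bits")
    payload = f"{facility:08b}{card:016b}"
    even = payload[:12].count("1") % 2        # even parity over first 12 payload bits
    odd = 1 - payload[12:].count("1") % 2     # odd parity over last 12 payload bits
    return f"{even}{payload}{odd}"


def wiegand26_decode(bits: str) -> dict:
    """Recover facility code and card number from the wire bits; flag parity errors."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected a 26-character string of 0/1")
    payload = bits[1:25]
    even_ok = (int(bits[0]) + payload[:12].count("1")) % 2 == 0
    odd_ok = (payload[12:].count("1") + int(bits[25])) % 2 == 1
    return {"facility": int(payload[:8], 2),
            "card": int(payload[8:], 2),
            "parity_ok": even_ok and odd_ok}


def wiegand_controller_accept(bits: str) -> bool:
    """A plain Wiegand controller can only check parity: any well-formed frame that
    arrives on the wire is accepted, regardless of where or when it originated."""
    try:
        return wiegand26_decode(bits)["parity_ok"]
    except ValueError:
        return False


class AuthenticatedLink:
    """Controller issues a fresh nonce per read; the reader answers with an HMAC over
    nonce + frame under a per-reader key. Hypothetical design, for contrast only."""

    def __init__(self, key: bytes):
        self.key = key
        self.outstanding = set()        # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        nonce = os.urandom(8)
        self.outstanding.add(nonce)
        return nonce

    def reader_respond(self, nonce: bytes, bits: str) -> bytes:
        return hmac.new(self.key, nonce + bits.encode(), hashlib.sha256).digest()

    def controller_accept(self, nonce: bytes, bits: str, tag: bytes) -> bool:
        if nonce not in self.outstanding:          # not our challenge, or already used
            return False
        expected = self.reader_respond(nonce, bits)
        if not hmac.compare_digest(expected, tag):  # wrong key or altered frame
            return False
        self.outstanding.discard(nonce)             # consume: valid exactly once
        return wiegand_controller_accept(bits)


if __name__ == "__main__":
    frame = wiegand26_encode(123, 45678)            # constructed credential
    print("wire bits:", frame, "->", wiegand26_decode(frame))
    print("plain Wiegand accepts the same bits again:", wiegand_controller_accept(frame))
    link = AuthenticatedLink(os.urandom(16))
    nonce = link.challenge()
    tag = link.reader_respond(nonce, frame)
    print("authenticated link, first use:", link.controller_accept(nonce, frame, tag))
    print("authenticated link, second use:", link.controller_accept(nonce, frame, tag))
```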

Encrypted Serial Data Preferred Over Encrypted IP?

Do we in the security industry truly believe we are doing the end-user community a service by introducing a decades old technology that will need to be replaced in 5-10 years? Yes, I understand the idea of isolating data AWAY from the vulnerabilities of the LAN/WAN infrastructure, but do we really believe system specific serial networks will be the future of security systems?

Information & Data Security FINALLY Addressed in Physical Security

OK, I am very happy to see Physical Security equipment manufacturers finally understanding the horror seen in an I.T. Director’s eyes when they are first told your IP Controllers will be installed on THEIR network. None of us can afford to be disengaged from this discussion. Card Access and Intrusion design must express as much concern for data security, as physical deterrence features. OSDP is being introduced to address this concern.

SMART Technology Investment

Security Directors, consider this topic carefully, especially those of you collaborating with I.T. Directors… If we all agree that data vulnerabilities should be addressed and funding has been allocated to mitigate the risk, shouldn’t you be investing in the latest technologies? IP Data via LAN/WAN Infrastructure CAN be secure, if it is designed properly. If your technology partners do not offer solutions that can provide this, apply pressure for them to develop it. IP-Based Technology AND Solutions have been available for years now.


Maintaining Relevance in a Dynamic Landscape


Now, there’s the rub! Is the consultant addressing topics relevant to the client’s perceived need, or just addressing his/her area of expertise?

We live in a world where organizations face a diverse array of threats. The daunting task of the Security discipline is assessing the associated risk and prioritizing limited resources to address mitigation. During the discovery process, sometimes I can see clients running through the inventory in their heads… controlled access, monitored access/intrusion, forensic or active video surveillance, hardening networks, improving identity management, information security (etc.). The validity of such an assessment depends heavily on understanding the values and mission of an organization. Protecting assets can take many forms: human, equipment, financial and intellectual resources, even a company’s reputation.

How does a prospective client determine which potential partner can provide the greatest value in addressing their needs?

The key deciding factor should be a demonstrable understanding of the unique environment in which each organization operates and the challenges faced. As specific expertise seems to be required, the understanding narrows to smaller and smaller subsets of potential threats… and relevance slowly diminishes.

Maintaining Relevance

The majority of end-users depend on their partners (consultants/contractors) to help them understand their vulnerabilities and address them effectively. In a security continuum where there are so many competing messages, most value propositions tend to become garbled and difficult to evaluate. Let’s look at perceived value as defined for a few different disciplines:

Physical Security

Dealing with theft, external and internal violence, unauthorized access to critical areas, vandalism (etc.), a physical security focus brings the tried and true principles of detect, delay and deter. There tend to be numerous vulnerabilities in this category that require experience and training to address. Designing site, building perimeter and interior security solutions is complex and difficult to perform effectively, requiring years of experience with cameras, sensors, reader technologies and their integration.

Identity Management

In my opinion, this is a category unto itself. I have run into very few physical security professionals that understand this discipline well. Identity management is NOT printing a photo on an access control badge. It represents using Active Directory Services to achieve authentication in BOTH LAN/WAN/Cloud data communication and Physical Protection System (PPS) environments.

Hardening Networks

Encryption, Encryption, Encryption. Why are IP networks fully encrypted, while access and intrusion monitoring data infrastructure is not? Food for thought: 128-bit AES encryption is not the highest order of encryption… Is physical access to switches and servers strictly controlled?

Information Security

I am now being asked, “do software apps managing access control use open source code?” Do IP edge devices (controllers, cameras, etc.) have protection schemes for Denial of Service (DoS & DDoS) attacks? Does all data communication utilize password-protected encryption keys? Is dual authentication available? Can credential technology support network identity management? There is an answer for each of these questions in both network and application environments. Let’s get engaged and begin the discussion…

Relevance is TEAMWORK!

The most difficult transition I had to make in my long career was moving from an individual to a team performance focus (topic for another article). The complexity of leading technologies, latest software and evolving threats demands specialists able to address these areas both individually and together. Any one person working independently is unlikely to grasp the entire picture. The answer is to bring together a team with a basic understanding of these disciplines, capable of coordinating design and deployment to deliver the best solutions addressing the client’s broader needs.

So, which discipline offers the greatest security value? None individually… the best risk mitigation will always come from effective multi-discipline teams!


Security Automation: Responding to Disruptive Technology


Is this War, or an Opportunity?

After taking a short few weeks to investigate the InfoSec space and speak with several ISC2 certified CISSPs… it would appear the convergence and overlap of Data and Physical Security is creating misconceptions regarding roles for effective protection of assets. A few gentlemen I spoke with felt Physical Security is merely a subset of the much broader Information Security category. The comment really had me thinking. This perception must certainly be caused by poor communication between the two disciplines.

How do we fix this?

Demand for convergence is so high with end-users that InfoSec needs are starting to drive Physical Security requirements. As Physical Security Professionals, if we don’t start embracing this trend, the new CISO executives will become THE “C” suite security officers.

As I begin to engage both sides of this debate, I sense both curiosity and competitiveness emerging. On the ISC2 side, some have expressed the belief they are better prepared and uniquely qualified to handle BOTH Information AND Physical Security management, planning, design, etc… The InfoSec world is very aware of Physical Security, while I find the reverse is not necessarily true. On the ASIS (American Society for Industrial Security) side, InfoSec is being seen as a parallel industry, with little impact on our disciplines and trades. Neither of these viewpoints is close to the truth. Successful people are bound to tap into their competitive nature and whether this translates into a perceived advantage, or ignoring the convergence… this is the wrong track. I have been sharing a message for all who would hear for a year now… the bright new future will require both disciplines in cooperation, to properly deploy security plans/systems.

Embracing the “Dark Side”

Okay, so maybe the title is a cheap “Star Wars” rip-off, but it truly represents the challenge. In the recent years of IP video cameras, most traditional security contractors struggle with LAN/WAN connectivity and data security. Typical proposals exclude any associated impact on network infrastructure. In the past three years, I have heard it said to the end-user so many times my head hurts: “the connection to the network is not my problem.” Conversely, I am also tired of the I.T. Director telling me: “you will not put that cr@p on my network!” This has to be a two-way street. For effective protection of assets, the answer should come from both sides embracing each other’s world and finding the compromise somewhere in the middle.

Compete with InfoSec and I.T., or Partner?

Choosing ignorance and denial and competing with cabling/network contractors and InfoSec consultants will not be a successful strategy in the long run. LAN/WAN/Cloud is here now and is the data solution of choice for the private sector. It is clear the best answer will come from education. ASIS and ISC2 should be pursuing an industry alliance. We need to look at each other’s value and find where they complement each other in the planning and successful deployment of systems.

Defining Roles and Examining Cooperation

In the future, I will attempt to examine what that cooperation might look like and how to define and separate roles. I will attempt to look at this from both sides and find the path to the middle. I am looking forward to the challenge and I hope to learn much along the way.


Security Fears vs. Awareness


I had an interesting conversation last year with a Data Security Consultant, Mark Turturo, CISSP. I have been working since then to better understand the mission of these professionals and their relevance to the physical security specialist. I operate in a business community dominated by ASIS certified CPPs and PSPs and BICSI certified RCDDs. There has been slow progress, but I am coming to understand how an ISC2 certified CISSP can impact security design and the role they play in vulnerability and risk assessment.

Examining Related Industries

I have spent an entire career learning how to design and deploy solutions that Deter, Delay and/or Detect physical access to a site, or building. What I have come to learn is this is only the beginning in the bigger picture…

In a Physical Protection System design capacity, I rarely thought to assess vulnerabilities introduced by the data infrastructure, or the software application(s) supporting its functionality. The CISSP offers a perspective that evaluates these concerns and more. I spent 90 minutes discussing securing source code, data encryption formats and not just identity verification, but data source authentication. My head was spinning! Previously, my design concerns were focused on better integration and interoperability, and now I realize these are just a few of the coming challenges we will be facing.

This category of consultant pulls back the curtain and questions the secure nature of the platforms we physical security professionals regularly deploy without question. This idea of software and networks having a “back door” is scary stuff! I typically think of my greatest challenge as asset protection, but without data security ensuring the integrity of these systems… it all becomes irrelevant.

Fear Versus Awareness

Mark and I worked our way through data security concerns such as hackers capitalizing on network vulnerabilities and malicious code in firmware and drivers, in addition to core applications. My first thought as I was listening to Mark was, “this is too advanced for the average end-user”, but I am learning these attacks are becoming a common occurrence. As I evaluate the importance of the contribution offered to systems design by the information security consultant, it is becoming clearer… the physical security industry should be keenly aware of the influence this other discipline is having on our common clientele. The typical security contractor still regularly deploys old card access credential technologies where digital identities can be cloned and data transmission can be simply intercepted to spoof credentials. There are technologies available today to eliminate these vulnerabilities… why isn’t the physical security community discussing these issues with clients? I understand these topics can cause fear in the user community, but isn’t it our responsibility to provide proper advice regarding the entire spectrum of risk and liability? If this does not become part of a physical security consultant’s repertoire… our relevance will be put into question. Here is a great example… McAfee produced a white paper on Proximity Card vulnerabilities at: McAfee White Paper. Why does McAfee (an anti-virus developer) feel the need to be evaluating physical security credential technology?

Where Next?

I will be making this education a priority in coming months. I am hoping to have my employer authorize trips to events such as: RSA Conference, BlackHat Briefings and ISC2 Secure Events. I will be reaching out to more data security professionals and searching for convergence in our disciplines… actively looking for areas we can find partnership in adding value for our common clients. It is my hope that strategic alliances will bring these two perspectives together.

A BIG thank you to Mark Turturo for a beginning education into his world! Douglas Levin is a consultant employed by ASSA ABLOY.
