How to select a cyber-responsible access control vendor? We provide a strong system hardening vendor checklist.
More and more, security devices are connected to the Internet and are subject to various types of cyberattacks and threats. As such, the end user should select products that are hardened and secure. Identifying a cyber-responsible vendor with a good track record in providing such products, then, becomes important for systems integrators (SIs) and users.
Being networked equipment, security solutions such as video surveillance and access control systems are equally as vulnerable to cyberattacks as other devices on the Internet. Trend Micro, for example, has said it blocked more than five million cyberattacks against IP cameras over a five-month period. According to the Unit 42 IoT Threat Report for 2020, security cameras make up only 5 percent of enterprise IoT devices, but they account for 33 percent of all security issues.
To ensure cybersecurity, security vendors engage in system hardening to protect products from hacking. It’s imperative, then, for end users and SIs to get their products from cyber-responsible security vendors. “It’s not enough that products are aesthetically pleasing and intuitive to use – products should be assessed for in-built defensive qualities within even the smallest parts of a system,” said Steve Bell, Chief Technology Officer of Gallagher
So how should the end user identify a cyber-responsible security vendor? According to Bell, a strong cyber vendor is one who:
• Designs cyber protective measures into all parts of their system – this entails defense in depth, or having layers of security and being diligent on each layer to ensure it is as strong as possible; and enforcing least privilege, where any person or device should only have enough privilege to interact with the system that is required to complete the required actions, as any extra privilege may allow an attacker to take advantage of some other weakness that gives them control of another part of a system.
• Aspires to meet robust credential standards, such as MIFARE DESFire EV2 and the FIDO Alliance specifications.
• Has empathy for the IT security professional with a security hardening guide, allowing them to mitigate risks they deem important.
• Undertakes regular internal and external penetration testing to ensure solutions are hardened and secure.
• Aspires to be a CVE Numbering Authority, which grants the authority to publish security vulnerabilities identified within their own product suite.
• Offers a security health check to assist sites with identifying and responding to any vulnerabilities.
• Offers a business integrated security solution that goes beyond opening and closing doors. “While not exclusively related to being a cyber-responsible vendor, as a physical security system provider we believe that there are additional functions that can be added to the physical security infrastructure installed on customers’ sites,” Bell said. “The business integrated solutions include visitor management, locker management, carpark / parking lot management and competency management.”
A checklist on what the end user can do
It should be noted that the hardening of a cyber-secure security system is not a one-way street. In addition to vendors putting secure features in their products, there are things the end user can do to ensure the cybersecurity of their security system. Bell lists them as follows:
- Make sure that all operating systems are kept patched.
- If the security system has released some security updates, then they should be installed.
- Provide security awareness communication to the entire staff regarding using access cards at all doors. For example, be aware of strangers following you in when you open the door.
- Check that security system operators are all using their own login, have only their own access privileges, and changes are logged against the person that made them.
- Review how an operator checks who is asking for an action to be performed before doing it. For example, when somebody rings to ask the operator to open the loading dock door, how do they verify the request came from the supervisor?
- Review the use of various card technologies. 125Khz cards and MIFARE Classic cards are easily copied. “We know of an example of a Year 9 (approximately 13-year-old) student at a school making a copy of a teacher’s MIFARE Classic card,” Bell said.
Working together to ensure cybersecurity
With IoT, end users are faced with cyber threats that are bigger than ever; the current pandemic leaving employees across the globe working remotely has also heightened threats against company networks and assets. Against this backdrop, choosing a respected and responsible security vendor with a deep commitment to cybersecurity has become key for SIs and end users. The end user can also equip themselves with good cybersecurity knowledge. Only through vendors’ secure products and users’ best practices can the cybersecurity of a security system be kept at an optimal level.