Three Cybersecurity Risk Issues to Consider with Surveillance Systems

Elisa Costante is vice president of research at Forescout Technologies, Inc.

Connected physical security equipment, like networked surveillance cameras and smart access control systems, offers many advantages for facility and safety managers responsible for securing the premises of retail, industrial, government, and other organizations. Integrated IP-video recording systems with cloud-based recording and administration features are popular among users with little time to purchase and integrate different camera, cabling, and video storage hardware.

Research on this physical security slice of the Internet of Things (IoT) device market and real-world events, however, show that adoption of these systems introduces complex cyber risk issues.

In 2020, our Forescout Research Labs team set out to identify the top 10 riskiest IoT devices as part of an exhaustive study analyzing 8 million devices across more than 500 enterprise deployments. We looked at factors like the frequency and severity of vulnerabilities discovered in these platforms and unique risks posed by where and how they are typically installed. Physical access control systems were the riskiest class of devices. Building HVAC systems came in second, and connected camera systems came in third. The fact that in-demand physical security and camera systems claimed two of the top three categories shows the scale and stakes of cyber risk management around these systems.

These risks must be assessed and handled jointly, typically by otherwise very different teams focused on the safety of employees and facilities versus the security of corporate networks and data. Here are a few crucial principles to bear in mind.

Who Will Own the Devices—and Their Attack Surface?

Physical and cybersecurity professionals need to collaborate more than ever because they are both accustomed to the relentless change and consequences of risks to business operations, particularly more than a year into the COVID-19 pandemic.

Connected cameras are a great example of where these worlds collide. A facility manager might have the authority to evaluate, purchase, and deploy cameras—working almost exclusively with the camera vendor to take delivery of the devices, install them via Wi-Fi on the network, and set up credentials to remotely administer the system’s footage and recordings.

While this sounds like an isolated project, in reality each of those cameras adds a new computing device to the network with its own operating system, IP stack, and other software features. Any of these can contain vulnerabilities or otherwise expand the total digital attack surface falling under cybersecurity teams’ responsibility.

A well-managed deployment is a secure deployment, so establish up front who is responsible for the data and imagery these devices gather, versus their security footprint. In practice, this means physical and cybersecurity teams identifying where cameras will be physically installed and ensuring they have a grasp of which networks the cameras will need to access as part of the deployment. It is important to make sure network segmentation is in place, isolating cameras and other IoT devices from more sensitive facility equipment and IT assets.

Keep an Eye on Third-Party Risk

Today, the reality with connected cameras and other physical security controls is you are seldom buying just a camera, badge reader, metal detector, or other hardware. There is usually a private cloud or other networked function embedded by the equipment’s manufacturer. Sometimes, this connectivity is an active feature set—like the ability to view and manage devices on the fly from a mobile app. Other times, connectivity is more hidden. A vendor may require the device to access the Internet through your network for things like warranty eligibility or product updates.

The common denominator is you end up opening your network to an entire third-party ecosystem, whether you realize it or not. Users ignore this risk at their peril; it cannot go unmanaged.

In the case of the recent Verkada camera breach, for example, an intruder was able to obtain login credentials that let them access Verkada’s independent back-end cloud platform. This, in turn, meant the intruder could peer into the video feeds of numerous Verkada camera systems deployed around the world—unbeknownst to those customers.

Verkada is simply one high-profile case. These types of cloud-powered camera systems are used everywhere and have clear deployment, usability, and performance advantages. Do not lose sight of the fact that you inherently shoulder increased third-party risk when you bring service providers on your network, meaning you need to understand how you and the vendor will handle things like credentials and data storage.

Publication date: June 01, 2021
