miércoles, 1 diciembre 2021
Visitas totales a la web: 87059501

El portal de los profesionales de seguridad y emergencias

Nº 1 del mundo en español en seguridad global

Soluciones de seguridad global

Three Cybersecurity Risk Issues to Consider with Surveillance System

Elisa Costante is vice president of research at Forescout Technologies, Inc.

Connected physical security equipment, like networked surveillance cameras and smart access control systems, offer many advantages for facility and safety managers responsible for securing the premises of retail, industrial, government, and other organizations. Integrated IP-video recording systems with cloud-based recording and administration features are popular among users with little time to purchase and integrate different camera, cabling, and video storage hardware.

Research on this physical security slice of the Internet of Things (IoT) device market and real world events, however, show adoption of these systems introduces complex cyber risk issues.

In 2020, our Forescout Research Labs team set out to identify the top 10 riskiest IoT devices as part of an exhaustive study analyzing 8 million devices across more than 500 enterprise deployments. We looked at factors like the frequency and severity of vulnerabilities discovered in these platforms and unique risks posed by where and how they are typically installed. Physical access control systems were the riskiest class of devices. Building HVAC systems came in second, and connected camera systems came in third. The fact that in-demand physical security and camera systems claimed two of the top three categories shows the scale and stakes of cyber risk management around these systems.

These risks must be assessed and handled jointly, typically by otherwise very different teams focused on the safety of employees and facilities versus the security of corporate networks and data. Here are a few crucial principles to bear in mind.


A well-managed deployment is a secure deployment.


Who Will Own the Devices—and Their Attack Surface?

Physical and cybersecurity professionals need to collaborate more than ever because they are both accustomed to the relentless change and consequences of risks to business operations, particularly more than a year into the COVID-19 pandemic.

Connected cameras are a great example of where these worlds collide. A facility manager might have the authority to evaluate, purchase, and deploy cameras—working almost exclusively with the camera vendor to take delivery of the devices, install them via Wi-Fi on the network, and set-up credentials to remotely administer the system’s footage and recordings.

While this sounds like an isolated project, in reality each of those cameras add new computing devices to the network with their own operating system, IP stack, and other software features. Any of these can contain vulnerabilities or otherwise expand the total digital attack surface falling under cybersecurity teams’ responsibility.

A well-managed deployment is a secure deployment, so establish up-front who is responsible for data and imagery these devices gather, versus their security footprint. In practice, this means physical and cybersecurity teams identifying where cameras will be physically be installed and ensuring they have a grasp of which networks the cameras will need to access as part of the deployment. It is important to make sure network segmentation is in place isolating cameras and other IoT devices away from more sensitive facility equipment and IT assets.  

Keep an Eye on Third-Party Risk

Today, the reality with connected cameras and other physical security controls is you are seldom buying just a camera, badge reader, metal detector, or other hardware. There is usually a private cloud or other networked function embedded by the equipment’s manufacturer. Sometimes, this connectivity is an active feature set—like the ability to view and manage devices on the fly from a mobile app. Other times, connectivity is more hidden. A vendor may require the device to access the Internet through your network for things like warranty eligibility or product updates.

The common denominator is you end up opening your network to an entire third-party ecosystem, whether you realize it or not. Users ignore this risk at their peril; it cannot go unmanaged.

In the case of the recent Verkada camera breach, for example, an intruder was able to obtain login credentials that let them access Verkada’s independent back-end cloud platform. This, in turn, meant the intruder could peer into the video feeds of numerous Verkada camera systems deployed around the world—unbeknownst to those customers.


Users ignore this risk at their peril; it cannot go unmanaged.


Verkada is simply one high-profile case. These types of cloud-powered camera systems are used everywhere and have clear deployment, usability, and performance advantages. Do not lose sight of the fact that you inherently shoulder increased third-party risk when you bring service providers on your network, meaning you need to understand how you and the vendor will handle things like credentials and data storage.

Lea aquí el documento completo

Fecha de publicaciónjunio 01, 2021

BELT.ES no se hace responsable de las opiniones de los artículos reproducidos en nuestra Revista de Prensa, ni hace necesariamente suyas las opiniones y criterios expresados. La difusión de la información reproducida se realiza sin fines comerciales. 

Listado de Expertos

Recomendado

Profesión militar: Obediencia debida frente a la obligación de disentir

Con ocasión de la realización de estudios en el Instituto Universitario Gutiérrez Mellado tuve la ocasión de leer y analizar una serie de documentos de opinión que trataban en profundidad las diferentes facetas presentes en el campo de las relaciones cívico-militares; temas que , habitualmente, no han estado presentes en los diferentes cursos y actividades formativas en la enseñanza militar, ni, por supuesto, en la civil.

El amor de Macarena Olona por la Guardia Civil empieza por su pareja, un joven oficial condecorado

El padre de su hijo llegó a la Benemérita como militar de carrera y, los que le...

El paracaidista español que humilló a los «temibles» espías soviéticos

Joaquín Madolell, natural de Melilla y militar del Ejército del Aire, desarticuló la mayor red del espionaje...

Últimas noticias

Guerra fría: Una guía fascinante de la guerra de Corea y la guerra de Vietnam

La Guerra de Corea: Una Guía Fascinante de la Historia de la Guerra de CoreaLa Guerra de...

Sí, las matemáticas resuelven problemas reales y estos son algunos ejemplos

La modelización matemática es útil en múltiples aplicaciones, entre ellas controlar un incendio. Uno de los objetivos que tenemos...

Así es el duro entrenamiento militar de Elisabeth de Bélgica, ¿para cuando el de Leonor?

A sus 19 años, la joven ha sido la primera heredera de su generación en someterse a una entrenamiento similar.

¿Qué es el Plan Interior Marítimo?

Conoce las características esenciales de los planes que deben tener empresas y autoridades portuarias frente a la contaminación medioambiental marina.

Manual de ciberinvestigación en fuentes abiertas: OSINT para analistas

OSINT y ciberinvestigación. Arriesgar con dos términos tan populares y sobreutilizados para los títulos de este libro no es casualidad. Pese a...