December 11, 2018

Questions to Ask Your Potential Security Company About Internet Connected Access Control/surveillance Systems

Many security systems are installed on business networks by electricians and security installers who have little knowledge of, or experience with, how the system will affect the business's network and the systems on it once it is installed.

Many of these devices may very well poke holes in a client’s network systems that can allow a cybercriminal unfettered access to the data environment.

With attacks on business information systems increasing every year, it is more critical than ever that the security firm you plan to hire understands the basic data security practices that apply to the product it installs. If they do not understand the ramifications, your business data and systems may be exposed to cybercriminals without your knowledge.

How does a Router differ from a Network Security Appliance (UTM)?
A router (and the basic firewall built into most business routers) forwards packets between networks and filters them on addresses, ports and connection state. A Unified Threat Management (UTM) appliance is a firewall with additional inspection functions layered on top: gateway antivirus, network intrusion prevention, web and application filtering, data leak prevention, and centralized logging and reporting; many models can also balance traffic across multiple internet links. Both sit at the network edge, but a plain router only controls which connections are allowed, whereas a UTM also inspects the contents of the traffic it allows. No appliance stops every threat, so a UTM complements, rather than replaces, network segmentation and sound device configuration.

Do you understand network segmentation?
Network segmentation is the practice of splitting a computer network into subnetworks, each being a network segment. It improves performance and, more importantly here, security. Segmentation is especially critical when placing an IoT device such as a camera, recorder or door controller on a business network: it isolates those vulnerable systems from the data environment, so that a cybercriminal who compromises one of them cannot reach protected data from it.

Do you know what a VLAN is?
A VLAN (virtual LAN) lets a single physical switch carry several logically separate networks. VLANs provide ease of administration, confinement of broadcast domains, reduced broadcast traffic, and a place to enforce security policy. VLANs are the usual building block for network segmentation, and managed (often marketed as "smart") network switches provide them; an unmanaged switch does not. The VLANs still need a firewall or router between them to control which traffic may cross from one segment to another.
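As an added example (not code from the original article or from Keystone), the following script models the segmentation described in the two sections above, so the inter-VLAN rules can be sanity-checked before they are typed into a real firewall. The VLAN numbers, subnets, device addresses and port numbers are assumptions chosen for illustration; the point is the shape of the policy: cameras talk only to the recorder, the recorder is the only thing staff and the internet touch, everything else is denied.

```python
"""Added example: a first-match, default-deny model of an inter-VLAN policy
for a camera / access-control deployment.  Subnets and ports are assumptions."""
import ipaddress

# Assumed VLAN layout: one segment per role, carried on a managed switch.
VLANS = {
    "cde":      ipaddress.ip_network("10.0.10.0/24"),  # POS / cardholder data environment
    "cameras":  ipaddress.ip_network("10.0.20.0/24"),  # IP cameras, door controllers
    "nvr":      ipaddress.ip_network("10.0.21.0/24"),  # recorder / video management server
    "office":   ipaddress.ip_network("10.0.30.0/24"),  # staff workstations
    "internet": ipaddress.ip_network("0.0.0.0/0"),     # catch-all for everything else
}

# Assumed inter-VLAN firewall policy: (src_vlan, dst_vlan, allowed dst ports).
# Evaluated first match wins; anything not listed is denied.
RULES = [
    ("nvr",    "cameras",  {554, 80, 443}),  # recorder pulls RTSP/HTTP(S) from cameras
    ("office", "nvr",      {443}),           # staff view video through the VMS web UI only
    ("nvr",    "internet", {443}),           # recorder fetches firmware over HTTPS only
]


def vlan_of(ip):
    """Return the most specific VLAN containing ip (the /0 catch-all is 'internet')."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, net in VLANS.items():
        if addr in net and (best is None or net.prefixlen > VLANS[best].prefixlen):
            best = name
    return best


def allowed(src_ip, dst_ip, dst_port):
    """True if the policy permits a new connection src -> dst:dst_port."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src == dst:                      # same VLAN: switched locally, never hits the firewall
        return True
    for rule_src, rule_dst, ports in RULES:
        if rule_src == src and rule_dst == dst and dst_port in ports:
            return True
    return False                        # default deny


def check_isolation():
    """The properties segmentation is supposed to give us; every value should be True."""
    return {
        "camera_cannot_reach_cde":      not allowed("10.0.20.15", "10.0.10.7", 445),
        "camera_cannot_call_out":       not allowed("10.0.20.15", "203.0.113.9", 443),
        "internet_cannot_reach_camera": not allowed("203.0.113.9", "10.0.20.15", 80),
        "office_cannot_reach_camera":   not allowed("10.0.30.40", "10.0.20.15", 80),
        "nvr_can_pull_video":           allowed("10.0.21.5", "10.0.20.15", 554),
        "office_can_view_video":        allowed("10.0.30.40", "10.0.21.5", 443),
    }


if __name__ == "__main__":
    for name, ok in check_isolation().items():
        print(f"{name}: {'OK' if ok else 'FAIL'}")
```

The "camera_cannot_call_out" check is the one most installers skip: a camera that can open outbound connections to arbitrary internet hosts can be remotely controlled once compromised, even if nothing can reach it inbound.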

How do you plan on protecting my new security system from cyber criminals?
Make sure passwords are as complex as possible. While this may seem like common sense to many IT professionals, it is important to note that some IoT devices ship with vendor-supplied default passwords, used to configure the device initially, that are difficult or impossible to change.

Cybercriminals know what those default passwords are and use them to take control of the device. Passwords are often the weakest link in a network, and every device and system should use unique, complex passwords to prevent easy access.

Have you checked the system you propose against the CVE list and the National Vulnerability Database (NVD)?
CVE (Common Vulnerabilities and Exposures) is a program launched in 1999 by MITRE and sponsored by the US Department of Homeland Security to identify and catalog publicly known vulnerabilities in software and hardware. It is a free "dictionary" whose main purpose is to standardize the way each known vulnerability or exposure is identified, so that one CVE ID refers to the same issue across every vendor, scanner and advisory. The National Vulnerability Database (NVD), operated by NIST, builds on the CVE list by adding severity scores (CVSS), identifiers for the affected products and versions (CPE), and references to fixes. Together they let security, network and IT professionals look up a specific vulnerability, see which products and versions it affects, and find out how to address it. Surveillance recorders, cameras, access control controllers and their management software are listed in these databases like any other product, and any installation company should know how to check them before proposing and installing a system, to minimize cybercriminal access to a customer's data network.
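As an added example (not code from the original article or from Keystone), the script below shows what such a check actually involves: NVD records list affected products as CPE names with version ranges, so "is my camera firmware affected?" is a version-range comparison, not a keyword search. The record embedded in the script is constructed for illustration; the ID CVE-0000-0000 and the vendor "examplecam" are placeholders and do not refer to any real vulnerability or product. Only the URL builder refers to the real NVD API endpoint, and the script never contacts it, so it runs offline.

```python
"""Added example: match a device's firmware version against the CPE version
ranges in an NVD CVE API 2.0 record.  The record is CONSTRUCTED placeholder data."""
import json
from urllib.parse import urlencode

NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"


def nvd_query_url(cpe_name):
    """URL asking NVD for every CVE whose configurations match one CPE name."""
    return NVD_API + "?" + urlencode({"cpeName": cpe_name})


# Constructed sample in the shape of a real API response
# (vulnerabilities -> cve -> configurations -> nodes -> cpeMatch).  Not real data.
SAMPLE_RESPONSE = json.loads("""
{"vulnerabilities": [{"cve": {
  "id": "CVE-0000-0000",
  "descriptions": [{"lang": "en", "value": "Placeholder: example camera issue."}],
  "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
  "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [
     {"vulnerable": true,
      "criteria": "cpe:2.3:o:examplecam:cam_firmware:*:*:*:*:*:*:*:*",
      "versionStartIncluding": "5.2.0",
      "versionEndExcluding": "5.4.1"}]}]}]
}}]}
""")


def parse_version(v):
    """'5.10.1' -> comparable tuple; numeric parts compare as integers, so 5.10 > 5.9."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in v.split("."))


def cpe_product(criteria):
    """vendor:product from a CPE 2.3 string (fields 3 and 4)."""
    f = criteria.split(":")
    return f[3] + ":" + f[4]


def in_range(match, version):
    """Apply the four optional NVD range bounds (and a concrete version in the CPE)."""
    v = parse_version(version)
    crit_version = match["criteria"].split(":")[5]
    if crit_version != "*":                       # exact version pinned in the CPE itself
        return v == parse_version(crit_version)
    if "versionStartIncluding" in match and v < parse_version(match["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in match and v <= parse_version(match["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in match and v > parse_version(match["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in match and v >= parse_version(match["versionEndExcluding"]):
        return False
    return True


def affecting_cves(response, vendor_product, version):
    """(cve_id, severity) for every CVE whose vulnerable ranges cover this device.
    Simplification: OR-nodes only; AND/negate combinations are not evaluated."""
    hits = set()
    for item in response["vulnerabilities"]:
        cve = item["cve"]
        severity = next((m["cvssData"]["baseSeverity"]
                         for m in cve.get("metrics", {}).get("cvssMetricV31", [])), "UNKNOWN")
        for cfg in cve.get("configurations", []):
            for node in cfg["nodes"]:
                for m in node["cpeMatch"]:
                    if (m["vulnerable"] and cpe_product(m["criteria"]) == vendor_product
                            and in_range(m, version)):
                        hits.add((cve["id"], severity))
    return sorted(hits)


if __name__ == "__main__":
    print(nvd_query_url("cpe:2.3:o:examplecam:cam_firmware:5.3.0:*:*:*:*:*:*:*"))
    print(affecting_cves(SAMPLE_RESPONSE, "examplecam:cam_firmware", "5.3.0"))
```

The installer's job is the same with real data: obtain the exact firmware version from each device, find the vendor's CPE name, pull the matching records, and either patch to a version outside every affected range or document the compensating control (usually segmentation) before the system goes live.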

How will my new security system impact my PCI compliance?
Many of these devices can be remotely controlled and connected to other systems, and integrating devices so that they communicate with each other is convenient for the business using them. PCI-DSS (the Payment Card Industry Data Security Standard) is a strict security standard intended to keep cybercriminals away from credit card data. It requires specific security controls around every system that stores, processes or transmits cardholder data, and around anything connected to those systems. A networked camera or access controller placed on the same flat network as your point-of-sale terminals therefore becomes part of your cardholder data environment, and many networked security systems cannot meet the standard's requirements on their own. Without sufficient security controls, a breach of an IoT device can have severe consequences: legal implications and financial penalties for businesses that lose sensitive consumer data, and a breach of customer trust that damages your reputation and can impact future sales, services and profitability.

Make sure your security provider understands PCI-DSS and how to keep your new security system isolated from your cardholder data network.

What are you doing to ensure the system I am purchasing and installing conforms to cybersecurity standards and good practices?
Many of these systems ship with defaults that are not appropriate for a business network, and those defaults can compromise the network by letting cybercriminals in. Some key points to consider:

  • Keep firmware and software up to date. Manufacturers release fixes and patches for vulnerabilities, but they are not effective unless end users and installers/integrators actually load them onto the cameras, recorders and controllers.
  • Set unique user names and strong passwords. Do not keep any default settings; change them to unique user names and sufficiently strong passwords. If a default password is still in place, a hacker may need nothing more than the camera's IP address to access it remotely over the internet.
  • Use network segmentation. Put cameras and other critical IoT systems on their own network segment behind a router and firewall, so they cannot reach your business data and are not exposed directly to the internet.
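As an added example (not code from the original article or from Keystone), the script below turns the checklist above and the password advice earlier on the page into an audit an IT administrator can run over the inventory an installer hands over. The vendor names, default credential list, minimum firmware versions, subnets and inventory entries are all constructed placeholders for illustration, not real vendor data; a real default-credential list comes from the vendor's documentation and from the CVE entries for the product.

```python
"""Added example: audit a hand-over inventory for default/blank credentials,
out-of-date firmware, insecure services and wrong network placement.
All vendors, versions, addresses and credentials below are CONSTRUCTED."""
import ipaddress

# Assumed vendor defaults (placeholder vendor names).
DEFAULT_CREDS = {
    "examplecam":  [("admin", "admin"), ("admin", ""), ("admin", "12345")],
    "exampledoor": [("root", "PASSWORD")],
}
# Assumed minimum acceptable firmware per product family (major, minor, patch).
MIN_FIRMWARE = {"examplecam": (5, 4, 1), "exampledoor": (2, 0, 0)}
# Subnet(s) belonging to the cardholder data environment: no IoT device belongs here.
CDE_NETS = [ipaddress.ip_network("10.0.10.0/24")]
# Management services that should be disabled on a business network
# (clear-text logins or self-configuring port forwards).  RTSP is left enabled
# because the recorder needs it; it is confined by segmentation instead.
INSECURE_SERVICES = {"telnet", "http", "ftp", "upnp"}
MIN_PASSWORD_LEN = 12

# Constructed inventory such as an installer would hand over.
INVENTORY = [
    {"name": "lobby-cam", "vendor": "examplecam", "ip": "10.0.20.11",
     "user": "admin", "password": "admin", "firmware": "5.3.0",
     "services": ["rtsp", "https", "telnet"]},
    {"name": "dock-cam", "vendor": "examplecam", "ip": "10.0.20.12",
     "user": "svc-cam", "password": "Qr7!vK2p#dZ9mL4w", "firmware": "5.4.2",
     "services": ["rtsp", "https"]},
    {"name": "front-door", "vendor": "exampledoor", "ip": "10.0.10.50",
     "user": "root", "password": "", "firmware": "1.9.0",
     "services": ["http", "upnp"]},
]


def parse_version(v):
    return tuple(int(p) for p in v.split("."))


def credential_findings(dev):
    creds = (dev["user"], dev["password"])
    findings = []
    if not dev["password"]:
        findings.append("blank password")
    elif creds in DEFAULT_CREDS.get(dev["vendor"], []):
        findings.append("vendor default credentials")
    elif len(dev["password"]) < MIN_PASSWORD_LEN:
        findings.append(f"password shorter than {MIN_PASSWORD_LEN} characters")
    if dev["user"] in ("admin", "root"):
        findings.append("default administrator user name still in use")
    return findings


def audit(dev):
    """All findings for one device; an empty list means it passes."""
    findings = credential_findings(dev)
    if parse_version(dev["firmware"]) < MIN_FIRMWARE[dev["vendor"]]:
        findings.append(f"firmware {dev['firmware']} below minimum")
    for svc in dev["services"]:
        if svc in INSECURE_SERVICES:
            findings.append(f"insecure service enabled: {svc}")
    addr = ipaddress.ip_address(dev["ip"])
    if any(addr in net for net in CDE_NETS):
        findings.append("device placed inside the cardholder data environment")
    return findings


def audit_inventory(inventory):
    return {dev["name"]: audit(dev) for dev in inventory}


if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(f"{name}: {'PASS' if not findings else '; '.join(findings)}")
```

Run it against the installer's inventory before sign-off: any device that does not come back with an empty list is a defect to be fixed by the vendor, not a note for later.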

How will my new system expose my network to DDoS attacks?
A distributed denial-of-service (DDoS) attack occurs when cybercriminals flood the resources of a targeted system, such as a web server, with traffic from many sources at once. This cripples the targeted system and can bring the business's network to a crawl. Attackers also use DDoS as a distraction, tying up the network and the IT staff while they go after protected data elsewhere.
DDoS attacks increased 91% in 2017 thanks to IoT, and in Q3 2017 organizations faced an average of 237 DDoS attack attempts per month. Insecure cameras and recorders contribute on both ends: a device deployed without changing its default password (some are left blank or set to PASSWORD) can be recruited into a botnet and used to attack others while consuming your bandwidth, and the same weak credentials give an attacker a foothold inside your own network. Make sure your security vendor follows proper password and credential practices.

As a business owner or IT administrator, performing this basic due diligence when interviewing security vendors will save you from serious trouble later. Your business information systems and your data are irreplaceable assets; once compromised, the damage to your business and reputation cannot be reversed.

Keystone Security Systems not only has 30 years of security experience but also has 15 years of Corporate IT Security. No other security company can match our experience and knowledge of information systems and security.