Attacks/Breaches
1/2/2014
01:14 PM
Fredrik Nilsson
Commentary

Physical & Network Security: Better Together In 2014

How ready are you for the day you discover there are more networked IP security cameras than laptops in your infrastructure, and not one of them supports 802.1X?

When you think about security, you probably think about the IT side of the equation: firewalls, encryption, and VPNs. There is another group in your company that also thinks about security constantly, but in their daily routines, the lingo is CCTV, proximity cards, intrusion detection, and monitoring. Until now you probably have not interacted with them too often, especially given the siloed reporting structures within most organizations. However, that is all changing as physical security is fast becoming front and center in the IT world.

In this new world the two groups must come together to achieve the shared goal of a secure organization. How safe is your server room if you have the latest firewall technology, but an ex-employee can walk into the office with an old badge that was never deactivated? What do you do when you find out one day that there are more security cameras than laptops on your network infrastructure, and that none of them uses 802.1X, which you require on every network port?

Photo Credit: Amin Tabriz from Flickr

While territoriality and control issues still exist between physical and IT security regimes within an organization, the role of the network (IT’s domain) in physical security technology is vital. At the same time, insider threats and intruders are getting increasingly sophisticated and bold, blending IT techniques with entry points through the physical perimeter. By sharing information, access, and analysis, it’s now possible to achieve a unified physical and IT security strategy. 

Physical security for the IT-minded
Video surveillance has been around for the last 30 years, but the systems have mostly been proprietary and managed by a separate team. Today, that is rapidly changing, in parallel with ever increasing security risks. Now, video systems are running on the same IP network as the rest of the company’s IT applications. There are millions of networked cameras installed worldwide. Following suit, access control systems leveraging the corporate network are not far behind.  

Not only does this make the system much easier to integrate with logical security, but it can also improve system capabilities and reduce costs. This is where IT comes in: when the C-suite sees cost savings in an operational improvement, it will push to implement those changes immediately, and those changes run over IT's network. In an increasingly connected world, physical and IT security are intrinsically intertwined, so if you want to truly secure an organization you have to make sure it is safe from both a logical and a physical point of view. This is exciting, but it also represents a fundamental change that is difficult to impart and execute.

Why physical and IT security need each other
We’ve all seen the stories of hacked IP video surveillance cameras, like what was exposed last summer around the BSides Conference. That trend shines a spotlight on the need for proper credentials (not the factory defaults) to access and manage IP surveillance cameras, governed in the same manner an organization would govern access to a customer database, an application, or a cloud service. The BSides hacking also demonstrates the importance of properly installing and managing video surveillance equipment, so that a rogue or misconfigured device cannot become an exploitable foothold on the network.

IT needs to be involved in today’s IP-connected physical security infrastructure to ensure proper policies and procedures are in place, and to lock down devices and applications that would otherwise be entry points to the network and corporate assets. This includes how physical security technologies are placed in the network: a camera or door controller should be subject to the same logical security controls (port authentication such as 802.1X, and managed credentials) as any other node, access point, or endpoint on the network.
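One way to answer the question posed in the introduction (how many devices on your switch ports have no 802.1X session, and how many of those look like cameras), as an added example that is not from the article and not Axis code: the script below correlates a switch MAC address table with the switch's authentication session records and tags each learned MAC by vendor OUI. The two text dumps, the port names and the MAC addresses are constructed for illustration in a Cisco-like layout; the OUI table is a hand-picked subset recalled from the IEEE registry (00:40:8C and AC:CC:8E assumed to belong to Axis Communications, 00:14:22 to Dell) that a real audit would replace with the full registry.

```python
"""Audit switch ports for devices that never authenticated with 802.1X.

Added example, not from the article or from Axis: correlates a MAC address
table with the switch's authentication sessions and tags each learned MAC
by vendor OUI, so that unauthenticated camera-class devices stand out.
Both dumps below are CONSTRUCTED samples in a Cisco-like layout; the port
names and MAC addresses are invented for illustration.
"""
import re
from collections import Counter

# Constructed sample: output in the style of 'show mac address-table'.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0040.8c12.3456    DYNAMIC     Gi1/0/1
  10    0040.8c12.3457    DYNAMIC     Gi1/0/2
  10    accc.8e00.0001    DYNAMIC     Gi1/0/3
  20    0014.2211.2233    DYNAMIC     Gi1/0/4
  20    0014.2211.2234    DYNAMIC     Gi1/0/5
  30    0011.2233.4455    STATIC      Gi1/0/24
"""

# Constructed sample: output in the style of 'show authentication sessions'.
AUTH_SESSIONS = """\
Interface  MAC Address     Method  Domain  Status
Gi1/0/3    accc.8e00.0001  mab     DATA    Authz Success
Gi1/0/4    0014.2211.2233  dot1x   DATA    Authz Success
Gi1/0/5    0014.2211.2234  dot1x   DATA    Authz Success
"""

# Hand-picked OUI subset for the sample (assumed from the IEEE registry:
# 00:40:8c / ac:cc:8e = Axis Communications, 00:14:22 = Dell). A real
# audit loads the full registry instead.
OUI_VENDORS = {
    "00:40:8c": ("Axis Communications", "camera"),
    "ac:cc:8e": ("Axis Communications", "camera"),
    "00:14:22": ("Dell", "laptop"),
}

# Accepts Cisco dotted (0040.8c12.3456), colon and dash notations.
MAC_RE = re.compile(
    r"^(?:[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}|(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})$",
    re.I)


def normalize_mac(raw):
    """Return 'aa:bb:cc:dd:ee:ff' from dotted (Cisco), colon or dash notation."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % raw)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """Return {'vlan', 'mac', 'type', 'port'} for each data row; headers are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].isdigit():
            continue
        vlan, mac, mac_type, port = parts[:4]
        rows.append({"vlan": int(vlan), "mac": normalize_mac(mac),
                     "type": mac_type, "port": port})
    return rows


def parse_auth_sessions(text):
    """Map normalized MAC -> {'port', 'method', 'status'} for each session row."""
    sessions = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not MAC_RE.match(parts[1]):
            continue
        sessions[normalize_mac(parts[1])] = {
            "port": parts[0],
            "method": parts[2].lower(),        # 'dot1x' or 'mab'
            "status": " ".join(parts[4:]),     # e.g. 'Authz Success'
        }
    return sessions


def audit(mac_table, auth_sessions, oui_vendors=OUI_VENDORS):
    """Tag every learned MAC with vendor, device class and how it authenticated."""
    sessions = parse_auth_sessions(auth_sessions)
    findings = []
    for row in parse_mac_table(mac_table):
        vendor, device_class = oui_vendors.get(row["mac"][:8], ("unknown", "unknown"))
        session = sessions.get(row["mac"])
        if session is None or "success" not in session["status"].lower():
            auth = "unauthenticated"   # learned on the port, no authorized session
        else:
            auth = session["method"]
        findings.append(dict(row, vendor=vendor, device_class=device_class, auth=auth))
    return findings


def summarize(findings):
    """Count devices by (device class, authentication method)."""
    return Counter((f["device_class"], f["auth"]) for f in findings)


def unauthenticated_ports(findings):
    """Ports carrying a MAC with no authorized 802.1X or MAB session."""
    return sorted(f["port"] for f in findings if f["auth"] == "unauthenticated")


if __name__ == "__main__":
    results = audit(MAC_TABLE, AUTH_SESSIONS)
    for f in results:
        print("%-9s %s  %-20s %-8s %s" % (f["port"], f["mac"], f["vendor"],
                                          f["device_class"], f["auth"]))
    print("summary:", dict(summarize(results)))
    print("ports to fix:", unauthenticated_ports(results))
```

A MAC learned on a port with no session at all is exactly the case the article warns about. One authorized by MAB (MAC Authentication Bypass) is the usual fallback for devices that lack an 802.1X supplicant and is weaker, because a MAC address can be cloned by anyone who unplugs the camera and connects a laptop to the same drop. Treat the output as a worklist: enable a supplicant where the camera firmware supports 802.1X, fall back to MAB plus a dedicated VLAN where it does not, and investigate unknown OUIs on ports you believed were empty.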

As an IT professional, I encourage you to proactively seek out the physical security team within your organization. Understand what you can do for them and what they can do for you. Understand the latest technology. Embrace the change that is coming, and unify teams and technologies for a common good. Physical and IT security: They’re good on their own but even better together. Just like chocolate and peanut butter.

Fredrik Nilsson is General Manager of Axis Communications, North America, where he has been instrumental in leading the industry shift from analog closed-circuit television to network video.

Comments
Marilyn Cohodas
User Rank: Strategist
1/7/2014 | 9:47:30 AM
Re: Power Over Ethernet - Driving these changes
Fredrik, I love your analogy comparing the relationship between network security and physical security with that between IT and finance: Finance still cuts our checks, but IT might manage the online/payroll software. Within the past few years, IT has become more closely integrated with so many business functions in the enterprise that it's not surprising the same alignment should take place with physical security systems. I suspect that will only continue to grow as the IoT brings more physical elements into the IT security sphere.
FredrikNilsson
User Rank: Apprentice
1/6/2014 | 10:53:06 AM
Re: Power Over Ethernet - Driving these changes
Lorna: You make a couple of great points in this thread that are worth diving into more. In the article I did not mean to imply that physical security will report to the CISO, but rather that IT needs to be aware that physical security is inevitably going IP, and the CISO, CIO and/or IT team overall should prepare to work together with the department(s) who "own" video surveillance within their organization. Regardless, more cooperation and communication between physical security and IT is integral in an increasingly IP-centric world. In some companies we work with, the IT group has fully embraced the shift to IP and has taken full ownership of the system. In other companies, the IT group manages the infrastructure, but security/loss prevention/operations 'own' the video. In that case, it's akin to how finance still cuts our checks, but IT might manage the online/payroll software. In many small- to mid-sized organizations that do not have physical security or operations departments, the IT manager is essentially responsible for anything that plugs in. In each case, IT is increasingly involved, so it's best to have open, engaged collaboration versus running separate networks.

The second point you call out is also an important detail. I agree the physical security domain is a specialized one, but I want to emphasize that there is potential for tremendous cooperation between the two groups, physical security and IT. Physical security best practices from the security world, married with IT best practices to run the infrastructure most efficiently, can help both disciplines do their jobs better and more efficiently. Overall, they simply both need to interact more, so the left hand knows what the right hand is doing, and neither gets handcuffed (pun intended).
infosecxx
User Rank: Apprentice
1/3/2014 | 6:21:01 PM
Re: Power Over Ethernet - Driving these changes
With my last employer, Facilities and IT had an established collaborative relationship, which I feel evolved further over the three years I was with the company. My former employer was a manufacturing company producing technical equipment. Not only did they maintain the building, but also all the tooling equipment on the manufacturing floor. The relationship was required, as we used their equipment (lifts and tools) for some jobs, and we helped them with their systems and needs. This proved essential as our site was relocated to a different city within the county (my last project with them as an employee). We were able to inform Facilities of where all the drops needed to be and of the requirements for the server room. They were able to have a vendor execute to the scope. IT was free to focus on IT equipment relocation and IT operations and not spend time on non-IT infrastructure. An added bonus is that they know the threshold of the circuits and can assist in preventing high power loads. Whenever the Facilities Department needed anything, we jumped, and they did the same for us. I prefer to work in environments like this with all business units.
Marilyn Cohodas
User Rank: Strategist
1/3/2014 | 4:35:11 PM
Re: Power Over Ethernet - Driving these changes
Thanks, InfoSecxx, for the details on your PoE project and your advice for scaling up to an enterprise implementation. Sounds like you have a very collaborative relationship with your facilities team. Is that something that has evolved over time, or did it develop relative to the project? 
infosecxx
User Rank: Apprentice
1/3/2014 | 4:23:09 PM
Re: Power Over Ethernet - Driving these changes
Authorization and assistance in planning were provided by the General Manager of the complex. All cable connections (fiber-optic, Ethernet) were installed by licensed electrical technicians (who were already involved with the remodel of the facility). Endpoint connections and device installation were completed by me (an IT professional), as was the additional IT infrastructure to support them. Server and software configurations were completed by the General Manager (knowledgeable enough, and he knew what he wanted; technology can be beautiful sometimes). Monitoring and management of the video captures were also the responsibility of the General Manager. Granted, this was a lean company; however, it was over a $20,000 investment, which matched the quote offered for traditional CCTV, though the added value of the features and functions is priceless to the facility.

Scaling up to enterprise, I do not believe it would be much different. Use the skills and tools offered by the Facilities Department to complete physical installs, including cabling. The IT Department completes software installs and configurations on new or existing equipment. Management of video capture and review should be left to either Facilities or another responsible business unit (they are capable). In addition, all data and access are maintained by IT.
Susan Fogarty
User Rank: Apprentice
1/3/2014 | 12:44:29 PM
Re: Physical/virtual security
I guess it depends how you define a "typical company" -- I was thinking of a larger business that owns its buildings. And I agree you may definitely outsource the monitoring and response to a security company. But I think the actual infrastructure will converge with IT, along with everything else on the Internet of Things (for better or for worse!). IT pros, please chime in!
Lorna Garey
User Rank: Ninja
1/3/2014 | 11:16:21 AM
Re: Physical/virtual security
But can you do it cheaper, really? For a typical company that has shared space, physical security typically is baked into what you pay for rent. Picture going into a city high-rise with multiple tenants. The security guards, card scanners and other security elements are managed centrally. Now, once in your offices, IT runs those cameras and card scanners for access to restricted areas, if any. And of course, really large entities do more of their own physical security. But, this is a specialized area -- you may have an ex-cop with years of experience in how criminals operate running a security department. Can the CIO match that? It's not a gamble that CEOs tend to want to take. You're talking the physical safety of your workers.

I'm not arguing that it wouldn't be cost effective to consolidate. But it hasn't happened yet, and I think it'll take more than PoE to change the dynamic. We'll see!
Marilyn Cohodas
User Rank: Strategist
1/3/2014 | 11:03:22 AM
Re: Power Over Ethernet - Driving these changes
Thanks for sharing your experience with Power Over Ethernet, @infosecx. Curious to know if the project was managed under the jurisdiction of the IT or physical security department, or a combination of the two.
Susan Fogarty
User Rank: Apprentice
1/3/2014 | 10:54:57 AM
Re: Physical/virtual security
I would equate the physical security system with the old company switchboard. For a long time we kept it as a separate entity just because that's what we always did. Security systems will just become a part of corporate IT because it makes no sense to maintain a separate network or outsource it to someone else when you can run it internally over IP for a fraction of the cost.
Lorna Garey
User Rank: Ninja
1/2/2014 | 4:46:24 PM
Physical/virtual security
People have talked about integrating physical and virtual security for years. But companies have largely decided to outsource the physical side of the equation to building management, or firms with that specialized knowledge, depending on their situations. I don't see any compelling argument that this is going to change. Maybe IT will nibble at the edges, taking on video and access cards, for example. But what's the financial incentive to wholesale bring physical security under the CISO?